How to End Phishing With RSS
The Register is running a largely unsurprising story that reveals that UK punters are still falling for phishers. I imagine susceptibility to phishing isn’t limited to the UK. If you have active items on eBay (for example) just how are you supposed to know that an email purporting to be about an item you have for sale is a fake? They tend to look pretty convincing these days.
The obvious solution would seem to be to give users the option of subscribing to an RSS feed instead of email notifications. Email is pushed; in spite of any appearance to the contrary, RSS is pulled: nobody can send you an RSS feed you haven’t subscribed to. It turns out that this isn’t an original thought: Will Pate beat me to it. So, what about it?

September 26th, 2006 at 12:28 am
It’s a great idea in theory, but I think it has a way to go before Joe Public can use it. To begin with, most users don’t have a clue what an RSS/Atom feed is - hopefully the functionality in IE7/Safari/Firefox/Opera will go some way towards rectifying that.
Secondly, you need to deal with authentication - you don’t really want your personal eBay / PayPal / bank / etc account feed to be public, do you? The thing is, you can’t do that until the most popular feed-readers support SSL, http-auth, etc. Some of the big names still don’t.
Much more viable in the longer term methinks. Mind you, there’s nothing to stop them implementing it now for the likes of you and me :)
September 26th, 2006 at 8:04 am
Hence offering it as an option - to wean people off email.
It only has to be as secure as email currently is - it’s not going to be used for anything that they don’t currently put in an email notification. Generating a random, unguessable feed URL gets you just about as much security as mail gives you.
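
The random, unguessable feed URL mentioned in the last comment could be issued and checked along these lines. This is an added example, not code from the post or its commenters; the `FEED_BASE` host, the `FeedTokenStore` class and the user ids are hypothetical, and the feed is assumed to be served over HTTPS so the token in the URL is not exposed in transit.

```python
import hashlib
import secrets

# Hypothetical base URL for per-user notification feeds (assumption).
FEED_BASE = "https://notifications.example.com/feeds"
TOKEN_BYTES = 32  # 256 bits of randomness, far beyond guessing range


class FeedTokenStore:
    """Issues secret feed URLs and keeps only SHA-256 hashes of the tokens,
    so a leaked lookup table does not reveal working feed URLs."""

    def __init__(self):
        self._user_by_hash = {}  # sha256(token) -> user id
        self._hash_by_user = {}  # user id -> sha256(token)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Create or rotate the user's feed URL; the previous URL stops working."""
        old = self._hash_by_user.pop(user_id, None)
        if old is not None:
            self._user_by_hash.pop(old, None)
        token = secrets.token_urlsafe(TOKEN_BYTES)  # drawn from the OS CSPRNG
        digest = self._digest(token)
        self._user_by_hash[digest] = user_id
        self._hash_by_user[user_id] = digest
        return f"{FEED_BASE}/{token}.xml"

    def resolve(self, url):
        """Return the user id that owns a feed URL, or None if it is unknown."""
        prefix, suffix = FEED_BASE + "/", ".xml"
        if not (url.startswith(prefix) and url.endswith(suffix)):
            return None
        token = url[len(prefix):-len(suffix)]
        # Lookup is by hash of the presented token, so response timing does
        # not depend on how close a guess is to a real token.
        return self._user_by_hash.get(self._digest(token))


if __name__ == "__main__":
    store = FeedTokenStore()
    first = store.issue("seller-1001")   # constructed sample user id
    second = store.issue("seller-1001")  # rotation, e.g. after a suspected leak
    print(first, store.resolve(first))   # old URL no longer resolves
    print(second, store.resolve(second))
```

Rotation matters here because a URL-borne secret can end up in reader histories or shared OPML exports; reissuing gives the user a way to cut off a leaked feed.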