Yahoo is introducing a new way to protect people from phishing attacks. They are going to let you create a seal that will be displayed when you visit an authentic Yahoo! webpage.
Good so far. But I have a couple of problems with this new method.
1) It is tied to an individual computer. Yahoo says that the “seal is a secret between the computer you set it up on and Yahoo!” I don’t really like my computer to have secrets from me, but that’s a different issue. If you want to use this anti-phishing technique on a work computer and/or multiple home computers, you will need to create a different seal for each one. That just seems like a lot of work.
2) It doesn’t work.
Don’t believe me? Let’s look over the FAQ and read the response to the question “What if I don’t see my sign in seal?”
The correct answer should be: run away. Shut your browser, clear your cache, delete your cookies and thank your deity of choice that the seal protected you from a phishing attack.
But, that is not the correct answer according to Yahoo!
“You could be on a fraudulent site, but there might be other reasons why you can’t see it. For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you’re using a partner or international Yahoo! site (like BT Yahoo! or Yahoo! India). To be safe, look for these other clues to make sure you’re on a genuine Yahoo! sign-in screen.”
That’s a mouthful of silliness. Let’s break it down.
My powerful seal tells me when I am on a valid Yahoo! site, but sometimes he doesn’t? How could that be? Oh, cookies might have been deleted. We all know seals only stick around for the cookies. But, aren’t we supposed to be deleting our cookies from time to time for security reasons? What kind of internet security system almost encourages users to never delete their cookies? Oh wait, maybe the cookies are fine. Maybe we are just on Yahoo! India. But, Yahoo! India looks a lot like Yahoo! America. I would be willing to bet that a phisher could direct somebody over there without them noticing and phish away.
The last line of that quotation needs special mention all by itself. If the seal isn’t going to keep me safe, and I’m still going to have to make sure I’m on a genuine Yahoo! sign-in screen, then what exactly is the seal doing?