Enabling Secure Business Operations

Anti-Phishing Phil

September 27th, 2007

I’m betting you know someone who you worry about having their identity stolen by going to a phishing site. We all do. Now there is a cute little game to help educate them:

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
Anti-Phishing Phil was developed by members of the CMU Usable Privacy and Security Laboratory with funding from the US National Science Foundation (Cyber Trust initiative) and ARO/CyLab.

OK, so the game isn’t so much “fun” as it is “cute”. However, it is a step in the right direction in terms of educating people.

Site Key Authentication Pictures [Still] Useless

September 26th, 2007

Peter’s post yesterday about Wish-It-Was-Two-Factor authentication reminds us why educating the public about strong authentication is so hard. It’s because banks are lying to their customers.

“You know it’s really us—when you see your SiteKey, you can be certain you’re at the valid Online Banking Web site at Bank of America, and not a fraudulent look-alike site. Only enter your Passcode when you see the SiteKey image and image title you selected.”

Actually, that’s not the case: a successful attack against SiteKey was made public in April of this year.

Wish-It-Was-Two-Factor

September 25th, 2007

Our friends over at Worse Than Failure have posted a pretty funny article about implementing “bank-level security”.

The idea behind two-factor authentication isn’t too complicated. Simply (1) verify that a user knows something, and (2) verify that he physically has something. This could be done with (1) a name and password, and (2) one of those key fob things or even a print-out of one-time use codes.
Banks, however, weren’t too happy with the requirement of implementing such “costly” changes and instead chose to invent Wish-It-Was Two-Factor authentication. In this method of authentication, they (1) verify that a user knows something, and (1, again) verify that a user knows something else.

Two-factor security does not mean you know your password and your high school mascot; it means you know something and have something. Hopefully the FFIEC will consider holding banks more stringently to their standard.
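To make the distinction concrete, here is an added example (not code from the post or from Worse Than Failure) of the real thing: a password check combined with a possession factor, implemented as HMAC-based one-time passwords per RFC 4226, which is what a key fob or a printed list of one-time codes produces. The `Account`, `two_factor_login` and `wish_it_was_two_factor` names are hypothetical, the password and token secret are constructed sample values, and the token secret is the RFC 4226 test-vector key. The contrast the example shows is that a security-question answer is accepted again and again, while a one-time code is spent on first use.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def print_out_codes(secret: bytes, start: int, count: int) -> list:
    """The 'print-out of one-time use codes': codes for consecutive counters."""
    return [hotp(secret, c) for c in range(start, start + count)]


class Account:
    """Hypothetical bank account record: a hashed password (something you know),
    a token secret (something you have), and a static security answer."""

    def __init__(self, password: str, token_secret: bytes, security_answer: str):
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = 0  # next unspent counter; anything below it is used up
        self.security_answer = security_answer.strip().lower()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, self._hash(password, self.salt))

    def check_token(self, code: str, look_ahead: int = 5) -> bool:
        """Accept a code for the next unspent counter (with a small look-ahead
        for skipped presses); on success, every counter up to it is spent."""
        for c in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False

    def check_security_answer(self, answer: str) -> bool:
        return hmac.compare_digest(self.security_answer, answer.strip().lower())


def two_factor_login(account: Account, password: str, code: str) -> bool:
    """Knowledge factor plus possession factor. The password is checked first
    so that a failed attempt does not consume a one-time code."""
    if not account.check_password(password):
        return False
    return account.check_token(code)


def wish_it_was_two_factor(account: Account, password: str, answer: str) -> bool:
    """Knowledge factor plus another knowledge factor: the same answer works
    every time, so nothing here proves the user has anything."""
    return account.check_password(password) and account.check_security_answer(answer)


if __name__ == "__main__":
    # Constructed sample account; the token secret is the RFC 4226 test key.
    acct = Account("correct horse battery", b"12345678901234567890", "Wildcats")
    print(print_out_codes(acct.token_secret, 0, 3))
    print(two_factor_login(acct, "correct horse battery", "755224"))  # True
    print(two_factor_login(acct, "correct horse battery", "755224"))  # False, spent
    print(wish_it_was_two_factor(acct, "correct horse battery", "wildcats"))  # True
    print(wish_it_was_two_factor(acct, "correct horse battery", "wildcats"))  # True again
```

Running it prints the first three codes from the RFC 4226 test vectors, then shows that a one-time code is accepted once and refused on replay, whereas the mascot answer is accepted indefinitely.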