Comments on Norway’s BankID undermines anti-phishing best practices


I have a similar issue with 3D Secure, or whatever it is called, for credit cards. They open in an iframe and ask for a password or a token sent via email.

The password case is actually fine on Firefox. The built-in password manager recognizes the domain in the iframe and fills in the password (so I know that I am being phished if it doesn't auto-fill). However, the emailed token approach provides no security. I have no way of knowing if I am interacting directly with my bank or via a MITM.

> I’m well aware of the problems, yet even I am reduced to blindly trusting that anything that looks like BankID on any website is legitimately BankID.

I know this is not user-friendly at all, and I'm not saying users should be expected to do this. But can't you open the frame in another window and verify the address bar there? Or use "inspect element" to check from where the frame is embedded?

Good read! How does VIPPS compare as an authentication service?

Sukil, you can do that, yes. However, the tokens in the URL are one-time, so you can’t use the resulting page.
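The "inspect element" check Sukil suggests, and the reply's caveat that the token in the frame URL is single-use, can be turned into a small console audit that only parses the `src` of every iframe on a page and never navigates to it. This is an added example written for this page, not code from the original article, from BankID or from any bank; the allowlisted origin `https://login.example-bank.test`, the checkout URL and the sample frame list are all constructed placeholders, since no real BankID hostname is stated on the page.

```javascript
// Added example: classify iframe sources by origin without loading them, so
// a one-time token in the frame URL is not consumed while you check it.

// Hypothetical allowlist. Substitute the login origin you actually expect.
const EXPECTED_ORIGINS = new Set(['https://login.example-bank.test']);

// Classify one iframe src attribute, resolved against the embedding page URL.
// Pure string parsing: nothing here performs a request or navigation.
function classifyFrameSrc(src, pageUrl, allowlist = EXPECTED_ORIGINS) {
  const raw = (src || '').trim();
  if (raw === '' || raw === 'about:blank' || raw === 'about:srcdoc') {
    // The frame's document is written by the embedding page itself (srcdoc
    // or script-injected), so there is no independent URL to verify.
    return { src: raw, origin: null, verdict: 'no-url' };
  }
  let url;
  try {
    url = new URL(raw, pageUrl);
  } catch {
    return { src: raw, origin: null, verdict: 'unparseable' };
  }
  if (['javascript:', 'data:', 'blob:'].includes(url.protocol)) {
    // Inline content controlled by whoever served the outer page.
    return { src: raw, origin: null, verdict: 'inline' };
  }
  const pageOrigin = new URL(pageUrl).origin;
  if (url.origin === pageOrigin) {
    return { src: raw, origin: url.origin, verdict: 'same-origin' };
  }
  if (url.protocol !== 'https:') {
    return { src: raw, origin: url.origin, verdict: 'insecure' };
  }
  if (allowlist.has(url.origin)) {
    return { src: raw, origin: url.origin, verdict: 'expected' };
  }
  // Includes lookalike hosts such as login.example-bank.test.evil.test.
  return { src: raw, origin: url.origin, verdict: 'unexpected' };
}

function auditFrameSources(sources, pageUrl, allowlist = EXPECTED_ORIGINS) {
  return sources.map((s) => classifyFrameSrc(s, pageUrl, allowlist));
}

// Constructed sample of what a merchant checkout page might embed.
const SAMPLE_PAGE = 'https://shop.example.test/checkout';
const SAMPLE_FRAME_SRCS = [
  'https://login.example-bank.test/auth?token=abc',  // the expected login frame
  '/widgets/help.html',                              // merchant's own content
  'https://login.example-bank.test.evil.test/auth',  // lookalike hostname
  'http://login.example-bank.test/auth',             // right host, no TLS
  'about:blank',                                     // script-written frame
];

if (typeof document !== 'undefined') {
  // Pasted into a browser console: audit the live page instead of the sample.
  const live = Array.from(document.querySelectorAll('iframe'),
                          (f) => f.getAttribute('src') || '');
  console.table(auditFrameSources(live, location.href));
} else {
  console.table(auditFrameSources(SAMPLE_FRAME_SRCS, SAMPLE_PAGE));
}
```

Two limits worth knowing. The `src` attribute is only the frame's initial navigation; the frame can redirect afterwards, and a cross-origin frame's current location is not readable from script, so the browser's DevTools frame picker (which shows each frame's real document URL) is the more reliable place to confirm where the login page ended up. And, as the reply notes, this only reads the URL; opening it in a new window would spend the one-time token and leave you with a dead page.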