Phishing is a very serious problem that we face. However, banks are the biggest targets. What methods can a bank use to protect itself from phishing attacks? What methods should someone use to protect themselves? Why does it stop attacks?
Other tips on how to prevent phishing include: Ensure your computer has up-to-date security software. Install an anti-phishing extension on your web browser. Create a strong password for each of your accounts, and never use the same password with different accounts.
Phishing usually works by directing the consumer to a scraped version of the website. One method that's starting to be more common is a dynamic website, where after entry of username and before entry of password, the bank site reveals some image or phrase chosen by the consumer, which I will call the counter-password. In essence, not only must the consumer present a valid password, so does the bank. Mutual authentication.
The phishing site cannot display the correct counter-password without querying the bank, and this gives the bank an opportunity to detect, confound, and prosecute the proxy.
This can be enhanced with use of an out-of-band communication channel. If the IP address making the request (which would be the proxy, possibly via onion routing) isn't one the consumer has logged in from before, send the consumer an SMS with a one-time code they must additionally use before the counter-password is revealed and login enabled.
Other methods are for the browser to cache the correct server certificate and tell the consumer when they visit a site without a cached certificate, thus warning the consumer that this isn't the familiar site they've used before.
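The login flow described in the answer above (counter-password shown only after the username, with an SMS one-time code gating it for an unfamiliar IP) can be sketched server-side as follows. This is an added example, not code from the original answer; the function names, the in-memory stores and the sample user are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample data: one user, their chosen phrase, and known login IPs.
USERS = {"alice": {"phrase": "blue heron at dawn", "known_ips": {"203.0.113.10"}}}
PENDING = {}     # username -> (otp, ip) waiting for SMS confirmation
SMS_OUTBOX = []  # stand-in for an SMS gateway: (username, otp)
ALERTS = []      # (username, ip) requests from unfamiliar addresses, for fraud review


def begin_login(username, ip):
    """Username submitted. Reveal the counter-password only to a familiar IP."""
    user = USERS.get(username)
    if user is None:
        # Assumption: answer exactly as for an unfamiliar IP, so the response
        # does not reveal which usernames exist.
        return ("otp_required", None)
    if ip in user["known_ips"]:
        return ("phrase", user["phrase"])
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = (otp, ip)
    SMS_OUTBOX.append((username, otp))   # out-of-band channel to the consumer
    ALERTS.append((username, ip))        # the bank's chance to spot a proxy
    return ("otp_required", None)


def confirm_otp(username, ip, code):
    """Unfamiliar IP only: reveal the phrase after the correct one-time code."""
    otp, pending_ip = PENDING.pop(username, (None, None))  # code is single-use
    if otp is None or ip != pending_ip:
        return ("denied", None)
    if not hmac.compare_digest(otp.encode(), code.encode()):
        return ("denied", None)
    USERS[username]["known_ips"].add(ip)
    return ("phrase", USERS[username]["phrase"])
```

A proxy that relays the SMS code in real time would still pass this check, so the `ALERTS` record is what gives the bank the detection opportunity the answer mentions.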
IMO, the best thing that a bank can do is to educate its users on when and how they will communicate with them. Many users have no idea about what phishing is and so showing them examples and raising their awareness about fraud will do more than any technical solution (though the technical side should be pursued just as aggressively). A user aware that phishing can occur will be far less likely to fall prey to it.