« Phishers get personal », web sites and security 101

I read an interesting article about how phishers (that is, people trying to get personal information about you, generally in order to empty your bank account) now try more advanced techniques. According to the article, they feed various websites’ login forms and password reminder pages with various email addresses, hoping to get responses that tell them whether a given email address is registered.

« This login does not exist ». « You can’t register as foo@bar.com, this login already exists ». « Wrong password ». Such error messages disclose the fact that the login exists, greatly reducing an attacker’s field of investigation. Most security-oriented people have long known that when authentication fails, one should send back a non-indicative error. This way, it’s not possible to guess anything about the existence of an account. ssh, for example, does that:

$ ssh john@my.server.com
john@my.server.com's password:
Permission denied, please try again.

Now, how to know whether John has an account on my.server.com? No way. Some time ago, ssh’s response varied based on the existence of the account: if it existed but the password was wrong, it returned ‘Permission denied’ after a timeout, whereas if the account didn’t exist, it answered immediately. This has long since been fixed.
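As an added illustration (not code from the original article), here is a Python login check written both ways: the leaky form the article describes, where the message and the amount of work done depend on whether the account exists, and a uniform form that returns the same message and performs the same password hashing for unknown and known users alike. The user store, salts and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 work factor; same cost on every code path

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: username -> (salt, stored hash). Not real data.
_SALT = os.urandom(16)
USERS = {"john": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown login costs exactly one hash, like a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Leaky: distinct messages, and no hashing at all for unknown users,
    so both the text and the response time reveal whether the account exists."""
    if username not in USERS:
        return "This login does not exist"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Wrong password"
    return "OK"

def login_uniform(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the hash is always computed,
    so unknown and known accounts behave the same in text and in timing."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    # An unknown user can never log in, even if someone guessed the dummy password.
    if ok and username in USERS:
        return "OK"
    return "Permission denied, please try again."
```

Note that `hmac.compare_digest` is used in both versions: a plain `==` on the hashes would leak, byte by byte, how much of the password hash matched.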