Question

We have an internal portal which we will use for configuration. How do we implement an anti-phishing mechanism?

1. Which mechanism to use
2. How to use it

Thanks in advance.

Solution

Phishing protection is not only at your application level but also comes from making your users aware of what phishing is. Even top-notch banks are vulnerable to phishing attacks.

I would suggest you:

A mechanism I've seen in a few banks is:

  • Make the user insert his username
  • Show an image known only by him that the user chose previously at registration.
  • Make the user accept that he/she chose that image previously
  • Make the user insert his password

This way, if a user is a victim of a phishing attack, the attacker must know not just his username but also the image that the user chose.

Also, in case the user doesn't exist, you should set up a fake image so you prevent a user enumeration attack.
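The fake-image step from the answer above, as an added example that is not part of the original answer: the decoy is derived with a keyed HMAC of the username, so an unknown name always gets the same image across requests and a client cannot recompute it. The catalogue, user table, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): the image catalogue offered at
# registration and the image each registered user picked.
IMAGE_CATALOGUE = ["anchor.png", "bicycle.png", "cactus.png", "kite.png",
                   "lantern.png", "teapot.png", "violin.png", "windmill.png"]
REGISTERED = {"alice": "kite.png", "bob": "teapot.png"}

# Server-side secret (constructed placeholder). Load it from a secret store
# in a real deployment; if it leaks, decoys become computable by anyone.
DECOY_KEY = b"constructed-demo-key-replace-me"


def normalise(username: str) -> str:
    """Canonical form, so ' Alice ' and 'alice' map to the same account."""
    return username.strip().lower()


def decoy_image(username: str, key: bytes = DECOY_KEY) -> str:
    """Pick a stable fake image for a username.

    A random image per request would change on every page reload and
    reveal that the account does not exist. A keyed hash stays constant
    for a given name and cannot be predicted without the key.
    """
    digest = hmac.new(key, normalise(username).encode("utf-8"),
                      hashlib.sha256).digest()
    index = int.from_bytes(digest[:8], "big") % len(IMAGE_CATALOGUE)
    return IMAGE_CATALOGUE[index]


def image_for_login(username: str) -> str:
    """Image to show after the username is entered and before the password."""
    name = normalise(username)
    # Compute the decoy for every request so known and unknown usernames
    # take the same code path and do the same amount of work.
    fake = decoy_image(name)
    return REGISTERED.get(name, fake)


if __name__ == "__main__":
    for candidate in ("alice", "mallory", "mallory"):
        print(candidate, "->", image_for_login(candidate))
```

The response for an unknown username should also match a real one in status code, page layout and timing, and the password step should fail with the same generic message in both cases.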

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow