1. Never give passwords to a third party (so, for example, no Mint).
2. Never give anything more than an email address to someone you wouldn't also give your credit card number to. I only give an address or phone number when I'm planning on buying something.
3. Never log in after following a link. Always log in by visiting the site manually (either by typing the URL or using a bookmark).
Excellent rules and I really think those ought to be pasted to the front of every monitor of everybody that ever fell for a phishing scam, and preferably to the front of the monitors of those that have not yet fallen victim to one too.
Could you (or someone who has more knowledge of this than me) explain how this is safer (if it is), and then possibly explain if/how someone could hack Mint to get my information?
I always thought of Mint as just as safe as using online banking; is this very flawed?
Not sure how this works, but the way they describe it, they say that they don't really store them; your internet finance provider stores them and they only access via some credentialing. It does make sense that just adding someone to the equation adds more possibilities for risk.
Can you explain (3)? Isn't it enough to check whether you're on the right domain before logging in? Or is this to prevent logging in at an IDN URL that looks like the real URL?
Domain check is good, but can be misread, especially with IDNs. Of course, URLs can be mistyped too and a lot of phishing is based on typos of URLs. So really, in the end, you should always follow a bookmark before logging in.
I trust my password manager. It auto-fills my passwords only on correct domains. When my password manager doesn't work, I'm highly suspicious.
Plus I use passwords that are auto-generated based on domain name, which I copy & paste to the generator. Hopefully this makes me immune to homograph attacks.
There are various reasons that #3 is particularly useful, though I think the original writer was probably more concerned with links in e-mail or links on sites other than the site you're being asked to log in to (such as links from advertisements or other third-party sites):
1) Similarities in the way letters look in certain fonts can cause you to think you're on the correct site when you are not. This is mitigated by EV SSL usually, but if you're not paying close attention you might miss it.
2) Browser exploits (though I'm unaware of any specific ones in current browsers) have commonly focused on tricking the browser into displaying one URL when the page is actually being hosted by another.
3) Links in e-mail, specifically, asking you to "login and update your information" (or "login and sign up for paperless billing now!", which is pretty common, especially when combined with some perk). Often these links use redirection to gauge effectiveness of the e-mail campaign, so it's common for the link to look strange. If the e-mail is a phishing attack, that redirection could include code injection, resulting in you being sent to the right URL to log in, but with malicious code inserted to capture credentials or do other fun and exciting things. Of course, the site would have to have some existing XSS vulnerability on the login page, or the code would have to be attacking a browser/plug-in vulnerability, for you to see the EV SSL indicator properly in the address bar.
The last point is also usually mitigated by extensions like NoScript in Firefox.
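As an added example (not code from anyone in this thread), this is the check a password manager does that the comments above rely on: compare the link's hostname, decoded the way the address bar shows it, against saved login sites by exact match, and flag mixed-script IDN homographs that a human "domain check" tends to misread. The bookmarked hosts and test URLs are constructed; `example.com` stands in for a real login site.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the browser's/password manager's saved login sites.
BOOKMARKED_LOGIN_HOSTS = {"example.com", "www.example.com"}


def display_host(url: str) -> str:
    """Hostname as the address bar would render it (Unicode form).

    Punycode labels (xn--...) in an e-mail link are decoded so the
    comparison happens in the same form the user actually sees.
    """
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (user-typed) or malformed: compare as-is


def scripts_in(host: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a host."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def safe_to_autofill(url: str) -> tuple:
    """Decide like a password manager: fill credentials only on an exact host match."""
    host = display_host(url)
    if host in BOOKMARKED_LOGIN_HOSTS:
        return True, f"exact match: {host}"
    scripts = scripts_in(host)
    if len(scripts) > 1:
        return False, f"mixed scripts {sorted(scripts)} in {host!r}: likely homograph"
    return False, f"unknown host {host!r}: no saved login, do not type a password"


if __name__ == "__main__":
    # Constructed: Cyrillic 'а' (U+0430) replacing the Latin 'a', encoded to
    # punycode the way it would appear in a link, plus a plain typo domain.
    homograph = "www." + "ex\u0430mple".encode("idna").decode("ascii") + ".com"
    for u in ("https://www.example.com/login",
              f"https://{homograph}/login",
              "https://examp1e.com/login"):
        print(u, "->", safe_to_autofill(u))
```

Visually the decoded homograph host is indistinguishable from the bookmark, which is why the comments above recommend following a bookmark rather than eyeballing the domain.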
I fell for this trick with a Twitter-like URL. Two things did it for me. The link was from a friend of mine (of course he didn't know that was a phishing site). And it was a replica of Twitter. To make things worse, it was shortened using bit.ly. I realized I had made a mistake only after I entered my password and hit submit. I quickly logged into Twitter and changed my password.