Thursday, December 21, 2006

Yahoo! Sign-in Seal - what exactly does this accomplish?

I'm no security expert here, but I like to think things through. Yahoo! has a feature which is, it seems, a few months old. But it's new to me. It allows you to create a custom image - here I've made one that says "yahoo sucks!" - and every time you access a Yahoo! login screen, you see the image and know it's the genuine page; the idea is that a phishing site imitating the login screen has no way of knowing what your image is.

It took me, as a semi-regular Yahoo! user, a few months to even notice the little plug for this feature on the Yahoo! login page. I don't often look around at the various graphics on login pages, since they're usually cluttered with ads and help for users without accounts. Now that I've set a witty statement as my sign-in seal, I may notice it more. But if it didn't show up, or an error appeared in its place saying "sign-in seal temporarily unavailable", would I suspect a phishing scam? Would most users?

Yahoo! uses some interesting methods to store the reference to the image. I was at first concerned that simply deleting cookies or the browser cache would result in a broken seal, but Yahoo! took precautions against that.
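To make the trust model concrete, here is a small added simulation of how a per-browser sign-in seal can work and where it breaks down. It is my own illustration, not Yahoo!'s code, and the post does not describe Yahoo!'s actual storage mechanism; the simulation assumes the seal is referenced by an HMAC-signed token that the browser stores scoped to the genuine login host (the way a cookie is), and that the login page renders the seal only when it receives a valid token. The host names, the "temporarily unavailable" placeholder text and the seal text are constructed for the example.

```python
"""Toy model of a per-browser sign-in seal (added example, not Yahoo!'s code).

Assumed design (not stated in the post): the server issues an HMAC-signed
token naming the user's seal, the browser stores it scoped to the genuine
login host, and the login page shows the seal only for a valid token.
"""
import hashlib
import hmac
import secrets

GENUINE_HOST = "login.yahoo.com"       # assumed genuine sign-in origin
PHISHING_HOST = "login-yahoo.example"  # constructed lookalike host
UNAVAILABLE = "sign-in seal temporarily unavailable"

SERVER_KEY = secrets.token_bytes(32)   # known only to the genuine server
SEALS = {}                             # seal_id -> seal text chosen by the user


class Browser:
    """Minimal cookie jar: values are scoped per host, like real cookies."""

    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def store(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def cookies_for(self, host):
        # a page served from `host` only ever sees cookies set for `host`
        return dict(self.jar.get(host, {}))

    def clear(self):
        # the user clears cookies (or a second user deletes the seal)
        self.jar.clear()


def _sign(seal_id):
    return hmac.new(SERVER_KEY, seal_id.encode(), hashlib.sha256).hexdigest()


def set_seal(browser, seal_text):
    """Genuine server: register the seal and hand the browser a signed token."""
    seal_id = secrets.token_hex(8)
    SEALS[seal_id] = seal_text
    browser.store(GENUINE_HOST, "seal", f"{seal_id}.{_sign(seal_id)}")
    return seal_id


def render_login(host, browser):
    """What the login page served from `host` can show in the seal slot."""
    if host != GENUINE_HOST:
        # the phishing host receives no cookie for the genuine host and has
        # neither SERVER_KEY nor SEALS, so it can only leave the slot empty
        return UNAVAILABLE
    token = browser.cookies_for(host).get("seal")
    if token is None:
        return UNAVAILABLE  # cookies cleared: same message as the phishing case
    seal_id, _, sig = token.partition(".")
    if not hmac.compare_digest(sig, _sign(seal_id)) or seal_id not in SEALS:
        return UNAVAILABLE  # tampered or unknown token
    return f"[seal: {SEALS[seal_id]}]"


def demo():
    """Returns (genuine page, phishing page, genuine page after cookies cleared)."""
    browser = Browser()
    set_seal(browser, "yahoo sucks!")
    genuine = render_login(GENUINE_HOST, browser)
    phished = render_login(PHISHING_HOST, browser)
    browser.clear()
    cleared = render_login(GENUINE_HOST, browser)
    return genuine, phished, cleared


if __name__ == "__main__":
    for label, shown in zip(("genuine", "phishing", "cleared"), demo()):
        print(f"{label:9s} -> {shown}")
```

The second and third results are the point of the post: the phishing page and the genuine page with a lost cookie render exactly the same placeholder, so a missing seal only protects users who treat its absence as a reason to stop, not as a glitch to click past.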

But Yahoo! doesn't seem certain about the reliability of their security feature:

What if I don't see my sign-in seal?

You could be on a fraudulent site, but there might be other reasons why you can't see it. For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you're using a partner or international Yahoo! site (like BT Yahoo! or Yahoo! India). To be safe, look for these other clues to make sure you're on a genuine Yahoo! sign-in screen.

Yahoo! is too quick to list other explanations for the missing sign-in seal. If a user has taken the time to look up Yahoo!'s help information about their missing seal, the company could at least provide them with a link to some more information on phishing and how to avoid being scammed. This brief explanation contains no links, nothing to do other than "look for these other clues" and then log in and hope for the best.

How much phishing has this sign-in seal prevented? Probably not much, if any at all. Quite telling is the little pop-up message (shown above) asking if that's your sign-in seal. Phishing sites won't bother to put that little pop-up message in, and a phishing page is precisely the one place where users would need to see it.
