Michael asked what to tell his sister, who recently visited a webmail site with a similar name to her regular webmail site, and she entered her username and password at the wrong website. This is actually a multi-layered question, and I am trying to cover the different issues related to this.
First of all, in order to avoid falling for typo-squatters, use bookmarks. Using bookmarks to reach trusted sites is probably the safest method. Never click on any e-mail link to reach a trusted site. In addition, avoid typing long and sometimes easy-to-misspell host names.
If you use a lot of different computers, you could use one of the personalized home page sites. At least this leaves you with only one hostname to type, the name of the homepage. However, unless you set up your own homepage/web server, there is a privacy problem: you are trusting that the site you use to store your links is safe.
A USB stick with your favorite bookmarks may work if you are able to plug a USB stick into the system you are using. Trust is again an issue, as the computer you use may modify the content of the USB stick (it could even add a virus). But it's probably an illusion to expect secure computing while you use a PC you don't trust. A few people have tried to solve this issue, but it's tricky (a bootable CD is probably the best option, but not everybody will allow you to reboot a PC).
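The look-alike site in the question above is the typical typo-squat: a hostname one or two characters away from the real one. As an added example (not code from the diary or from ISC), here is a hypothetical helper that compares the host of a URL about to be visited against a bookmark list and flags near-misses; the bookmark entries and sample URLs are constructed, with isc.sans.org the only host taken from the page.

```python
"""Flag hostnames that are near misses of bookmarked hosts (added example).

Hypothetical helper, not from the ISC diary: compares the host of a URL the
user is about to visit against a bookmark list and reports close-but-not-
equal matches as possible typo-squats.  All sample values are constructed.
"""
from urllib.parse import urlsplit

# Constructed bookmark list; isc.sans.org is the one host named on the page.
BOOKMARKS = ["isc.sans.org", "mail.example.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the lowercase hostname; a bare hostname is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def check_host(url: str, bookmarks=BOOKMARKS, max_distance: int = 2) -> str:
    """Return 'trusted', 'suspicious' or 'unknown' for the given URL.

    'suspicious' means the host is within max_distance edits of a bookmark,
    or embeds a bookmarked name inside a longer host, without being equal
    to it: the shape of a look-alike typo-squat.
    """
    host = hostname_of(url)
    if host in bookmarks:
        return "trusted"
    for good in bookmarks:
        if edit_distance(host, good) <= max_distance or good in host:
            return "suspicious"
    return "unknown"


if __name__ == "__main__":
    for sample in ["https://isc.sans.org/diary", "http://isc.sans.ogr/",
                   "isc-sans.org", "http://example.net/"]:
        print(sample, "->", check_host(sample))
```

A browser-side check of this kind only helps for hosts you have already bookmarked, which is why the diary's advice to navigate from the bookmark itself remains the simpler defence.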
Once you know you fell for a typo-squatting site, change the password you surrendered as fast as possible. Which brings up another important point: Password security. I usually recommend a 2+n password approach:
Lastly: What is a trusted/trustworthy website? isc.sans.org is! I know. I administer it. For all other sites: Decide for yourself. I can't make that decision for you, as I don't know how well the site is maintained.
I mentioned before that the commonly used line "don't visit unsecure web sites" is nonsense.
May 8th 2006