Re: faking post data
Bent Stigsen wrote:
> "Michael Vilain <vilain@spamcop.net>" wrote:
> > In article <4167d104$0$290$edfadb0f@dread14.news.tele.dk>,
> > Bent Stigsen <ngap@thevoid.dk> wrote:
> >
> >>mammothman42@hotmail.com wrote:
> >>
> >>>I've copied my bank's login form and saved a copy on my computer.
> >>>However, when I try to submit it, I get a 405 method not allowed error.
> >>>Can't for the life of me figure out why; it's posting exactly the same
> >>>data from exactly the same HTML code. Any ideas? It's an https (SSL) site.
> >>
> >>First a little speech. When you got the error "method not allowed",
> >>didn't some bells and whistles go off in your head, followed by a thought
> >>of "the bank probably doesn't want me to be doing this"? Obviously they
> >>are doing some additional checking to prevent misuse, not just to annoy
> >>people.
> >>
> >>Anyway, if you just copied the form and changed action to point to the
> >>appropriate page, then the first obstacle is the referer[sic] header. I
> >>don't know of any ordinary browser which lets you fake that header, but
> >>you can try CLI-type web clients like wget and curl to explore that.
> >>They (the bank) might require an ongoing session or some kind of checksum,
> >>so you would need to check for an id or other data in cookies, URL or
> >>hidden form fields which was related to the original login form. I think
> >>both wget and curl can help you there.
> >>And there can be other "things".
> >>
> >>As you probably suspect, however they have done it, you would probably
> >>need to write a mediator script between your local form and the bank's
> >>web server. PHP has curl extensions which are useful for this purpose.
> >>
> >>But seriously, check with the bank first. If they don't mind, they could
> >>give you the information you need. If they do mind, then you shouldn't
> >>be doing it in the first place.
> >>
> >>/Bent
> >
> > Gee, Brent. That was great. You just told someone how to set up a
> > phishing scam.
>
> Well, the way I see it...
> <rant>
> Keeping something a secret will not protect anybody. And this is just
> too easy for anybody to do. The only difference is whether they are smart
> enough to avoid getting caught. And the smart ones probably know this in
> the first place. I think beating some decency into people, instead of
> keeping secrets, is far better.
>
> About security and phishing. Banks and others who require tight security
> really need to do other "things" as I hinted. If they don't, then they
> are a joke. In general, if people got over this sense of false security
> and were more alert, and service providers took it more seriously, then
> phishing would be dead.
>
> Secrecy has never ever been a substitute for security.
> </rant>
>
> Don't get me wrong though; like you, I am also worried about people being
> scammed, but I just think that in the long run this is better.
>
> /Bent
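The server-side "things" Bent guesses at (a Referer/Origin check plus a session-bound token in a hidden field) written out from the bank's side, as an added Python example that is not code from this thread; the origin, cookie name, secret and token scheme are my own assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed values for the example: the site that legitimately serves the login form
# and a constructed server-side secret used to bind form tokens to sessions.
ALLOWED_ORIGIN = "https://bank.example"
SECRET_KEY = b"constructed-server-secret"


def issue_form_token(session_id: str) -> str:
    """Token the server embeds as a hidden field when it serves the real login
    form. It is an HMAC over the session id, so a copied form only works
    together with the cookie it was issued for."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(header_value: Optional[str]) -> bool:
    """True when Origin/Referer names the bank's own scheme and host."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def check_login_post(headers: Dict[str, str], cookies: Dict[str, str],
                     form: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a login POST came from the bank's own page.
    Returns (accepted, reason). A form saved locally and re-submitted fails
    the origin check; one that loses the session cookie or its hidden token
    fails the later checks, even with an otherwise identical body."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not _same_origin(origin):
        return False, "origin mismatch"
    session_id = cookies.get("SESSIONID")
    if not session_id:
        return False, "no session"
    token = form.get("form_token", "")
    # constant-time comparison: token must match the one bound to this session
    if not hmac.compare_digest(token, issue_form_token(session_id)):
        return False, "token mismatch"
    return True, "ok"
```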