The current phishing attempts are ludicrously easy to mount, and they are this ludicrous because the current web’s security model is fundamentally broken.
If Joe Q. Random discovers a new site (maybe a forum site dedicated to discussing cats — Mr. Random is a big cat aficionado), he needs to create an account. He creates a username and a password, and will be asked to supply an e-mail address to confirm the registration. Random does so.
Now, all someone needs to do to get Random’s credentials is to fake a Realistic Mail from SillyCatForum.com saying “someone has responded to your message. Click <here> to read the reply.” Random clicks, and is presented with the login screen. Random enters his credentials. What R. didn’t notice was that the link actually went to hackersrus.com. But two seconds later, he’s on the real SillyCatForum.com, mildly bemused by there not being a response to any of the messages. “Maybe someone deleted it, or something”, thinks Random, without a second thought. Random’s cat-forum credentials are now in the hands of Hackers’R’Us. Security — failed. Faking the realistic e-mail is child’s play — all someone from Hackers’R’Us needs to do is to create two accounts, reply from one to the other, and presto!, copy’n’paste the e-mail.
“Why is Random clicking on things sent to him in e-mail?” cry all those holier-than-thou security experts. Because, as they seem to have forgotten, the web has trained him to do it. E-mailed links are the normal notification mechanism on the web.
How can we solve this? Simple, do away with passwords.
All sent links should contain “credential information” which will auto-log the user in. If the user needs to log in, he can click “send me credentials”, which will send him a credentialed link. E-mail providers can ask for a cellphone number, to which they will send a one-use (ONE USE) code, which will log the user in. They can also, on creation, ask for an address to which they can snail-mail a one-use code, in case the user loses his cellphone. (Naturally, you might have to pay for that — but on the off-chance that this happens to your primary e-mail address, paying $10 to restore it should be within the means of most people.)
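What “a credentialed link that auto-logs the user in” actually demands of the server is worth spelling out, because a link like that is a bearer credential: whoever holds it is logged in. The sketch below is an added example, not code from the original post. It issues a link carrying a random token, stores only a hash of that token, and accepts the link exactly once before it expires. The class and function names, the base URL and the 15-minute lifetime are assumptions; a real deployment would keep the records in a database rather than a dictionary.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed policy: a credentialed link is good for 15 minutes and exactly one use.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class PendingLink:
    user_id: str
    token_hash: str      # only the hash is kept, so a leaked store does not leak live links
    expires_at: float


class MagicLinkService:
    """Issue and redeem single-use, time-limited login links (hypothetical service)."""

    def __init__(self, base_url: str = "https://example.invalid/login",
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url
        self.clock = clock                      # injectable so expiry can be tested
        self._pending: Dict[str, PendingLink] = {}   # keyed by a random lookup id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a credentialed link for user_id and return the URL to e-mail."""
        link_id = secrets.token_urlsafe(16)     # random lookup key, not derived from the user
        token = secrets.token_urlsafe(32)       # 256 bits of entropy: unguessable, never stored
        self._pending[link_id] = PendingLink(
            user_id=user_id,
            token_hash=self._hash(token),
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        return f"{self.base_url}?id={link_id}&t={token}"

    def redeem(self, link_id: str, token: str) -> Optional[str]:
        """Return the user_id if the pair is valid, unexpired and unused; otherwise None.

        The record is removed on the first redemption attempt whether or not it
        succeeds, so a link can be tried once and replayed never.
        """
        rec = self._pending.pop(link_id, None)
        if rec is None:
            return None
        if self.clock() > rec.expires_at:
            return None
        # Constant-time comparison of hashes avoids leaking the token through timing.
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return None
        return rec.user_id

    def redeem_url(self, url: str) -> Optional[str]:
        """Convenience wrapper: parse a link as the user clicked it and redeem it."""
        qs = parse_qs(urlparse(url).query)
        link_id = qs.get("id", [""])[0]
        token = qs.get("t", [""])[0]
        return self.redeem(link_id, token)


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("joe.q.random")           # this is what would be e-mailed
    print("first click :", svc.redeem_url(link))   # joe.q.random
    print("second click:", svc.redeem_url(link))   # None (single use)
```

The two properties the code enforces, a short lifetime and a single use, are what limit the damage if the e-mail is read by someone else in transit or from a mailbox: a captured link is worthless once the legitimate click has consumed it or the clock has run out. The server should also only honour the redeem endpoint over HTTPS, since the token travels in the URL.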
Of course, most sites should not even need that much. Just offer the option of a Facebook Connect/OpenID log-in, and don’t even try asking for credentials. Let someone else handle credentials for you.