Although many have talked about possible responses to and defenses against the scourge of Phishing sites, it wasn't until today that I actually saw a site begin to actively fight back. Sometime recently, Yahoo! made a small but terribly important change to their login screen which I think will soon become widespread. Certainly every bank with an online site should copy Yahoo! instantly...
Successful phishing relies on the fact that phishers know that real web sites look like and can easily produce fake (phishing) sites that look just like the real thing. But, now you can customize your Yahoo! login screen so phishers can't possibly know what you think the Yahoo! login screen looks like. They can't know what it looks like because the real Yahoo! screen will display a "secret" shared only between you and Yahoo!. This secret, which is either a bit of text or an image, is something that you choose and then send to Yahoo! for display whenever you're logging in to the real Yahoo!. Once you've shared you secret with Yahoo!, then whenever you see a Yahoo! login screen that doesn't display the secret, you should be alerted that you may be on a phishing site.
I've put some example Yahoo! login screens in the right margin. At the top, you'll see what the new default login screen looks like at Yahoo! Below that, you'll see examples of the same screen modified to show either a text secret or an image secret.
I'm sure that others who follow events on the web more closely than I have will be able to say that they've seen this sort of thing before. Certainly, I'm aware that the technique has been discussed for quite some time and that there have been previous uses, but this is the first time I've actually seen it used on a production site that I use. Wonderful!
While there are many other things we can do in the battle against phishing and while this technique is known to have some weaknesses, I still hope we see use of this technique spread across the net like wildfire. Every bit helps.