Traderoute "personal greeting image" completely meaningless?

It appears Traderoute is attempting to employ some sort of anti-phishing protection by displaying user-specific "greeting images", but this makes absolutely 0 sense because the only thing you need to find out a user's greeting image is their username (which is displayed publicly for vendors).

Here, I'm retrieving the "greeting image" for vendor "Sunny987" (they're the top vendor according to the Traderoute sidebar, nothing personal): image

Sure, it can be argued that the watermarked captcha on the initial form will deter basic phishing, but this doesn't prevent anyone from scraping popular vendors and going through them by hand.

I don't know if I'm missing the point here or what.


Comments


[7 Points] AgoraMarket:

Ideally, you'd enter your login + password on the same page, then -- assuming you entered them correctly -- the personal image would be displayed along with the PGP decryption page (for 2-factor logins anyway). That would prevent what you brought up.

Although I don't know what benefit there is to gathering random vendors' personal images.


[5 Points] Dontworrybeready:

TR admin's answer:

> Showing the image after password input would not help at all as the phisher would already have your password. And getting the PIN would be very easy as we have seen from past TR's phishing attempts.
>
> You are right that anyone can see everyone's images, but this forces phishing campaigns to be directed to each user independently and not indiscriminately. The problem for phishers is that they don't have a list of all our users, thus they cannot scrape all the images.
>
> Anyway if phishers find a method to hack this we'll improve it further making their efforts futile. We are already implementing the upgrade, don't worry. tradeforumzkw4bk.onion/viewtopic.php?pid=2071#p2071
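The design point argued in the post and in the admin's reply, as an added example that is not part of this thread or of Traderoute's code: a greeting image selected by the public username alone can be fetched by anyone who knows that username, whereas binding the lookup to a per-device token issued only after a full login leaves an unenrolled device with nothing but a generic page. The usernames, image names, token scheme and server key below are constructed for the example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Constructed sample data: public username -> that user's greeting image.
GREETING_IMAGES = {"Sunny987": "sunset.png", "buyer42": "cat.png"}

# Constructed server-side secret; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def device_token(username: str) -> str:
    """Token handed to a browser only after a complete login (password + 2FA).
    Stored in a long-lived HttpOnly cookie so later image lookups are tied to
    that device rather than to the username, which anyone can read off a listing."""
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def greeting_lookup_weak(username: str) -> Optional[str]:
    """The scheme the post describes: the username alone selects the image,
    so a third party who knows a vendor's name can retrieve it too."""
    return GREETING_IMAGES.get(username)


def greeting_lookup_bound(username: str, token: Optional[str]) -> str:
    """Hardened variant: the personal image is returned only when the request
    carries a valid token for that username; everyone else (including a
    party that merely knows the username) gets a generic new-device page."""
    expected = device_token(username) if username in GREETING_IMAGES else None
    if expected is not None and token is not None \
            and hmac.compare_digest(token, expected):
        return GREETING_IMAGES[username]
    return "GENERIC_NEW_DEVICE_PAGE"
```

The generic page still reveals nothing about the account, which is what keeps a username-only lookup from being mass-harvested.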


[2 Points] miototal:

It's not a bad idea. It's to prevent mass phishing. If it's a targeted attack you should be looking out for yourself anyways.

Granted, I guess you could cache every user's login image, but you would have to get a user list (vendors wouldn't be hard, obviously), but usually phishing only works on buyers, whose usernames aren't publicly posted. Vendors always have 2FA enabled (or should...)


[1 Points] DNMUK25:

There's a lot of things about trade route that just don't add up!


[1 Points] JburnaDNM:

I think it's a really good idea and should be a good prevention to protect users from phishing attacks, that's if those same dummies who get phished pay attention to the image. I'm not a big fan of Trade Route's layout though, but that's a whole other topic.


[1 Points] Mandy-More:

If I was a vendor, I would make my greeting image an emoticon with googly eyes and an arrow going through the head.