Anti-phishing "phrase" ineffectual on some markets?

I notice that some markets, like Agora for example, have an anti-phishing phrase that they show at the top of the screen. But they don't show the phrase until after you have entered your username and password, so unless I'm missing something, this is completely ineffective. Couldn't a phishing site present a fake login screen, then take your username and password and log into the real site via script, then read your secret phrase and present it back to you on the phishing site?

The way banks, etc. do it is: you enter your username and one piece of secret information (like an account number), then you are taken to a second screen that shows your anti-phishing phrase, then you enter a second piece of information (like your password). However it actually works, if you allow the user to enter their password before showing the anti-phishing phrase to validate that they're at the right web site, then I don't think the anti-phishing phrase is actually doing anything.

I think the situation is slightly better if the user has PGP authentication turned on. This way, the phishing site cannot log into the real site to scrape the secret phrase and the user should be warned that they are not on the correct site even if the phishing site fakes a successful PGP response.


Comments


[1 Points] tom_team:

Sometimes hackers proxy a whole site. They act like a man-in-the-middle and they only listen for the usernames/passwords and replace the bitcoin addresses.

What would be a solution?
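As an added example (not part of this thread, and not any market's code), the relay described in the original post and in tom_team's comment, modelled in Python. The `RealSite`, `PhishingRelay`, account, phrase and deposit addresses are all constructed for illustration. The fake site forwards the victim's username and password to the genuine site, reflects the genuine phrase back so the victim's phrase check passes, and rewrites the deposit address in the page it proxies.

```python
"""Simulation of a phishing relay against a "post-login" anti-phishing phrase.

Added example: every class, account, phrase and address below is constructed
for illustration and does not describe any real market's implementation.
"""
import re
import secrets


class RealSite:
    """Genuine site: shows the anti-phishing phrase only after a password login."""

    def __init__(self):
        # Constructed account: username -> (password, anti-phishing phrase)
        self._accounts = {"alice": ("correct horse battery", "purple giraffe")}
        # Constructed per-user deposit address shown on the logged-in page
        self._deposit = {"alice": "1VictimDepositAddr1111111111111"}
        self._sessions = {}

    def login(self, username, password):
        """Return a session token, or None. Nothing is shown before this step."""
        rec = self._accounts.get(username)
        if rec is None or not secrets.compare_digest(rec[0], password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def home_page(self, token):
        """Logged-in page: the phrase banner plus the user's deposit address."""
        user = self._sessions[token]
        phrase = self._accounts[user][1]
        return (f"<div class='phrase'>Your phrase: {phrase}</div>\n"
                f"<div class='deposit'>Deposit to: {self._deposit[user]}</div>")


# Shape of a legacy Bitcoin address (base58, starts with 1 or 3); used by the
# relay to find and rewrite addresses in any page it proxies.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


class PhishingRelay:
    """Fake login page that logs in upstream with the stolen credentials,
    then serves the genuine page back with the deposit address swapped."""

    def __init__(self, upstream, attacker_addr):
        self.upstream = upstream
        self.attacker_addr = attacker_addr
        self.stolen = []        # captured (username, password) pairs
        self._sessions = {}     # victim's fake token -> real upstream token

    def login(self, username, password):
        self.stolen.append((username, password))
        real_token = self.upstream.login(username, password)
        if real_token is None:
            return None
        fake_token = secrets.token_hex(16)
        self._sessions[fake_token] = real_token
        return fake_token

    def home_page(self, fake_token):
        page = self.upstream.home_page(self._sessions[fake_token])
        # The phrase passes through untouched; only the address is rewritten.
        return ADDR_RE.sub(self.attacker_addr, page)


def victim_session(site, username, password, expected_phrase):
    """What the user does: log in, then check the phrase banner.
    Returns (phrase_check_passed, deposit_address_shown)."""
    token = site.login(username, password)
    if token is None:
        return (False, None)
    page = site.home_page(token)
    phrase_ok = f"Your phrase: {expected_phrase}" in page
    addr = re.search(r"Deposit to: ([A-Za-z0-9]+)", page).group(1)
    return (phrase_ok, addr)


def run_demo():
    """Same user, same check, against the genuine site and against the relay."""
    real = RealSite()
    phish = PhishingRelay(real, attacker_addr="1AttackerAddr111111111111111111")
    genuine = victim_session(real, "alice", "correct horse battery", "purple giraffe")
    relayed = victim_session(phish, "alice", "correct horse battery", "purple giraffe")
    return {"genuine": genuine, "relayed": relayed, "stolen": phish.stolen}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In both runs the phrase check passes, because the relay never has to know the phrase in advance: it learns it from the genuine site the moment the victim hands over the password. The only difference the victim could notice is the deposit address, which the relay has already replaced.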