The practice, which we have reported on several times, is designed to harvest passwords and access codes to online centres of money management like Paypal, E-gold, Barclay's Bank and Citibank. It is based on a little-known feature of web addresses, which allows the user name for logon to be encoded into the web address in the form http://username@www.webaddress.com/. The 'phishers' send emails to unsuspecting netizens that include urgent entreaties to log in to a certain web site. The emails include clickable addresses in the form http://www.trustedsite.com.bla.bla.bla.bla.bla@evilsite.net/ These addresses, or URLs, are difficult to distinguish at first glance from legitimate URLs actually belonging to a real bank etc.
Life was made more difficult for the potential victims and simpler for the scamsters when a bug was discovered in Internet Explorer that allowed the real URL to be disguised even more effectively. The trick involves inserting a special character that cuts short display of the URL after the spoof web site name. Now only the missing forward slash after the apparent domain name can alert users that they are being tricked.
This bug, since used in an eBay scam, is still unfixed, but now Microsoft appears to be lumbering into action. The plan, detailed here, is simply to do away with user names and passwords in URLs altogether. This rather drastic baby-and-bathwater action goes further than merely ensuring that the URL is displayed correctly and in a way that doesn't confuse the users.
Though little-used, the tricky URL form is a recognised Internet standard as documented in various RFC documents. For this reason the developers of other browsers, like Mozilla, don't feel they can simply get rid of it. Instead, the Mozilla developers and a horde of kibitzers have spent almost a year and 156 comments discussing what can be done. Right now that effort has got precisely nowhere and Mozilla users are almost as vulnerable as Internet Exploder users to being hoaxed in this way.
Only web browsing minnow Opera seems to have got it right, with a popup that warns users they may be on the hook of the phisher. This simple and surely effective solution was clearly 'too obvious' for the big boys of the browser wars. µ
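As an added illustration (not code from the article, nor from any of the browsers it mentions), the script below shows what a link checker in the spirit of Opera's popup can do with the addresses described above. It uses the standard WHATWG URL parser available in Node.js and modern browsers, so the real host and the user-name part are separated by the parser rather than by eye; the sample URLs are constructed for this example, and the heuristics (flagging any user-info, flagging user-info that looks like a domain name, flagging control characters that could cut a displayed address short) are this example's own, not a published browser rule.

```javascript
// Added example: classify a clickable address the way a phishing-aware
// browser might, using the WHATWG URL parser (global `URL` in Node >= 10).
// Sample URLs below are constructed for illustration only.

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { ok: false, host: null, apparentHost: null, warnings: ['unparseable URL'] };
  }

  const result = { ok: true, host: url.hostname, apparentHost: null, warnings: [] };

  // The parser treats everything before '@' as user-info, never as the host.
  // A legitimate bank login link almost never carries user-info at all.
  if (url.username !== '' || url.password !== '') {
    result.warnings.push('user-info present; the site actually reached is ' + url.hostname);

    // Decode percent-encoded bytes so hidden characters become visible.
    let user = url.username;
    try {
      user = decodeURIComponent(user);
    } catch (e) {
      // malformed percent-encoding: keep the raw form, still worth flagging
    }

    // Control characters in user-info serve no legitimate purpose in a login
    // link and can truncate what some address bars display.
    if (/[\x00-\x1f\x7f]/.test(user)) {
      result.warnings.push('control characters in user-info (display truncation risk)');
    }

    // If the user-info reads like a domain name, the link is dressed up to
    // look as though that name is the site being visited.
    const visible = user.replace(/[\x00-\x1f\x7f]/g, '');
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(visible)) {
      result.apparentHost = visible;
      result.warnings.push('user-info looks like a domain name: ' + visible);
    }
  }
  return result;
}

// Text a browser could show in a popup before following the link.
function popupMessage(raw) {
  const r = inspectLink(raw);
  if (!r.ok) return 'This address could not be parsed.';
  if (r.warnings.length === 0) return 'You are going to ' + r.host + '.';
  return 'Warning: this link takes you to ' + r.host +
    (r.apparentHost ? ', not to ' + r.apparentHost : '') + '.';
}

const samples = [
  'http://www.example-bank.com/login',                            // constructed, plain
  'http://www.trustedsite.com.bla.bla.bla.bla.bla@evilsite.net/', // form quoted in the article
  'http://www.example-bank.com%01@evil.example/'                  // constructed, control char
];
for (const s of samples) {
  console.log(s, '=>', popupMessage(s));
}
```

The point of parsing rather than pattern-matching the raw string is that the parser's `hostname` is the only name that matters for where the request goes; anything the checker says about the "apparent" host is a courtesy to the user, and the decision to warn rests solely on the presence of user-info.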