Phishing Steals Spotlight at MIT Conference 74
Bob Brown writes "Companies are coping with spam, but phishing is another matter altogether, according to researchers at the annual MIT Spam Conference this week. From the article: "The response rate for phishing e-mails is much higher than for spam, says Paul Judge, CTO of messaging security maker CipherTrust. So while spammers have to send more and more unsolicited e-mail these days, as anti-spam filters get better at identifying and blocking spam, phishing attacks are well enough disguised that a higher percentage get through such filters, and more recipients click on them, he says."
Help stop them, by reporting them (Score:5, Informative)
Also, those of you who use GMail, there is a "Report Phishing" option under "More Options"
Temporary e-mail (Score:5, Informative)
From the article: Among these were a proposal to improve Bayesian filter accuracy, a system for generating temporary e-mail addresses so that a person's preferred address doesn't have to be given out, spam filters based on adaptive neural networks, a new message-verification platform. (emphasis added)
This is called "keyed e-mail". I have used a keyed email system from Zoemail [zoemail.com] in the past and it works very, very well for this purpose. There is some extra time required for managing the keys, but the idea works great for me. (and no I do not work for them... I just think the technology works.)
Why not cryptographically authenticate e-mail? (Score:5, Informative)
If you visit a website and initiate an SSL session, the public-private key cryptography (along with the public root certificates imbedded in your browser) will verify that the website you're visiting is really who they say they are. (Or at least that Verisign thinks they are legit.)
I don't see why companies don't make a similar effort to cryptographically authenticate their e-mail. People use PGP for security advisories etc......, but I don't understand why all e-mail coming from my bank, coming from Paypal etc... shouldn't be signed.
If there was a portion of your e-mail window at the bottom right hand of your screen that said stuff like:
"This is an authentic e-mail from BankOfBlanBlah signed on 3/31/06 at 3:52PM" or "This is an unsigned e-mail. It is possible that this e-mail is fraudulent." or "This e-mail has an incorrect signature. It is highly possible that its contents are fraudulent."
My rough guess that e-mail authentication isn't done because (1) programmers are lazy and sending plain text is easier to program and (2) The way you do e-mail auth in e-mail clients is all different and a huge mess from a usability standpoint.
It might put at least a dent in some of this phishing stuff if people expected all e-mail from e-bay, paypal, their bank, amazon etc... to be signed.