Forgot your password?
typodupeerror

Dealing with Phishing 168

Posted by CmdrTaco
from the god-i-wish-someone-would dept.
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
This discussion has been archived. No new comments can be posted.

Dealing with Phishing

Comments Filter:
  • PDF, Not Plugin Link (Score:5, Informative)

    by christopherfinke (608750) <chris@efinke.com> on Wednesday June 28, 2006 @12:08PM (#15621690) Homepage Journal
    Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).
  • Unpredictable (Score:5, Insightful)

    by neonprimetime (528653) on Wednesday June 28, 2006 @12:11PM (#15621717)
    The only thing an attacker can't simulate is an interface he can't predict.

    This will be the key when designing sites in the future.
    • by Penguinisto (415985) on Wednesday June 28, 2006 @12:20PM (#15621786) Journal
      ...coming soon! a ubersecure site that uses Arcnet for its internal network and a small IPX/SPX DMZ! Then every odd week, we switch it all to AppleTalk internally and Banyan VINES in the DMZ - they'll never see it coming!

      (Of course, no one will ever be able to get anything done, but the geek factor would be impressive if you could actually make a 'musical protocols' plan work...)

      /P

    • So... should we look to sceneagers' (scenester teenagers) myspace pages for some examples? The future of web design!!!... it hurts my eyes :(
      • sceneagers

        Can I pay you to never say that word again?

        • You mean sceneagers?

          Of course you can pay me never ever to mention sceneagers again.

          Lemme see...

          1. Put sceneagers in your sig.
          2. Demand money to remove them.
          3. ??? (Obligatory)
          4. Profit!!11threepluseight

          Better than the bunny.

    • Re:Unpredictable (Score:2, Interesting)

      by curecollector (957211)
      Some sites have started to adopt a similar approach, albeit not to such an extent. Bank of America, for example, asks for your login on their front page, which then forwards you to a separate page, displaying a user-selected icon (chosen from maybe 20 choices, if memory serves), and then asking for your password. Still, it's not perfect as your account number/login is typically your ATM/debit card number...
      • Re:Unpredictable (Score:3, Interesting)

        by tylernt (581794)
        displaying a user-selected icon
        Heck, why not allow a user to upload their own image (perhaps even a photo of themselves). If you store the image on the legitimate website's server, even a phisher exploiting a UI, browser, or cookie vulnerability wouldn't fool the user.
        • OH ya, sure.

          Attention Customer, due to a security breach, many of our customer's security images were compromised. Please select a new image below, and enter your password to set this new image as your new login image. We are dedicated to helping our customers stay secure.
    • Yeah, you've seen examples of this before. If you're a Linux or Mac user, I'm sure you've seen pop-up windows or advertisements that feature the default Microsoft XP blue window manager colors with the red X for 'closing' the Window (which is just like a window.close statement)...

  • I can agree that while something like this could help those who are not knowledgable about such things in the digital world, I wonder if perhaps we should be taking steps back to make sure people actually stay informed of such dangers.

    For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors", since logically only "female connectors" should work anyway. Now it
  • Security Skin (Score:3, Interesting)

    by christopherfinke (608750) <chris@efinke.com> on Wednesday June 28, 2006 @12:12PM (#15621726) Homepage Journal
    Looking through the PDF linked, I see that the plugin uses some visual hashes as browser backgrounds in trusted situations, but I wonder if there is an anti-phishing extension that would alter the color of the main background of the browser chrome for possible phishing sites. For example, a light-green would be trusted, but variations through a fire-engine red would indicate a possible phishing attempt.
  • it doesnt help when (Score:5, Interesting)

    by future assassin (639396) on Wednesday June 28, 2006 @12:17PM (#15621757) Homepage
    legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

    Capital One(R)--what's in your wallet?(R)

    Your Capital One statement is ready.

    RE: Your account ending in 0000

    Your current Capital One statement is now available for viewing online. Simply log in to Online Account Services and click the My Statement tab.

    Log in now at http://capitalone.bfi0.com/ [bfi0.com]

    Is all your information reaching you?

    To help ensure this time-sensitive message reaches your inbox each month, add the Capital One address that appears in the "From" line above to your electronic address book. This is especially important if you or your service provider use e-mail filters.

    Use our web site as a resource for information and to access a variety of consumer lending products and special services. Add http://capitalone.bfi0.com/ [bfi0.com] to your bookmarks, so you can come back easily and often.

    Thanks for using Capital One's Online Account Services.

    Important Information from Capital One

    This e-mail was sent to me@mydomains.com and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

    The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

    Capital One and its service providers are committed to providing meaningful privacy protection for their customers. To protect your privacy, please do not send sensitive account information through e-mail. For information on our privacy policy or how to contact us, please visit our web site at http://capitalone.bfi0.com/ [bfi0.com]

    If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

    • by Tackhead (54550) on Wednesday June 28, 2006 @12:41PM (#15621974)
      > legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

      And this, kids, is why you should never outsource your email.

      In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.

      (And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)

      The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.

      I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.

      Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.

    • I don't know about you but all my capitalone emails link to email.capitalone.com your getting screwed :)
    • And it's so legit it now gives a blank page to firefox.
    • Capital One, and everyone else, should either links to the company's known homepage, or to an https:/// [https] address. This way, the end-user can easily verify the link's legitimacy. There is no reason for Capital One to send their e-mails' links through the bfi0.com domain.
    • by vinn01 (178295) on Wednesday June 28, 2006 @01:04PM (#15622174)

      I swear that some marketing departments get their e-mail designs from looking at spam. I've have seen some legit corporate e-mails that look so close to previous phishing spam that you would think that they did it on purpose.

      The only explanation that I can think of is that they see the phishing spam e-mail, think that it's from their own company, and then design new e-mails to look the same.

      Doubt it? We're talking about the marketing department....
    • Admittedly off-topic, but you might want to look into ditching any CapitalOne credit cards you have. They've been using a somewhat questionable reporting practice recently of only telling how much you have on your card to the reporting agencies, rather then the amount you have and your maximum. The credit agencies, with only the one number, assumes it to be both your current limit and the amount you're using - in other words, that you're using 100% of your credit. This can really screw your credit score.

      (If
    • The security problem has much to do with marketing. Banks made a number of critical mistakes when they first started online banking, mostly having to do with using email as a semi-secure communication link. I would recieve emails from my bank, and would write back asking how I knew it was from then and not a third party. They said the email.

      But really banks have been compromising customer security to maximize profits for years. For instance, banks will license thier logo to third parties for advertise

  • Drive-by-downloads (Score:3, Interesting)

    by Itninja (937614) on Wednesday June 28, 2006 @12:18PM (#15621768) Homepage
    So this may help one realized that they are not on the actual Paypal/Citibank/Ebay site, and they can leave before they enter their personal information. But many phishing sites have already done their damage by that time, via a drive-by-download; install all forms of malware and spyware in just a few seconds.
  • by The MAZZTer (911996) <megazzt@@@gmail...com> on Wednesday June 28, 2006 @12:20PM (#15621791) Homepage
    for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.

    Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!

  • by Lord of Hyphens (975895) <lordofhyphens&gmail,com> on Wednesday June 28, 2006 @12:20PM (#15621793) Homepage
    Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.

    The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (propietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?

    Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.
  • by DAldredge (2353) <SlashdotEmail@GMail.Com> on Wednesday June 28, 2006 @12:20PM (#15621798) Journal
    Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.

    Is google getting worse or are they getting better?
    • Google's filter (like any good spam filter) is adaptive. Spammers/phishers figure out a way to get their stuff through, a bunch of people mark it as spam/phishing and the filter learns that those messages are spam/phishing. You'll probably see the exact same messages hitting your spam box in a couple weeks.
  • by Jimmy King (828214) on Wednesday June 28, 2006 @12:21PM (#15621800) Homepage Journal
    While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.

    The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.
    • The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.

      The problem is that people are allowed to control a dangerous vehicle in public spaces without any form of training. Ineffective as they are, driving tests at least ensure that people
  • Bad analogy (Score:3, Interesting)

    by KerberosKing (801657) on Wednesday June 28, 2006 @12:25PM (#15621835)
    The thought that an average user will personalize their web interface like they personalize their celll phone doesn't fly with me. If that were true, we would see copies of Tweak UI on a lot more wintel boxes. Everyday people would be replacing the explorer shell with LightStep. I don't see that happening. About the most personalization I have seen is people putting up a picture of their girlfriend or baby up as desktop wallpaper. Geeks use custom tools, but most geeks are savvy enough about phishing to not fall for it.
    • Moreover personalized web pages can only start after you logged in (because only then the server will know whose personalized look it shall display). But at that time, you already have typed your password or PIN.
    • TweakUI is bad comparison (the response times for mouse events, mini arrows on shortcuts?),
      LightStep is a bad comparison (putting Linux on an ipod?). The right comparisons are ipod
      socks, windows themes and color schemes (or the screensavers, etc. that they alreay listed).
  • Half-azzed study (Score:3, Informative)

    by Jonboy X (319895) <jonathan.oexner@nosPAm.alum.wpi.edu> on Wednesday June 28, 2006 @12:26PM (#15621848) Journal
    From TFA:
    We conducted a usability study where we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why...Our participant population was highly educated, consisting of staff and students at a university. The minimum level of education was a bachelor's degree. Our population was also more knowledgeable than average, because they were told that spoofed websites were in the test set. They were also more motivated than the average user would be, because their task in the study was to identify websites as legitimate or not.


    So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.

    For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
    • Re:Half-azzed study (Score:3, Informative)

      by Zardus (464755)
      See, the BoA approach always confused me. By the time you see that picture you've already entered your login ID, and your login ID is all it takes to see that picture. Now, if the phishing site already knows that ID (since there is no picture or anything to prevent you from entering it at this point), why can't the phishing site just hit up BoA for that picture and present it to you?

      In some cases BoA asks you a security question, but that's the same problem with that. Phishing site hits up BoA for the quest
      • Hmmmm ... thinking along those lines, the phishing site could just be a proxy forwarding everything to the legitimate site and back, but just storing the interesting data like passwords.
      • I could be wrong about this but I think they go by your IP address. If you use your user id from a new IP address, you'll be asked one security questions out of three security questions on your account profile. You'll only be shown the SiteKey if get the question right. How would the phisher be sure his script would get the same question from the BofA website.
        • Re:Half-azzed study (Score:3, Interesting)

          by Zardus (464755)
          Well, it'd be a setup like this: you get an email sending you to http://bonkofamerica.com/ [bonkofamerica.com] (notice bonk instead of bank) telling you to login quick to fix something or other. You go there, enter your user ID, select the state that you got your account in, and click login.

          BoA's servers haven't been touched yet, just the phisher's. Once the phisher recieves this info, they make a query to BoA's servers and input the info that you've given them (the username and state). BoA sees that you're logging in from a n
    • For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.

      Do they let you upload your own picture, or do you select from a list of what they provide? If the latter, then the phishers know what the stock photos are. Say there are twenty of them. The phisher picks one. He may have eliminated 95% of the p
      • Do they let you upload your own picture, or do you select from a list of what they provide?

        Unfortunately, it's the latter. Though they do have several hundred images to choose from.

        Plus there's another layer before phishers can retrieve your image based on your login name. If the site doesn't recognize your browser (via a cookie or set of cookies) it will ask a challenge/response question first, *then* it'll show you your chosen image and manually-entered caption. By default it will forget the browser, s
    • Sorry if the language of my OP was a little flamish. That wasn't my intent. I guess I should clarify the points I was trying to make:
      1. A sample of 22 people is, IMO, too small to credibly demonstrate this phenomenon.
      2. The fact that the test group is college students and staff and not just your average Internet users probably doesn't add to the relevence of the study either.
      3. The study doesn't test the effectiveness of the Firefox plugin being promoted. It just shows that this particular group of people aren't
  • by scolby (838499) on Wednesday June 28, 2006 @12:31PM (#15621878) Journal
    Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.

    In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.
    • by Anonymous Coward
      It's true there is always a way around things, and though the example with the image selection that Bank of America uses (and similar implementations at a handful of other financial institutions) is not completely foolproof, it significantly more secure than a financial institution that does not use such a system. BofA and the other banks know this - Phishers are more likely to target the customers of a bank that hasn't re-educated its userbase on their new login will work, and why.

      When someone goes fishin
  • by azav (469988) on Wednesday June 28, 2006 @12:32PM (#15621902) Homepage Journal
    Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.

    If we are, why are we not hearing about it?

    I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.

    Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

    ??
    • Breaking some knees might be more effective. Why? The Internet is the equivalant of the Wild West. Anything goes. Laws are a very sticky thing where virtual territory is concerned. Since the Internet is a vast largely unregualted affair, getting laws in action don't do much since there isn't a white suited sherriff with an ivory handled Colt walking around keeping the bad guys in line.

      But then again, we all know what happened when someone tried to take the law in their own hands. Look at Blue Securi

    • tell the RIAA that they're sending out mp3s...
      or tell the FCC that they're sending out pictures of boobies...
      that'll get something done about it.

    • Organized crime is notoriously difficult to fight in the first place. When the criminal syndicate is overseas, all the problems of cross-border law enforcement collaboration pop up. To make matters even worse, quite a few botnets and phishing scams trace back to corrupt countries where the police are in on the racket. I do not recommend flying to Belarus and trying to break the knees of someone who has an under$tanding with the local gendarmes.
    • Become rich and hire the mob to find these people and break some knees?

      By and large, these people are the mob. Russian organised crime is into spam and phishing in a big way, and several of the other groups are getting in on the action. And it's no easier to shut them down today than it was a hundred years ago. They're using bribery, blackmail, pressure on the government from their semi-legitimate sides, and all the other usual tricks. When some of them finally do get arrested, they're always sacrificial pa
  • If the idea is to skin a user's page on a given web site where they might be phished (like a banking web site), then it won't really help, because the proper skin can't be applied until after a user has logged in, and by then it's already too late! I suppose it might be possible to store that in a cookie, but that would assume that the user never connects from a "fresh" computer that hasn't been used with the site before. And then there are the redirection attacks which make use of a bug in the web site i
    • I just RTFblurb... the point was to have the browser do skinning based on the web site being visited. Which still doesn't help when the user is not using his/her normal computer, and still takes effort to set up the skinning.
  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday June 28, 2006 @12:35PM (#15621928) Homepage Journal
    That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?
  • by Billosaur (927319) * <`wgrother' `at' `optonline.net'> on Wednesday June 28, 2006 @12:51PM (#15622056) Journal

    Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.

    There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."

    Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.

    Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.

  • how much intelligence and technology has to be applied to reduce the effects of people's stupidity. The more stupid/gullible/apathetic/lazy people are, the more sophisticated/integrated/processor-and-storage-int ensive applications have to become. Maybe we're just enabling people's stupidity by doing this. Eventually, as people's intelligence goes to zero, the number of processor cycles to protect them from themselves will become infinite.
  • by guruevi (827432) <(eb.ebucgnikoms) (ta) (ive)> on Wednesday June 28, 2006 @01:04PM (#15622166) Homepage
    How about using the same technique SSH uses: If you come on a site that has the same IP but with a different key or the same key with a different IP: BIG WARNING THAT THIS SITE OR THE COMMUNICATIONS IS POSSIBLY COMPROMISED and provide a link to customer support in case that happens. SSL Certificates just check whether your communications is securely established and I won't examine that certificate everytime I connect. When you want to do Internet banking or something similar, your bank should give you a key on a read-only USB disk or something and the possibility to boot a Damn Small Linux from that disk. My bank did that for a while, but I guess they fell back on just providing the key probably because of the support issues with DSL and xDSL, USB Modems, Winmodems and other crap like getting the VPN through the users' firewall and you had a browser but couldn't go anywhere but the bank's sites. But I have another bank account that just requires a username and password and you're not even on the secure part by then. How dumb is that? I avoid using my Internet banking just for that. The people at the branch sometimes ask why I don't do those simple things (like transferring money) through their site. I am running only Mac and Linux but still I don't want anyone connecting because they keylogged my password - some users might have troubles putting a good password in the first place (insert oblig. spaceballs password quote here). My webmail is more secure than their site (RSA SecurID key required for that), so they could at least do SOME effort like giving me something similar to SecurID for their site.
  • Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

    I find it interesting that those examples grew from technological necessity. We used to need screen savers because our ancient monitors would burn in the image otherwise. We needed changeable ringtones because everyone in a crowd would have to check their phone if one was heard ringing. Some of u

  • End users cannot distinguish well between legitimate sites and phishing sites. Adding in sugar such as the date of the user's last login is helpful only as a positive reminder that the user is on the right site. It's better than nothing, but not by a factor of 10.

    Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increas
  • Unless this is a highly targetted and customised phishing attack. Collaborative filtering like cloudmark [cloudmark.com] works amazingly well. You can stop a phishing attack spread within a few minutes. Here is more info on collaborative filtering [stason.org] or google for it.
  • On several fronts...

    I think it is a interesting to see that researchers are trying to find ways to get Joe/Jane user to recognize that WYSINWYG with every website they visit. So maybe there are a few flaws in these folks' ideas... but they're trying to get education out (at least, on some level).

    Educate yourself about the changing face of phishing. Help other folks by helping them understand phishing. Don't hesitate to try to find a way to reduce phishing.

    Report phishing... if you can report it to the
  • Spoof Proof? (Score:4, Insightful)

    by sqlrob (173498) on Wednesday June 28, 2006 @01:25PM (#15622344)
    She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces

    We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.

  • Why no S/MIME? (Score:3, Interesting)

    by metamatic (202216) on Wednesday June 28, 2006 @01:49PM (#15622572) Homepage Journal
    What I want to know is why none of these dumbass banks use S/MIME to sign the e-mail they send out.

    Mozilla Thunderbird does S/MIME. Mac OS X Mail does S/MIME. Lotus Notes does S/MIME. Even Microsoft Exchange does S/MIME.

    Sure, it wouldn't solve the problem, but it would at least give clueful users a dead easy way to see if the e-mail was really likely to be from their bank.

    While we're on the subject, when is Gmail going to support S/MIME?
  • by Jester99 (23135) on Wednesday June 28, 2006 @01:53PM (#15622615) Homepage
    Maybe somebody could explain to me why this wouldn't work. It's trivially simple to implement.

    When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

    Then every email they send to you, they include that string in the subject line.

    e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"

    Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.

    • Because email is sent in the clear?
      • True. So if a phisher owned a server between your bank and you, they could certainly make use of their man-in-the-middle status.

        But I was under the impression that most phishers were just using spam-style tactics to carpet bomb as many people with emails as possible. For them to subvert this mechanism via a MITM attack, they'd have to a) own a server that your data relayed through, b) parse the mail headers to determine if it's actually something they have a phish set up for, and c) maintain a database of e
        • But it's not random. Once this becomes common all you have to do is to start listening outside
          of a bank. Not only do you then have the ability to target only actual customers when phishing
          (yeah, um I totally forgot about my account with the Bank of Bangkok), but you get their
          safewords too.

          If you wanted to do something like the original idea, but slightly more convoluted, is to give
          customers an OTP with strings to tick off as they receive "official notices" from the bank.
          Granted, you could not (safely) autom
    • by erice (13380)
      When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

      Then every email they send to you, they include that string in the subject line.

      You can actualy go one better today, without telling your bank what you are doing.
      Give your bank a unique email address. Never use that email address for anything else.

      The odds of getting a phish on that
      • Did anyone ever figure out what happened to gmail accepting username+handle@gmail.com?

        I tried to use that for filtering, and it worked -- for about a day. After that, mail to username+handle wasn't delivered to me anymore.

        I'd use something like that for filtering but I can't :(
    • Bank of America did this for a while. The first line of any e-mail they sent to you was "Authorization Phrase: %s", where %s was the phrase that the user entered on the website when entering their e-mail address.

      Suddenly, they stopped doing this around March 2005. I haven't a clue why.
  • She? (Score:2, Funny)

    by FurryFeet (562847)
    This story is useless without pics.
  • A simple solution (Score:4, Insightful)

    by GeorgeVW (599773) on Wednesday June 28, 2006 @02:56PM (#15623140)
    Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.
  • by abb3w (696381) on Wednesday June 28, 2006 @03:13PM (#15623246) Journal

    FTA: Participants proved vulnerable across the board to phishing attacks. In our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.

    No check for "familiarity with elementary principles of cryptography" giving a correlation. I suspect that anyone who recognize the significance of the names "Alice, Bob, and Eve" will probably be far less vulnerable than average.

    I'll also note that while they claim: "There is no significant correlation between the score and the primary or secondary type of browser or operating systems used by participants", their breakdown of participants indicated no Linux users were studied. Of course, Linux users are a weirdo minority, but I would be curious.

  • Phishing works because people are idiots.

    "Ohhh! A monkey is asking for my credit card number. That sounds reasonable and fair!"

    There are those 'surveys' (many posted around slashdot) that want you to pick the phishing attempts.

    Look at any major company- financial institutions, etc- they never send you e-mail. they never ask for your e-mail. You never get credit card info via e-mail.

    This is where paypal went wrong- they depend on e-mail, and for anything that deals with money, there should never be an e-m

Q: How many IBM CPU's does it take to execute a job? A: Four; three to hold it down, and one to rip its head off.

Working...