Dealing with Phishing
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
Security Skin (Score:3, Interesting)
it doesn't help when (Score:5, Interesting)
Drive-by-downloads (Score:3, Interesting)
The more you think you know... (Score:4, Interesting)
The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (proprietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?
Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.
GMail's filters failing? (Score:5, Interesting)
Is google getting worse or are they getting better?
Bad analogy (Score:3, Interesting)
Re:Unpredictable (Score:2, Interesting)
Re:it doesn't help when (Score:5, Interesting)
And this, kids, is why you should never outsource your email.
In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.
(And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)
The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.
I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.
Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.
IP-based Secure connections? (Score:3, Interesting)
Re:PDF, Not Plugin Link (Score:3, Interesting)
I didn't see it the first time I reset Firefox. I played with some of the settings, restarted Firefox again and it was working.
But after getting it working, it is a pretty neat addin.
Collaborative filtering works much better (Score:2, Interesting)
Why no S/MIME? (Score:3, Interesting)
Mozilla Thunderbird does S/MIME. Mac OS X Mail does S/MIME. Lotus Notes does S/MIME. Even Microsoft Exchange does S/MIME.
Sure, it wouldn't solve the problem, but it would at least give clueful users a dead easy way to see if the e-mail was really likely to be from their bank.
While we're on the subject, when is Gmail going to support S/MIME?
Obvious, simple anti-phishing solution? (Score:5, Interesting)
When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?
Then every email they send to you, they include that string in the subject line.
e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"
Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.
Re:Unpredictable (Score:3, Interesting)
Re:Half-azzed study (Score:3, Interesting)
BoA's servers haven't been touched yet, just the phisher's. Once the phisher receives this info, they make a query to BoA's servers and input the info that you've given them (the username and state). BoA sees that you're logging in from a new IP and sends a question along to the phisher. The phisher then displays that question in the page that they send to the user. To the user, it just seems like his bank took longer to display the security question than they normally do. The user puts in the answer and sends it (unknowingly, of course) to the phisher, and the phisher sends it to BoA. BoA sends back the image, which the phisher sends to the user.
All the user sees is: Login Page -> Question Page -> Image Page. Perfectly ordinary, if slightly longer loading times. And since the phisher is the only one ever talking to BoA, there is only one security question ever asked. As far as BoA is concerned, the phisher is a perfectly normal user authenticating properly.
The few things that can stop this are:
- the user paying attention to the domain name
- the security cert not being signed by a root cert authority and the user paying attention to the warning that pops up
- some anti-phishing plugin (like the one discussed here or many others available)
Of course, I'm sure some string of vulnerabilities can disable all these protections. Not to mention plain incompetence on the part of the banks. It could be my memory playing tricks on me, but I think I've seen banks forget to update their certs for a day or two after they expire. At that point, you just use the phone bank until they get their act together I guess.
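The relay attack described in the comment above, modelled as an added example (this is not code from the original post or from any bank). The four-step flow (username and state, security question on an unrecognised IP, site-key image, then password) follows the comment; the bank, the user "alice", her answers, and the IP addresses are constructed toy data. The point the model makes visible is the one the commenter draws: the bank's own log records one ordinary login from one IP, the phisher's, and exactly one security question is ever asked.

```python
"""Toy model of a real-time phishing relay against a challenge-question login.
Added illustration only; all users, secrets and IPs below are made up."""

from dataclasses import dataclass, field


@dataclass
class Bank:
    """Bank login as the comment describes it: username+state first, a security
    question when the source IP is new, a site-key image, then the password."""
    users: dict
    known_ips: dict = field(default_factory=dict)  # username -> set of IPs
    log: list = field(default_factory=list)        # what the bank observes

    def step1(self, username, state, src_ip):
        u = self.users[username]
        if u["state"] != state:
            return {"error": "bad state"}
        self.log.append(("step1", username, src_ip))
        if src_ip in self.known_ips.get(username, set()):
            return {"image": u["image"]}          # IP already trusted
        return {"question": u["question"]}        # new IP: ask the question

    def step2(self, username, answer, src_ip):
        u = self.users[username]
        self.log.append(("step2", username, src_ip))
        if answer != u["answer"]:
            return {"error": "wrong answer"}
        self.known_ips.setdefault(username, set()).add(src_ip)
        return {"image": u["image"]}              # the user's own site key

    def step3(self, username, password, src_ip):
        u = self.users[username]
        self.log.append(("step3", username, src_ip))
        if password == u["password"] and src_ip in self.known_ips.get(username, set()):
            return {"session": f"sess-{username}"}
        return {"error": "denied"}


class Phisher:
    """Spoofed login site. Every form the victim submits is forwarded to the
    real bank from the phisher's IP, and every bank response is shown back to
    the victim, so the victim sees the genuine question and genuine image."""

    def __init__(self, bank, ip):
        self.bank, self.ip = bank, ip
        self.captured = {}                        # everything the victim typed

    def step1(self, username, state):
        self.captured.update(username=username, state=state)
        return self.bank.step1(username, state, self.ip)

    def step2(self, answer):
        self.captured["answer"] = answer
        return self.bank.step2(self.captured["username"], answer, self.ip)

    def step3(self, password):
        self.captured["password"] = password
        return self.bank.step3(self.captured["username"], password, self.ip)


def run_attack():
    """Play the victim through the spoofed site; return what each side ends up with."""
    bank = Bank(users={"alice": {             # constructed account data
        "state": "NY", "question": "First pet?", "answer": "rex",
        "image": "sailboat.png", "password": "hunter2"}})
    phisher = Phisher(bank, ip="203.0.113.7")  # documentation-range address
    victim_view = []
    r1 = phisher.step1("alice", "NY")          # bank sees a new IP, asks the question
    victim_view.append(r1)
    r2 = phisher.step2("rex")                  # victim answers; real image comes back
    victim_view.append(r2)
    r3 = phisher.step3("hunter2")              # victim trusts the image, types password
    return {"bank": bank, "phisher": phisher, "victim_view": victim_view, "result": r3}


def bank_observed_ips(bank):
    """IPs the bank's log ever saw: the victim's own address never appears."""
    return {entry[2] for entry in bank.log}


if __name__ == "__main__":
    out = run_attack()
    print("victim saw:", out["victim_view"])
    print("phisher holds:", out["phisher"].captured, out["result"])
    print("bank log:", out["bank"].log)
```

Nothing in the bank's view distinguishes this from a normal login from a new machine, which is why the comment's list of remaining defences is entirely on the client side: the domain name in the address bar, the certificate warning, or a plugin that knows which site the user is really talking to.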
Re:What bothers me is... (Score:3, Interesting)
By and large, these people are the mob. Russian organised crime is into spam and phishing in a big way, and several of the other groups are getting in on the action. And it's no easier to shut them down today than it was a hundred years ago. They're using bribery, blackmail, pressure on the government from their semi-legitimate sides, and all the other usual tricks. When some of them finally do get arrested, they're always sacrificial pawns; another bunch of people is immediately set up to replace them.
There are a few people out there doing this stuff on their own, but to make money from phishing you need a way to convert a long list of credit card numbers into money - it's far better suited to organised crime than to rogue asshats.
Re:Obvious, simple anti-phishing solution? (Score:3, Interesting)
Suddenly, they stopped doing this around March 2005. I haven't a clue why.