funsec mailing list archives

Re: Nordea Sweden shuts Internet banking due to targeted phishing


From: Steven Champeon <schampeo () hesketh com>
Date: Wed, 5 Oct 2005 10:50:00 -0400

on Wed, Oct 05, 2005 at 11:34:02AM +0200, Florian Weimer wrote:
> * Justin Mason:
> 
>> - Adam Shostack's _Preserving the Internet Channel Against Phishers_,
>>   http://www.homeport.org/~adam/phishing.html , in which he gives
>>   4 simple steps that *will* fix the problem.
> 
> What is the problem?  "Phishing" or online fraud?

The problem is that Bank X uses Service Y to send its email. If you go
to a Web site https://www.bankx.com to do your banking, but they send
email from onlinebanking () outsourced-bank-mailer net (as many banks, sadly,
do) then there is no way for the recipient to distinguish between scams
and legitimate notices. It doesn't help that given that situation many
have come to rely on logos in HTML email rather than whether the sending
host is under the bank's control. 

The weakness in Shostack's approach is that he only recommends that "all
your Web sites must belong to you, and show up under your domain". He
makes no recommendation regarding the email channel also remaining in
the bank's domain. Yes, the phishing actually happens at a Web site to
which the user is directed by HTML email and a hidden link. But it's in
my interest to prevent email from foo () ebay com coming in from somewhere
that isn't under ebay's control, so as to prevent my users from even
being exposed to the phish email in the first place.
 
-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
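The sender-domain check the post argues for, as an added example that is not part of the thread: it compares the From domain against the bounce address and the last-hop relay, and flags mail whose From is already outside the bank's domains as the "indistinguishable" outsourced-mailer case. The controlled-domain set, the simplified Received layout and the three sample messages are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy (assumption, not from the post): domains the bank controls.
CONTROLLED = {"bankx.com"}

def registrable(domain):
    """Toy 'organizational domain': the last two labels of a host name."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()

def addr_domain(header_value):
    """Domain part of an address header, '' if absent or unparsable."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def classify(raw):
    """Return (verdict, detail): 'aligned' when From, Return-Path and the last-hop
    relay are all bank domains; 'spoofed' when From claims the bank but the path does
    not; 'indistinguishable' when From itself is outside the bank's domains (the
    outsourced-mailer case), leaving the recipient no domain signal to judge by."""
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From"))
    rp_dom = addr_domain(msg.get("Return-Path"))
    # Last-hop relay, taken from the topmost Received header (simplified layout).
    received = msg.get("Received", "")
    relay = received.split("from ", 1)[1].split()[0] if "from " in received else ""
    orgs = {registrable(d) for d in CONTROLLED}
    if registrable(from_dom) not in orgs:
        return "indistinguishable", f"From domain {from_dom!r} is not a bank domain"
    if registrable(rp_dom) not in orgs or registrable(relay) not in orgs:
        return "spoofed", f"From {from_dom} but path via {rp_dom or '?'} / {relay or '?'}"
    return "aligned", f"{from_dom} via {relay}"

# Constructed sample messages; only the headers matter here.
LEGIT = """From: Bank X <alerts@bankx.com>
Return-Path: <bounces@bankx.com>
Received: from mx1.bankx.com (mx1.bankx.com [192.0.2.10]) by mx.example.net
"""
OUTSOURCED = """From: Bank X <onlinebanking@outsourced-bank-mailer.net>
Return-Path: <b@outsourced-bank-mailer.net>
Received: from out3.outsourced-bank-mailer.net (out3 [198.51.100.5]) by mx.example.net
"""
SPOOFED = """From: Bank X Security <security@bankx.com>
Return-Path: <x@example.org>
Received: from host.example.org (host.example.org [203.0.113.9]) by mx.example.net
"""
```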