Interesting People mailing list archives
Re: Amex goes phishing
From: David Farber <dave () farber net>
Date: Fri, 23 Jan 2009 09:08:49 -0500
Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: January 22, 2009 9:44:20 PM EST
To: David Farber <dave () farber net>
Cc: "James J. O'Donnell" <provost () georgetown edu>
Subject: Re: [IP] Amex goes phishing

On the topic of phishing, and steps companies like Amex can take to mitigate it, here's a re-cast of something I wrote the other day:

I'd prefer my bank to not send email which includes any URLs. If they never send any, they can never typo them. (Nor can they do anything silly with them, such as James describes.) Nor can I typo them, when copying them from email by hand or cut-and-pasting. If I rely solely on the single URL for them I entered -- very carefully, by hand, once -- then my chances of ever going to a phish/typosquatted site drop considerably.

To undercut this, an attacker would need to gain control of the place I've stored that URL, which would require gaining control of my computer, which would mean that there would be no need for them to bother sending me a phish, because they could just extract the URL/username/password triplet directly the next time I used it.

Moreover, if the bank trained all their customers in this -- just like they [try to] train them that they will never, ever ask for a password -- then they'd be training their customers to be phish-resistant, since they'd know that any message with a putative URL for the bank is a phish.

And if I might add something to that: one of the other ways to reduce the attack potential is to reduce the number of phish/typosquatted domains. (A quick check of my data indicates over a thousand just for Paypal, and I'm sure my list is far from complete.) Registrars, DNS providers, web hosts, ISPs, mail providers, etc. should all be using simple regular expression checks to vet new domains signing up for their services, and flagging for human review any that match.

---Rsk
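A registrar-side vetting check of the kind Rsk suggests at the end of the message, added here as an example; it is not part of the original post or the list archive. The brand list, the look-alike glyph table, the allowlist and the sample domains are constructed assumptions; matches are only flagged for human review, as the post proposes.

```python
import re

# Brands a registrar might protect (constructed sample list for this example).
BRANDS = ["paypal", "amex", "americanexpress"]

# The brand's own domains, which must never be flagged (assumed for the example).
ALLOWLIST = {"paypal.com", "americanexpress.com"}

# Letters commonly replaced by look-alike glyphs in typosquatted names; each
# maps to a character class accepting the real letter or its substitutes.
HOMOGLYPHS = {
    "a": "[a4@]", "e": "[e3]", "i": "[i1l|]", "l": "[l1i|]", "o": "[o0]",
    "s": "[s5$]", "t": "[t7+]", "g": "[g9]", "b": "[b8]",
}


def brand_pattern(brand: str) -> re.Pattern:
    """Regex matching `brand` with glyph substitutions and optional dots or
    hyphens between letters, so that 'paypa1' and 'pay-pal' both match."""
    parts = [HOMOGLYPHS.get(ch, re.escape(ch)) for ch in brand]
    return re.compile(r"[.-]?".join(parts), re.IGNORECASE)


PATTERNS = {b: brand_pattern(b) for b in BRANDS}


def vet_domain(domain: str) -> list:
    """Return the brands a new domain resembles; an empty list means no review.
    Short brands such as 'amex' will occasionally hit innocent names, which is
    why the result is a review queue rather than an automatic rejection."""
    d = domain.lower().rstrip(".")
    if d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST):
        return []
    return [b for b, pat in PATTERNS.items() if pat.search(d)]


def review_queue(domains) -> dict:
    """Map each flagged domain in a registration batch to the brands it mimics."""
    queue = {}
    for d in domains:
        hits = vet_domain(d)
        if hits:
            queue[d] = hits
    return queue


if __name__ == "__main__":
    # Constructed batch of new registrations; none of these are real sites.
    batch = ["paypa1-secure.example", "www.paypal.com", "pay-pal.example",
             "am3x.example", "unrelated.example"]
    for dom, brands in review_queue(batch).items():
        print(f"REVIEW {dom}: resembles {', '.join(brands)}")
```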