Full Disclosure mailing list archives

Re: [HV-PAPER] Anti-Phishing Tips You Should Not Follow


From: "Mike Nice" <niceman () att net>
Date: Sat, 1 Apr 2006 01:13:48 -0500


1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).

This should be tip #5, back to the old 'don't click on anything from your bank in an E-mail - for any reason'.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...what ever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

Tip #4 works precisely because it defeats pharming, MITM and type-alike. The Cert box is nearly impossible to spoof because you would have to spoof the actual bank's certificate. Any error and your browser will pop up a warning dialog that the host name on the SSL cert doesn't match the name of the host. That's only assuming that some corrupt CA hasn't issued a second SSL cert for the real bank host name.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
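The reply above argues that the certificate check (tip #4) holds up against pharming, MITM and type-alike domains because the browser compares the host name the user typed against the names in the server's certificate and warns on any mismatch. The following is an added example, not part of the original post, that simulates exactly that comparison: it implements the RFC 6125 host-name matching rules browsers apply to subjectAltName dNSName entries and runs three constructed scenarios (legitimate site, type-alike domain, DNS poisoned to a host presenting some other valid certificate). The certificates are hand-built dictionaries standing in for parsed X.509 data; no real domains or certificates are involved.

```python
"""
Simulates the host-name check a browser performs against a server
certificate's subjectAltName (SAN) entries, following the RFC 6125 rules:
case-insensitive label comparison, and a wildcard allowed only as the
entire left-most label. Certificates here are constructed dictionaries,
not real X.509 objects (assumption for this example).
"""

# Constructed stand-ins for parsed certificates; only the SAN list matters here.
BANK_CERT = {"subject_cn": "www.examplebank.test",
             "san_dns": ["www.examplebank.test", "examplebank.test"]}
# A perfectly valid certificate for an unrelated hosting provider, the kind an
# attacker could legitimately obtain for infrastructure they control.
WILDCARD_CERT = {"subject_cn": "*.hosting.test",
                 "san_dns": ["*.hosting.test"]}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      - comparison is case-insensitive and ignores a trailing dot
      - '*' is accepted only as the whole left-most label, so
        "*.example.test" matches "www.example.test" but not "a.b.example.test"
      - partial-label wildcards such as "w*.example.test" are rejected
      - a wildcard needs at least two fixed labels after it
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        if len(rest) < 2 or not h_labels[0]:
            return False
        return rest == h_labels[1:]
    if "*" in pattern:
        return False  # wildcard somewhere other than a whole left-most label
    return p_labels == h_labels


def check_certificate_host(cert: dict, hostname: str) -> tuple:
    """Return (ok, reason), the decision a browser makes before either
    proceeding silently or showing a host-name mismatch warning."""
    names = cert.get("san_dns") or []
    if not names:
        # Modern browsers ignore the subject CN when no SAN entries exist.
        return False, "certificate has no subjectAltName dNSName entries"
    for name in names:
        if dns_name_matches(name, hostname):
            return True, f"hostname {hostname!r} matches SAN {name!r}"
    return False, f"hostname {hostname!r} matches none of {names}"


def run_scenarios() -> dict:
    """Three constructed situations from the thread; maps scenario -> ok flag."""
    return {
        # User types the real bank name and reaches the real bank.
        "legitimate": check_certificate_host(BANK_CERT, "www.examplebank.test")[0],
        # Type-alike: the phishing domain is presented with the bank's real
        # certificate (which the attacker cannot actually obtain a key for).
        "type_alike": check_certificate_host(BANK_CERT, "www.examplebank-secure.test")[0],
        # Pharming/MITM: DNS for the real name is poisoned; the attacker's host
        # can only present a certificate for names it controls.
        "pharming": check_certificate_host(WILDCARD_CERT, "www.examplebank.test")[0],
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario:>11}: {'no warning' if ok else 'BROWSER WARNING'}")
```

Only the legitimate scenario passes; the other two produce the mismatch warning the reply describes. What the check cannot do is detect the caveat at the end of the post: a certificate for the genuine host name issued by a mis-issuing CA would match perfectly, which is why CA trust (and today, Certificate Transparency logs) sits alongside host-name verification rather than being replaced by it.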