funsec mailing list archives

Re[2]: The end of Phishing in sight?


From: Pierre Vandevenne <pierre () datarescue com>
Date: Mon, 17 Oct 2005 22:25:21 +0200

Good Day,

Monday, October 17, 2005, 10:04:39 PM, you wrote:

VKve> the phisher can logon to the bank's website.  It doesn't do squat for phishers
VKve> that snag a credit card number and use that to order a bunch of stuff,

True, but that's credit card security, not web banking security. I've
had to revoke three cards since 1994. Two of them after well publicized
hacks (one of them was CDUniverse, the other one the recent big fraud
whose name escapes me right now), one of them after a supposedly
respectable company, recently mentioned here btw, abused it
intentionally. I am sure phishing plays a role here, but I am not
sure it has a lot of impact compared to the early "cc generators" or
the big leaks mentioned above. Exact stats are hard to come by anyway.

VKve> phishers that snag a checking account number and use that to do something
VKve> devious, or phishers that snag an SSN and use it to...

Those things aren't a problem in Europe. ID theft is essentially a
non-issue at this point. I'd say the problem is not only technical... but
socio-cultural. I haven't seen a Belgian check in the last seven years
for example.

VKve> Ah hell.. What percent of the time *do* the phishers turn around
VKve> and actually  login to the bank's website? ;)

Who knows. But I certainly don't want them to do that with mine. The
damage would potentially be a few orders of magnitude bigger than with
my CC.

VKve> the first 6 months we'll see at least one bank will deploy
VKve> something meeting

Ultimately, I am willing to bet most of them will.

VKve> the rules as written, but still totally vulnerable to a MITM attack).

That's the "cream pie" of IT security. Mention any protocol and get
the "is it vulnerable to a MITM attack?" answer. Then receive a wide
gamut of answers from people who once understood the math, but don't
quite remember it... and who don't know the details of the protocol...

But then suspecting it is vulnerable is always a safer bet than the
opposite ;-)


-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

