nanog mailing list archives
Re: Phishing (Was Re: WashingtonPost computer security stories)
From: Sean Donelan <sean () donelan com>
Date: Tue, 17 Aug 2004 02:37:05 -0400 (EDT)
> I'm thinking that Citibank will cease to be a target if they give (ok, it's a bank - sell) their subscribers a hardware token that requires presence of the ATM card when the customer wants to use online banking facilities... as several banks here in the Netherlands do.
This is a social engineering attack. As long as you can convince the user to cooperate, you can subvert technological counter-measures. When you add the ability to subvert the communication device (computer, telephone, etc.) it gets even more interesting. The scam may even occur in multiple parts using different forms of communication (email, web, fax, phone, mail) for different parts of the scam.

Yes, it is possible to subvert smartcards, one-time hardware tokens (SecurID), biometrics, etc. They are not just academic attacks, they have been successfully attacked in the wild. Brute force isn't needed when you can subvert other parts of the system, which includes the human.

Scams also use other mediums. Here is an example: http://www.fincen.gov/stoporder.pdf