Shostack + Friends Blog Archive

 

Don't Use Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.]

In his talk at Defcon, David Cowan talked about how he doesn’t bank online anymore. Banks are now facing the imminent destruction of their highest-bandwidth, lowest-cost way to interact with customers. Actually, it’s worse than that. Bankers are killing online banking by refusing to deal with the phishing problem.

Dealing with the phishing problem is so simple that I can’t see how to found a company to do it. Here it is, in 4 steps:

  1. No HTML email. HTML email opens all sorts of possibilities for hiding things. Train your users to expect short and simple messages.
  2. No links in email. Always refer to the bookmark you encourage users to create from their paper statements.
  3. All your websites must belong to you, and show up under your domain. Do not train users to treat other URLs as yours. If you train users that you send them to sites with names like “cb.pharmphr33.supersecure.com,” then you shouldn’t be surprised that they don’t get worried when they are phished there.
  4. Fire people who violate these rules. Give a substantial finder’s fee to the first person who reports the violation. Give the money to both employees/whistleblowers and customers.

Failure to follow these rules leads to a continuation of the arms race. The casualties are your brand, your customers, and your online banking service delivery. I’m told that Schwab is already following rules 1 and 2.
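Rules 1 to 3 are mechanical enough to check before a message leaves the building. The following Python linter is an added example, not code from the original post or from any bank’s mailer: it parses an RFC 5322 message with the standard library and reports an HTML part (rule 1, including the classic hiding trick of an anchor whose visible text is a URL on a different host than its href), any URL at all (rule 2), and any URL whose host is not the bank’s own domain or a label-boundary subdomain of it (rule 3). The domain `bigbank.example` and both sample messages are constructed for this example; the lookalike `www.bigbank.example.secure-users.net` has the shape of the phish URLs discussed in the comments.

```python
"""Outbound e-mail linter for rules 1-3 of the post (added example, not the post's code)."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

BANK_DOMAIN = "bigbank.example"   # constructed: the bank's single registrable domain
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, ignoring userinfo, port and trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def under_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it at a label boundary.

    A naive endswith(domain) would accept 'notbigbank.example'; the dot makes
    the check reject it, and 'www.bigbank.example.secure-users.net' fails
    because its registrable domain is secure-users.net, whatever its prefix.
    """
    return host == domain or host.endswith("." + domain)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def lint_message(raw: str, domain: str = BANK_DOMAIN) -> List[Tuple[int, str]]:
    """Return (rule number, detail) findings; an empty list means the mail is clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[Tuple[int, str]] = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                      # skip multipart containers and attachments
        body = part.get_content()
        if part.get_content_type() == "text/html":
            findings.append((1, "text/html part present"))
            collector = AnchorCollector()
            collector.feed(body)
            for href, text in collector.anchors:
                shown = URL_RE.search(text)   # visible text that looks like a URL
                if shown and host_of(shown.group(0)) != host_of(href):
                    findings.append((1, f"link text shows {host_of(shown.group(0))} "
                                        f"but points at {host_of(href)}"))
        for url in URL_RE.findall(body):
            host = host_of(url)
            findings.append((2, f"link present: {host}"))
            if not under_domain(host, domain):
                findings.append((3, f"link to host outside {domain}: {host}"))
    return findings


# Constructed samples: the first follows all three rules, the second breaks each.
CLEAN_MSG = """\
From: statements@bigbank.example
Subject: Your statement is ready
Content-Type: text/plain

Your June statement is ready. Sign in with the bookmark you created
from your paper statement to view it.
"""

BAD_MSG = """\
From: statements@bigbank.example
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Verify at http://q1.bigbank.example/s/r?l=123
or at http://www.bigbank.example.secure-users.net/login
--b1
Content-Type: text/html

<p>Please <a href="http://notbigbank.example/login">https://www.bigbank.example/login</a>
to verify.</p>
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_MSG), ("bad", BAD_MSG)):
        print(name, lint_message(raw) or "no findings")
```

The suffix check in `under_domain` is the whole of rule 3: `q1.bigbank.example` passes because it is a subdomain of the bank, while `www.bigbank.example.secure-users.net` and `notbigbank.example` fail. The URL pattern is deliberately simple, so links written without a scheme or otherwise obfuscated are not caught; rule 2 is still the backstop, since a policy of no links at all leaves nothing for the pattern to miss.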

Oh, incidentally, adding my name, social security number, pet’s name, or our special shared icon to the email does more harm than good. Please don’t.

(mmmm, airport wireless. Don’t get me started on how soon United Airlines should go bankrupt, which is Monday, right after I get home.)

14 comments on "Don't Use Email Like a Stupid Person"

  • sama says:

    How does the use of pet’s names and the like hurt? Isn’t part of the problem here that the bank asks you to authenticate yourself to it, but you have no means of authenticating the bank, of knowing that it really is the bank you’re speaking to. How should customers authenticate who they are speaking with?

  • Sama –
    You’re right that a good anti-phishing mechanism should allow customers to authenticate the bank. BUT: 1) Unencrypted email should not convey authenticators that are secret or valuable. 2) Customer-driven authentication requires active user verification, something that we may not want to count on. Security measures that use an “alert when bad” user interface are much more effective than a “make sure that a good thing is present” paradigm.
    There has been some interesting work on using picture recognition as an authenticator: the bank gives you some unique picture to look for in an email/sign-on/etc. Stanford’s TIPPI workshop in June had some good ideas: http://crypto.stanford.edu/TIPPI/program.html

  • Sama: pet’s names, hometowns, mothers’ maiden names and other security questions can be easily discovered by attackers.
    Remember Paris Hilton’s Sidekick and how all the photos she took with it were ‘liberated’ from T-Mobile’s site? Her account security question was the name of her pet.
    That little dog of Paris’ is almost as famous as she, so the attacker just had to have a little pop culture knowledge.
    Adam: moving to text email will be a challenge. Companies want to reinforce brand in their communications with customers. HTML lets the banks do it. And even if every firm switched to text-only email, we still have to educate non-technical users about how to read URLs.

  • Chris Walsh says:

    Isn’t UAL already bankrupt?

  • Seth Gordon says:

    Bankruptcy is too kind a fate for UAL. Their board of directors should be lined up before a firing squad on the tarmac of Denver International Airport.

  • hervey smoots says:

    Unfortunately, the “don’t put your banking software anywhere but on your server” thing might not work–I work for a company that makes this kind of software, and we (and many of our competitors) host the banking sites ourselves. We couldn’t do that if we had to have the software in their domain without having to do production moves on their web servers–not something that’s terribly acceptable to the banks for security reasons, understandably enough.

  • Hi Adam.
    On the subject of phishing, I am currently examining adding this as a new service in upcoming versions of our security suite software.
    You may know that:
    – IE 7 includes anti-phishing
    – MS has chosen a partner I’ve reviewed, Whole Security in Austin(http://www.wholesecurity.com/news/index.html)
    Of course, our solution will be browser independent due to my http proxy.
    By the way, I do have an RSS feed 😉
    http://bubbler.net/feeds/560399/notes.xml
    talk soon

    >We couldn’t do that if we had to have the software in their domain without having
    >to do production moves on their web servers
    On the internet, a “domain” doesn’t mean a server or hosting facility. “Domain” means “domain name”, as in the thing in the browser location bar, which is mapped to one or more IP addresses. The address is what’s tied to a server and/or physical hosting facility.
    Get the bank to set up a subdomain for you, like hostedappco.bigbank.com. That can be served by a separate name server you control, and has nothing at all to do with making you deploy your apps on their web servers. Then you can set http://www.hostedappco.bigbank.com to point at whatever server you like.
    Alternatively they could just point http://www.hostedapp.bigbank.com at your server’s IP address, which takes flexibility away from you (you can’t change your IP without co-ordinating the name change with them) but gives them a sense of security.

  • Clifton Royston says:

    Sorry, whoever told you Schwab is doing that is just plain wrong. I just reviewed my June email bulletin from them.
    1) It is in HTML. 2) It contains numerous direct links to the Schwab website. It teeters on the edge of violating 3) in that all the links are of the form http://q1.schwab.com/s/r?l=[suppressed]&m=[suppressed]. I suspect the q1 is delegated to Quris which is the mailer they outsource to. If you expect the average user to recognize that, for instance, q1.schwab.com (or http://www.hostedapp.bigbank.com) is legitimate but that http://www.schwab.com.secure-users.com is not, I think you are expecting vastly too much sophistication from them. I am already seeing some phishes using the latter style of URL.
    A broader problem is that this solution will work only to the extent that most users understand the difference between ASCII mail and HTML mail and can clearly distinguish between them – this will probably only be achieved if tens or hundreds of millions of users stop using Outlook Express. Then there’s the difficulty of simply convincing management at thousands of banks to listen to security authorities and ignore their marketing departments (who want to use HTML). Your proposal would greatly help – but it requires big changes in institutional and individual behavior. That’s not easy.

  • Extra says:

    The simplest security is to never respond to a URL in eMail.
    If my bank sends me a url to go to I ignore it and go to the secure URL I know. The same with email from my ISP, I go to their site and send a copy of the eMail. I assume that anyone asking me for confidential information is phishing.

  • Eleanor says:

    My bank doesn’t know my email address. They asked for it, but I refused to give it to them because they didn’t need it – they would have sent me my passcode etc. by snail mail anyway. That way, I know that every email I get from them is spam.

  • Iang says:

    You are right about the arms race, but the suggestions are only the beginning. The phishing thing is now institutionalised, and it is beyond the ability of bank sites to solve it. That’s been the case for about 1-2 years now.
    Which isn’t to say that those things on the list shouldn’t be done, but it’s fighting last year’s war.

  • jhlipton says:

    >If my bank sends me a url to go to I ignore it and go to the secure URL I know. The same with email from my ISP, I go to their site and send a copy of the eMail. I assume that anyone asking me for confidential information is phishing.
    Duh, yeah. That goes for all my accounts. If I get a mail from XYZ, I’ll navigate to XYZ’s home site, login, and track the message from there.
    I like getting reminders and receipts in my mail. Doesn’t mean I have to clicky-click on any of them!

  • “Preserving the Internet Channel Against Phishers”

    I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel…
