Shostack + Friends Blog Archive


What Is Phishing

In conversation with a friend, I realized that my essay, “Preserving the Internet Channel Against Phishers” didn’t actually explain the problem. I made the assumption that everyone had the same perception of what it was. (Why didn’t anyone point that out?) So I’ve added the following (after the break), and I think the resultant essay is much improved.

First, let's look at what phishing is. There are many technical answers, but the core of phishing is that people are drawn to a website, mistakenly thinking it belongs to a company that they trust. There are a couple of core elements here. The first is the phishing email. These can be bulk or targeted. Criminals use exactly the same mail merge technology companies use, and will insert any details they can: name, address, account number (or last 4 thereof), SSN (or last 4), your logo or copyright statements, etc. All of this is designed to convince the user that it's ok to click on the link to visit the bank. That's crucial, because without that feeling that it's ok to click, the victim will not end up at the fraudster's site.

So that is where we must concentrate our defense. We need to prevent the victim from feeling that it's ok to click on the link. But how? SSL–the little padlock–doesn't help. Anyone can buy a cert for cb.pharmphr33.supersecure.com if they operate that domain. It's easy. Almost anything you can do in an email, the fraudster can duplicate.
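As an added example (not from the post), here is a defender-side check that applies the point above: ignore the padlock and look only at the registrable domain behind every link in an HTML mail. TRUSTED_DOMAINS, the sample lure and the naive "last two labels" domain rule are constructed assumptions for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the registrable domains the bank actually owns.
TRUSTED_DOMAINS = {"examplebank.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive "last two labels" rule; production code would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Flag links whose registrable domain the bank does not own.
    The https padlock is ignored on purpose: a valid certificate for a
    look-alike host proves only that whoever runs that host controls it."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue
        host = url.hostname or ""
        domain = registrable_domain(host)
        if domain in trusted:
            continue
        reasons = [f"registrable domain is {domain}, not a trusted one"]
        if any(t in text.lower() for t in trusted):
            reasons.append("visible link text names a trusted domain")
        if any(t.split(".")[0] in host.split(".") for t in trusted):
            reasons.append("trusted brand name used only as a subdomain label")
        findings.append((href, reasons))
    return findings

# Constructed sample: a lure whose link text says the bank but points at a look-alike host.
SAMPLE = ('<a href="https://examplebank.supersecure-login.example/verify">'
          'www.examplebank.com</a> <a href="https://www.examplebank.com/help">Help</a>')
```

Running `suspicious_links(SAMPLE)` flags only the first link, with all three reasons, while the genuine help link passes.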

And so there lies the key. Use the several established channels you have in concert. Use the customer as an ally. Move them away from clicking links to selecting bookmarks.

One comment on "What Is Phishing"

  • The first line of defense is to use anti-spam software. This helps in reducing the chance of getting the email in the first place.
    After that, I think we can agree that anything we can try (education of users, email validation, etc.) will probably get bypassed by fraudsters.
    So a form of URL validation is a good second line of defense, as with IE7.
    I know of three ‘black list’ providers, WholeSecurity in Texas (bought by Symantec), Anti Phishing Working Group (California I think) and fraudwatch international (Australia).
    Ultimately perhaps some fundamental Internet change in domain accountability will be required, perhaps pushed ahead by credit card companies themselves.
