Shostack + Friends Blog Archive

 

Phishing

There’s a 3 page article in the Washington Post on phishing, the use of fake email and web sites to capture usernames and passwords. The phishers often target financial institutions.

Marcus Sachs, a former White House cyber-security adviser and current director of the SANS Internet Storm Center, said marketing departments at many banks do not heed their companies’ own advice. Too often, he said, banks send e-mails to customers offering balance transfers and other deals by asking them to click on a Web site link and enter their information.

“If the corporate policy is never to send e-mails that contain links to Web sites asking for your personal information then these businesses need to work harder to normalize their behavior so that consumers will know what’s abnormal,” Sachs said. “The fact is some banks still send out e-mails that look remarkably like phishing scams.”

This is very true, and I’d like to award a Golden Homer (“D’oh!”) to AT&T Wireless, who send out statements as large emails, with Javascript (and lord only knows what else), asking you to enter your social security number. There will be a custom virus that screws all AT&T Wireless customers because of this stupidity.

Sachs said online merchants, banks and credit card companies need to invest in technologies used by most European banks that require customers to use one-time “identity tokens” or smart cards — in addition to user names and passwords — to get their financial information over the Web.

This will be something of an improvement, it means that the phisher can’t come back later and execute an attack, but nothing in the current SSL system, or the SSL system plus tokens, certificates, or biometrics, prevents a “man in the middle” attack where the phishers take the one time token data, feed it to the web site, and steal money live.

This will be somewhat easier to detect, because the money is moving, but the phishing attacks will likely slow down, so that they’re not harvesting, storing and then using credentials, but “hunting and gathering” as they go.

Ian Grigg has done yeoman’s work on SSL and phishing.

Training companies to send a consistent message, and fining them when they deviate, would be a fine start, as Marcus Sachs said. But the real solutions require authenticating the server in a meaningful way.