funsec mailing list archives

Re: Nordea Sweden shuts Internet banking due to targeted phishing


From: jm () jmason org (Justin Mason)
Date: Tue, 04 Oct 2005 17:55:05 -0700

Blue Boar writes:
> Drsolly wrote:
> > Banks could fix the phishing problem if they had the incentive. It isn't
> > bad enough yet to make them want to fix it.
>
> I wonder whether it can be solved.  The fundamental problem is that
> people can be tricked into going to a web site that looks like something
> they use, and putting in their creds.  That's set of people A.  You can
> change the legitimate site such that there is something noticeably
> different about the legitimate site that some people can notice and pay
> attention to.  Call this set of people B.  How much intersection is
> there between sets A and B?

Depends, in my opinion, on the degree of change made to the legit site,
and its practices.  If they carry on treating the web and email as another
marketing channel, with HTML-heavy newsletters sent via SMTP through
outsourced mass-mailing companies, it's a lost cause.

See:

- John Levine's "Phish or Phair" tests -- good luck telling the "real
  deal" from the phishes: http://weblog.taugh.com/phish1.html ,
  http://weblog.taugh.com/phish2.html .

- Adam Shostack's _Preserving the Internet Channel Against Phishers_,
  http://www.homeport.org/~adam/phishing.html , in which he gives
  4 simple steps that *will* fix the problem.

--j.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

