funsec mailing list archives

Re: The end of Phishing in sight?


From: Valdis.Kletnieks () vt edu
Date: Mon, 17 Oct 2005 17:14:42 -0400

On Mon, 17 Oct 2005 16:22:24 EDT, Chris Buechler said:

The official FIL is here: 
http://www.fdic.gov/news/news/financial/2005/fil10305.html

Thanks muchly.  Somebody needs to be slapped silly, but it isn't the FDIC.

The FIL is *very* careful to say nothing more than "it's dangerous out there,
you probably need to verify your users better".  In fact, the only mention of
phishing in the whole 14-page PDF is in this paragraph:

"The agencies consider single-factor authentication, as the only control
mechanism, to be inadequate for high-risk transactions involving access to
customer information or the movement of funds to other parties. Single-factor
authentication tools, including passwords and PINs, have been widely used for a
variety of Internet banking and electronic commerce activities, including
account inquiry, bill payment, and account aggregation. However, financial
institutions should assess the adequacy of such authentication techniques in
light of new or changing risks such as phishing, pharming, malware, and the
evolving sophistication of compromise techniques. Where risk assessments
indicate that the use of single-factor authentication is inadequate, financial
institutions should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks."

OK.. Got that? FDIC didn't think it was stopping phishing - all it thought it
was doing was requiring better authentication on websites.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
