funsec mailing list archives

Re: The end of Phishing in sight?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 18 Oct 2005 10:35:50 +1300

Jim Murray wrote:

> In this age of bot-riddled machines, will this really raise the bar that
> much?

Of course not.

> I fear we'll see a temporary lull while the phishers adapt followed by a
> massive wave of 'impossible' fraud when they figure out how to beat the
> system.

Yep -- temporary probably equals a few weeks.

The real art of making such a prediction though is guesstimating at 
what level of adoption, within each institution, the phishers will 
"feel the bite" and "be forced" to bite back.

> Anyone care to bet how long it'll be till we see the first
> 'resynchronise your token' trojan being sent out?

Very shortly after the phishers feel the bite...

This is the guts of why SPF _and all other weak "sender authentication" 
schemes_ suck so badly as anti-spam measures -- initial adoption seems 
to be greatly beneficial because so little current spam is SPF-
compliant, but absolutely trivial changes to the masses of spam-bots 
out there can render them all fully SPF/etc-compliant, making SPF/etc 
_totally useless_ as anti-spam measures "overnight" (the update cycle 
of the spambots).

Of course, few banking customers will trust the tokens once they are 
perceived to be broken so the phishers will probably rack up the level 
of fraud per incident once they start targeting such systems because 
the value of each catch will be much greater.

Then, all the gullible, "too stupid to own a computer" types will go 
back to visiting the branches in person and the world will be a better 
place...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
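Nick's point about SPF above is easy to see with a toy evaluator. What follows is an added example, not code from the original post or from any real SPF implementation: a minimal evaluator for the ip4, ip6, include and all mechanisms of an SPF record, with DNS replaced by a constructed table of TXT records. The domains bank.example, spamco.example, bots.example, lazy.example and every IP range below are illustrative assumptions. A bot forging the bank's envelope sender fails SPF, but the same bot sending from a sender domain whose record lists the bot's address range, or whose record is simply "+all", passes: SPF only says which hosts a domain owner has authorised, it says nothing about whether that owner is a spammer.

```python
"""Toy SPF evaluator showing why a 'pass' is not an anti-spam signal.

Added example for illustration. DNS is replaced by a constructed dict of
TXT records; every domain and address range here is made up.
"""
import ipaddress

# Constructed TXT records (assumption: illustrative domains and ranges only).
DNS_TXT = {
    # The bank authorises only its own /24 and hard-fails everything else.
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A spammer-owned domain whose record lists the ranges its bots sit in.
    "spamco.example": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ~all",
    # A second spammer domain that just includes the first one's record.
    "bots.example": "v=spf1 include:spamco.example -all",
    # The laziest possible record: every host on the internet passes.
    "lazy.example": "v=spf1 +all",
}

# SPF qualifier prefixes and the result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Stand-in for a DNS TXT lookup; returns None when the domain has no record."""
    return DNS_TXT.get(domain.lower())


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `ip`.

    Supports the ip4, ip6, include and all mechanisms with all four
    qualifiers. Unsupported mechanisms yield 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; guard include loops
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # ipaddress returns False for a v4 address tested against a v6 net.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced domain's record passes.
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr etc. not modelled here
    return "neutral"  # record exhausted without a match (RFC 7208 section 4.7)


def spf_result(sending_ip, envelope_from):
    """SPF result for a message with the given MAIL FROM and connecting IP."""
    domain = envelope_from.rsplit("@", 1)[-1]
    return check_host(sending_ip, domain)


def demo():
    """Same bot IP, three envelope senders: forged, adapted, and '+all'."""
    bot_ip = "203.0.113.7"  # constructed: an address inside a bot-infested range
    forged = spf_result(bot_ip, "alerts@bank.example")     # bot forges the bank
    adapted = spf_result(bot_ip, "alerts@spamco.example")  # bot uses spammer's domain
    lazy = spf_result(bot_ip, "alerts@lazy.example")       # '+all' record
    return forged, adapted, lazy


if __name__ == "__main__":
    for label, result in zip(("forged bank sender", "spammer's own domain", "+all"), demo()):
        print(f"{label:22s} -> {result}")
```

The only change the bot operator needs to make to go from the first result to the second is the envelope sender domain, which is exactly the "absolutely trivial change" to the spam-bots that the post describes. For real mail, use an RFC 7208 implementation that performs live DNS lookups rather than this table-backed toy.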

