WebApp Sec mailing list archives

RE: Article - A solution to phishing


From: Michael Silk <michaelsilk () gmail com>
Date: Tue, 30 Nov 2004 14:57:20 +1100

(sorry to double-post ...)

Dave,

 You suggest that the solution is to verify email addresses.

 How often do you actually _look_ at the address, however? How often
would a user?

 Most, if not all, mail clients will just display the name of the
person we are communicating ... i.e. this will come from "Michael
Silk" but is actually a different account than the one I used to post
the original webappsec message. How many people noticed? Probably
no-one.

 The point is that you don't need to spoof the _address_ (domain) to
trick users, you only need to spoof the _display name_ that appears.

-- Michael

-----Original Message-----
From: Dave Jevans [mailto:djevans () teros com] 
Sent: Tuesday, 30 November 2004 6:35 AM
To: Mark Burnett; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing


Email authentication to prevent spoofing of email addresses will solve
85% of phishing attacks in their current form.  At the Anti-Phishing
Working Group we recommend a two-step adoption of SenderID/SPF and
then email signing (most likely with Yahoo's Domain Keys or an IIM
derivative).  See more about this at
http://truste.org/about/authentication.php

Mark, you point out that authenticating a website to a consumer is
necessary.  www.passmarksecurity.com has an interesting image-based
approach that requires no software or hardware on the end user
machine.

There are also a lot of things that can be done on the application
security side to detect and reduce phishing.  These include:
 - preventing cross-site scripting
 - detecting load spikes
 - preventing image referrals
 - detecting NDN bounce floods
 - detecting account takeovers
 - detecting phishing site testing prior to attack launch
 - application forensics

Dave

Night job: Chairman, Anti-Phishing Working Group.  www.antiphishing.org
Day job:   Sr. VP, Teros.  www.teros.com

