WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Tue, 30 Nov 2004 22:10:57 -0600
I would think that this would redirect the "phishing" to try to get people to give up access to their email accounts instead. In addition, it's ridiculously easy to sniff email.

2 cents,
Jimi

On Tue, 30 Nov 2004 14:57:20 +1100, Michael Silk <michaelsilk () gmail com> wrote:
(sorry to double-post ...)

Dave,

You suggest that the solution is to verify email addresses. How often do you actually _look_ at the address, however? How often would a user? Most, if not all, mail clients will just display the name of the person we are communicating with ... i.e. this will come from "Michael Silk" but is actually a different account than the one I used to post the original webappsec message. How many people noticed? Probably no-one.

The point is that you don't need to spoof the _address_ (domain) to trick users, you only need to spoof the _display name_ that appears.

-- Michael

-----Original Message-----
From: Dave Jevans [mailto:djevans () teros com]
Sent: Tuesday, 30 November 2004 6:35 AM
To: Mark Burnett; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing

Email authentication to prevent spoofing of email addresses will solve 85% of phishing attacks in their current form. At the Anti-Phishing Working Group we recommend a two-step adoption of SenderID/SPF and then email signing (most likely with Yahoo's Domain Keys or an IIM derivative). See more about this at http://truste.org/about/authentication.php

Mark, you point out that authenticating a website to a consumer is necessary. www.passmarksecurity.com has an interesting image-based approach that requires no software or hardware on the end user machine.

There are also a lot of things that can be done on the application security side to detect and reduce phishing. These include:
- preventing cross-site scripting
- detecting load spikes
- preventing image referrals
- detecting NDN bounce floods
- detecting account takeovers
- detecting phishing site testing prior to attack launch
- application forensics

Dave

Night job: Chairman, Anti-Phishing Working Group. www.antiphishing.org
Day job: Sr. VP, Teros. www.teros.com
-- Thanks, Jimi
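A receiving-side check for the display-name trick Michael describes (a familiar name arriving from an unfamiliar address, or a display name that itself looks like an address on another domain). This is an added example, not code from any poster or from the list; the address book and the sample headers are constructed for illustration.

```python
"""Flag From: headers whose display name disagrees with the actual address."""
import re
from email.utils import parseaddr

# Something that looks like user@domain inside the display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")

# Constructed address book: lower-cased display name -> addresses seen before.
KNOWN_CONTACTS = {
    "michael silk": {"michaelsilk@example.com"},
    "dave jevans": {"djevans@example.org"},
}


def check_from(header, known=KNOWN_CONTACTS):
    """Return a list of warnings for one From: header (empty list = nothing odd)."""
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    name, addr = parseaddr(value.strip())
    if "@" not in addr:
        return ["unparseable or missing address"]
    domain = addr.rsplit("@", 1)[-1].lower()
    warnings = []

    # 1. Display name that is itself an address, but on a different domain.
    m = ADDR_IN_NAME.search(name)
    if m and m.group(0).rsplit("@", 1)[-1].lower() != domain:
        warnings.append(f"display name claims {m.group(0)} but address is {addr}")

    # 2. Familiar display name arriving from an address never seen for that name.
    seen = known.get(name.strip().lower())
    if seen is not None and addr.lower() not in seen:
        warnings.append(f"name {name!r} previously used {sorted(seen)}, now {addr}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not taken from the archived messages.
    samples = [
        'From: "Michael Silk" <michaelsilk@example.com>',
        'From: "Michael Silk" <other.account@example.net>',
        'From: "support@bank.example" <attacker@example.net>',
        "From: Dave Jevans <djevans@example.org>",
    ]
    for h in samples:
        print(h, "->", check_from(h) or "ok")
```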