WebApp Sec mailing list archives
RE: (secure email) Proposal to anti-phishing
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Wed, 19 Jan 2005 19:27:51 +1100
[snip]
[snip] Well, there may be one other good option to stop phishing. If emails could be positively identified as coming from a customer's bank, then they could ignore those that don't authenticate as spam/phishing/fraud. The difference is that client-side SSL exists today in an industry standard platform independent manner that could be effectively deployed. (management is a different issue that I will be a coward and ignore for now.)
It's hard to see how changing the location of a password verification actually makes any difference to accountholder security or phishing.
"secure email"....what is that? It doesn't exist is the problem, unless you want to talk about a specific software package or one of the "secure email portal" solutions (hosted or device). Those aren't any more reasonable than a token.
Corporate-acceptable secure email is easier to deploy as a) the accountholder already has an email address (ISPs provide mail boxes in addition to browsing access) and a password for that email service; and b) the accountholder has an authenticate-able business relationship with the bank/corporation. Note - this excludes PGP and S/MIME, for the obvious reasons.
Kiosk. Airport or hotel shared system, etc. Are you going to carry around your thumb drive and install PGP and your keyring on every system you use if they let you?
Is anyone expected to trust an email received on untrusted shared access devices? Note: PGP != secure email to most businesses, nor is S/MIME.
And then there's the pragmatic fact that people will pay Microsoft protection-racket funds for Microsoft anti-spyware to protect themselves transparently in the background from the crappy software Microsoft *SOLD* them in the first place...and they will do this long before they'll use any of the "secure email" solutions today that require user interaction & thought. But I'm all for a global standard secure email solution if you happen to have one of those handy,
Actually, my company does - if anyone wants to buy it. Lyal
Arian