RE: (secure email) Proposal to anti-phishing

["Lyal Collins" <lyal.collins () key2it com au>]

Here's where this thread get interesting.

As a customer I don't want or need secure email with every bank in the
world, just the ones I've decided to trust with my money/future.
As a bank, I don't want to enable my customers with secure access to
competing banks (i.e. the global secure email model) - let my competitors
spend on acquiring the customer relationship instead of cannibalising the
benefits of my expenditure.

If, by enabling bank customers to reduce their phishing/fraud exposure, the
bank reduces it's losses, the phishing will move elsewhere to other baks,
who can choose to deal with the problem however they like.

In a few years/decades, there will re-emerge commercial pressures to allow a
level of globalness to secure email.
This doesn't mandate a single specification (unlike PGP or S/MIME).  It does
however, cater to groups of companies to agree to trust each other's
authenticaiton of their mutual customers (and internal staff) and thus
exchange secure emails to their mutual benefits.  A federated model, in
Liberty Alliance terms, applied to email.  
There are already analogies in email.  E.g. create an email in Outlook that
is sent to an Exchaneg Server, where its converted to SMTP, passes to
another mail server where it's converted to, say, Notes, then on-forwarded
to a recipient user.

Setting up this 'trusted' network is easy.  Banks, indeed, companies can do
this for their customers, without waiting for anyone else to do so.  On-Line
banking grew this way, without waiting for a global trusted network (which
the internet still isn't).  Growing trusted services from the ground up is a
lot easier that being hit by fraud and poor custoemr retention until the
whole world is ready to spend on an entire new 'trusted' infrastructure.  
'Big Bangs' no longer happen - internet is about emerging growth being found
acceptable  to the marketplace (reward = continued growth + experience  +
profit) or not (reward = experience)

Just some views

Lyal


> -----Original Message-----
> From: Michael Silk [mailto:michaelsilk () gmail com] 
> Sent: Monday, 24 January 2005 8:56 PM
> To: Lyal Collins
> Cc: webappsec () securityfocus com
> Subject: Re: (secure email) Proposal to anti-phishing
>
>
> You are talking about a secure email _network_, where only "trusted"
> people can send emails to members. (i.e: a private mailing list).
>
> You are suggesting a trusted system like this, right? And your
> argument is that non-trusteds (phishers) can't get in and send emails
> - fine, it may be true (depending on membership verification process).
>
> How does this list communicate with the outside world? Customers?
> Banks? ...? Do they have to become "trusted" too ? On what basis ?
> Email address? Certificate? Who manages all this trust? Whats the
> change-over timeframe to get the world onto this system as opposed to
> the current one ?
>
> I'm still a little confused as to what you are suggesting the solution
> (the pratical solution) is here... because setting up such a trusted
> network just isn't possible (and has been tried before, hasn't it ?)
>
> If your idea is just about having a way to trust specific peoples'
> messages (certificates) then fine, it's a system that would work on a
> positive basis (customer: "Yes, this is from my bank, because the
> little padlock is there..!") but not on a negative basis (customer:
> "Hmm, it says its from my bank, but there is no pad lock... I will
> click it anyway ... those banks, always stuffing things up.").
>
> Implemented with my idea[1] from a long time ago, however, it 
> could be neat :)
>
> But I still don't see your problem with Client-side certificates.
>
> -- Michael
> [1] 
> http://michaelsilk.blogspot.com/2004/11/article-solution-to-ph
> ishing.html
>
>
> On Mon, 24 Jan 2005 18:54:46 +1100, Lyal Collins
> <lyal.collins () key2it com au> wrote:
> > The attraction of secure emails are that 'phishers' have to 
> compromise every
> > recipient's mailbox/secure email solution in the world, 
> THEN launch a
> > phishing attack against customers of select bank in order 
> to get the rate of
> > return they do today.
> > This seems a much harder, and less profitable sequence a 
> phisher must go
> > through, which has a higher probability of detection and 
> convictability,
> > increasing deterrence and decreasing the phishers payback.
> >
> > Lyal
> >
> >
> > > -----Original Message-----
> > > From: Michael Silk [mailto:michaelsilk () gmail com]
> > > Sent: Monday, 24 January 2005 6:42 PM
> > > To: Lyal Collins
> > > Cc: webappsec () securityfocus com
> > > Subject: Re: (secure email) Proposal to anti-phishing
> > >
> > >
> > > Thats not really "Phishing" though, is it?
> > > (http://en.wikipedia.org/wiki/Phishing) It is on one hand 
> in that they
> > > are lured to the site, but they don't provide any 
> information, it is
> > > stolen from them by the malware.
> > >
> > > Sure, it's a problem that must be dealt with but to say 
> that client
> > > side certificates are useless due to that is silly because that
> > > (compromised system) is a problem _no matter what_ solution is
> > > implemented ("secure" emails).
> > >
> > > -- Michael
> > >
> > >
> > > Lyal said:
> > > > > -----Original Message-----
> > > > > From: Michael Silk [mailto:michaelsilk () gmail com]
> > > > > Sent: Monday, 24 January 2005 3:24 PM
> > > > > To: lyal.collins () key2it com au; webappsec () securityfocus com
> > > > > Subject: RE: (secure email) Proposal to anti-phishing
> > > > >
> > > > >
> > > > > Lyal said:
> > > > > > > The difference is that client-side SSL exists today in an
> > > > > industry
> > > > > > > standard platform independent manner that could 
> be effectively
> > > > > > > deployed. (management is a different issue that I 
> will be a
> > > > > > coward and
> > > > > > > ignore for now.)
> > > > > >
> > > > > > It's hard to see how changing the locaiton of a password
> > > > > > verification actually makes any difference to accountholder
> > > > > > security or phishing.
> > > > >
> > > > > Is it? Surely it's easy to see. Phishing requries the
> > > user to enter
> > > > > the password in a website. If they don't need to do 
> this (or only
> > > > > enter partial password) because of certificate, then 
> I think it's
> > > > > pretty easy to see how that is an advantage.
> > > >
> > > > Seen the newer generaitons of phishing, where going to the
> > > faked bank site
> > > > loads up the user's PC with spyware, keyloggers et al?
> > > >
> > > > Certificates are compromised as soon as any malware enters
> > > the machine -
> > > > which is useless in this phishing scenario.
> > > >
> > > >
> > > > > > > And then there's the pragmatic fact that people will pay
> > > > > Microsoft
> > > > > > > protection-racket funds for Microsoft 
> anti-spyware to protect
> > > > > > > themselves transparently in the background from the
> > > > > crappy software
> > > > > > > Microsoft *SOLD* them in the first place...and 
> they will do
> > > > > > this long
> > > > > > > before they'll use any of the "secure email"
> > > > > > > solutions today that require user interaction & thought.
> > > > > > >
> > > > > > > But I'm all for an global standard secure email 
> solution if
> > > > > > you happen
> > > > > > > to have one of those handy,
> > > > > >
> > > > > > Actually, my company does - if anyone wants to buy it.
> > > > >
> > > > > Global, is it? Who buys it then? How does it work? Care
> > > to share more
> > > > > details, because there is not much information on your
> > > site. Doesn't
> > > > > seem any different to what PGP would provide.
> > > > >
> > > > > It's also rather interesting that you claim it "encrypts"
> > > everything,
> > > > > but also analyses it for spam, viruses ... now just 
> how does it do
> > > > > that :) ?
> > > > >
> > > > > And what is "content checked". Seems far to "big brother" for
> > > > > my liking.