WebApp Sec mailing list archives
RE: (not really a) Proposal to anti-phishing
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 24 Jan 2005 18:35:08 -0500
But IMHO, I think that HTML e-mail should be outlawed, period. That alone might go a long way to eliminating a lot of phishing schemes, especially the ones that rely on bugs in the MUA's HTML rendering engine to entice the victims.
I would vote for certain large software corporations to do a better job in QA before they release their email clients (and maybe filter out some bad design ideas too). But the point is that HTML e-mail isn't any more dangerous in and of itself than __important__ or **important**, except for poorly designed software. Fixing the software is Easy, taking away something that people like is Hard.

Besides, if HTML was removed from the equation, you'd still have crafty text email:

Dear Consumer, We here are Bank of America.. blah blah blah. We set up a special server for you to validate your account: http://www.malware.com/BankOfAmerica

People are easy to fool.

--
Michael Scovetta
Computer Associates
Senior Application Developer

-----Original Message-----
From: Rishi Pande [mailto:rishi.pande () gmail com]
Sent: Monday, January 24, 2005 3:08 PM
To: Wall, Kevin
Cc: Mike Andrews; webappsec () securityfocus com
Subject: Re: (not really a) Proposal to anti-phishing

I like the quiz but there is no data on participants. My whole point in finding who is more susceptible to phishing was to see if perhaps the online banking problem would solve itself after some years - as more and more young, internet-savvy users start using these services.

As much as I like Kevin's idea, it is difficult to recall something that users and corporations like just because of "security". As long as the profits from sending better looking emails are higher than the losses, corporations will be willing to take it.

Just my $0.02.

Rishi

On Jan 24, 2005, at 2:28 PM, Wall, Kevin wrote:
Mike Andrews writes...

I remember doing a quiz on phishing some time ago. After much digging, here's a link to the quiz (version 2):
http://survey.mailfrontier.com/survey/quiztest.html
Sorry, it doesn't give any results of the survey - perhaps someone could email the company and ask about the results, especially which ones people didn't get.

Of course, the "quiz" is pretty much useless. There are some obvious phishing attempts, but the few that look (are?) legitimate, one can't really tell because all they give you is an image, so you can't really see what the links are pointing to or do a 'view source', etc. Of course, the point should be one should ALWAYS go to the web site directly to type in the appropriate URL (if they know what it is; otherwise look up their site on a search engine and then type it in).

But IMHO, I think that HTML e-mail should be outlawed, period. That alone might go a long way to eliminating a lot of phishing schemes, especially the ones that rely on bugs in the MUA's HTML rendering engine to entice the victims.

-kevin wall
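The two lures the thread describes are (a) an HTML anchor whose visible text names one site while its href points at another, and (b) a plain-text URL that carries a brand name in the path while the actual host is unrelated, as in the Bank of America example above. The following is an added example of the mail-filter side check a defender could run over an inbound message body; it is not code from this thread or from any of the posters, the brand list and the two sample bodies are constructed for the example, and the "registrable domain" logic is a deliberately naive last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch list of brand tokens we expect only in a legitimate host.
BRANDS = ("bankofamerica",)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Anchor text that a reader would interpret as a destination address.
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com/x' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _brand_outside_domain(url, brands=BRANDS):
    """Flag a brand token that appears in the URL but not in its registrable domain."""
    host = host_of(url)
    base = ".".join(host.split(".")[-2:])  # naive: ignores public-suffix rules
    lowered = url.lower()
    return [("brand outside registered domain", b, url)
            for b in brands if b in lowered and b not in base]


def find_html_lures(html):
    """Findings for an HTML body: text/href host mismatch and misplaced brands."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if LOOKS_LIKE_URL.match(text) and host_of(text) != host_of(href):
            findings.append(("text/href mismatch", text, href))
        findings.extend(_brand_outside_domain(href))
    return findings


def find_text_lures(text):
    """Findings for a plain-text body: misplaced brand tokens in any URL."""
    findings = []
    for url in URL_RE.findall(text):
        findings.extend(_brand_outside_domain(url.rstrip(".,;:)")))
    return findings


# Constructed sample bodies modelled on the thread's example.
SAMPLE_HTML = ('<p>Validate your account: <a href="http://www.malware.com/BankOfAmerica">'
               'http://www.bankofamerica.com/login</a></p>')
SAMPLE_TEXT = ("Dear Consumer, We here are Bank of America. We set up a special server "
               "for you to validate your account: http://www.malware.com/BankOfAmerica.")

if __name__ == "__main__":
    for finding in find_html_lures(SAMPLE_HTML) + find_text_lures(SAMPLE_TEXT):
        print(finding)
```

The HTML check catches what Kevin Wall's quiz cannot show in a screenshot, the gap between what the anchor says and where it goes; the text check is the only one that applies to Scovetta's plain-text lure, and it produces a signal rather than a verdict, since a legitimate mailing from a third-party campaign host would trip it too.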
Current thread:
- RE: (not really a) Proposal to anti-phishing Evans, Arian (Jan 19)
- <Possible follow-ups>
- RE: (not really a) Proposal to anti-phishing Scott, Richard (Jan 23)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Mike Andrews (Jan 24)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Wall, Kevin (Jan 24)
- RE: (not really a) Proposal to anti-phishing Mike Andrews (Jan 24)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Scovetta, Michael V (Jan 24)