WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Moksha Faced <mokshafaced () yahoo com>
Date: Mon, 17 Jan 2005 23:24:00 -0500
Lyal,You make several good points but I agree with many of the others posting on this thread, I don't believe it will ever happen unless the market demands it. As a former bank technocrat I can tell you that we had studied several of these ideas such as hardware tokens, watermarking, etc. but all of these ideas were dropped for various reasons (almost none of which were technical) but primarily due to a lack of doing anything that impeded the 'customer', including trying to secure them and their unmanaged client platforms (these were the prevailing management 'wisdom' winds at the time).
Worse of all, for anyone that's ever worked inside a large bank and can attest, the people that make these decisions are usually the least technically competent or qualified to make such a decision. I may be wrong but you are probably not going to 'get ahead' in a large bank by being technically bright, you only get ahead by 'riding the horse in the direction it's going' and that is usually the path of least resistance (i.e., the least secure path). The only way this momentum will change is if the market demands it and it drives the bankers to react to customers that INSIST the bank protect their accounts and privacy. You have to remember the bankers only want to do things that make themselves look good inside their oligarchies and until the data/metrics they are measured with includes a security driver it's just not going to happen.
So how do we educate the consumers and help them drive some market demand for some secure methods?
Warm regards, mf Lyal Collins wrote:
-----Original Message-----From: Rogan Dawes [mailto:discard () dawes za net] Sent: Saturday, 15 January 2005 3:05 AMTo: Rafael San Miguel Cc: webappsec () securityfocus com; Enrique.Diez () dvc es Subject: Re: Proposal to anti-phishing [snip] Please take a look at the thread that starts http://seclists.org/lists/webappsec/2004/Oct-Dec/0291.html and especially <http://seclists.org/lists/webappsec/2004/Oct-Dec/0347.html>where I explain why I believe SSL client certificates are really the only practical solution to preventing phishing.[snip] Well, there may be one other good option to stop phishing. If emails could be positively identified as coming from a customer's bank, then they could ignore those that don't authenticate as spam/phishing/fraud. Then if your bank doesn't provide this capability, you may decide to change to a bank that does provide authenticated, secured email comunications with its customers. Ltal
Current thread:
- RE: Proposal to anti-phishing, (continued)
- RE: Proposal to anti-phishing RSnake (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- RE: Proposal to anti-phishing Frank Knobbe (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Sam Koh (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing RSnake (Jan 15)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Cory Foy (Jan 23)
- Re: Data sanitization approaches in Java Jeff Williams (Jan 16)
- Re: Data sanitization approaches in Java Stephen de Vries (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)