WebApp Sec
mailing list archives
Re: Article - A solution to phishing
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Tue, 30 Nov 2004 22:10:57 -0600
I would think that this would redirect the "phishing" to try to get
people to give up access to their email accounts instead. In
addition, it's ridiculously easy to sniff email.
2 cents,
Jimi
On Tue, 30 Nov 2004 14:57:20 +1100, Michael Silk <michaelsilk () gmail com> wrote:
(sorry to double-post ...)
Dave,
You suggest that the solution is to verify email addresses.
How often do you actually _look_ at the address, however? How often
would a user?
Most, if not all, mail clients will just display the name of the
person we are communicating with ... i.e. this will come from "Michael
Silk" but is actually a different account than the one I used to post
the original webappsec message. How many people noticed? Probably
no-one.
The point is that you don't need to spoof the _address_ (domain) to
trick users, you only need to spoof the _display name_ that appears.
-- Michael
-----Original Message-----
From: Dave Jevans [mailto:djevans () teros com]
Sent: Tuesday, 30 November 2004 6:35 AM
To: Mark Burnett; webappsec () securityfocus com
Subject: RE: Article - A solution to phishing
Email authentication to prevent spoofing of email addresses will solve
85% of phishing attacks in their current form. At the Anti-Phishing
Working Group we recommend a two-step adoption of SenderID/SPF and
then email signing (most likely with Yahoo's Domain Keys or an IIM
derivative). See more about this at
http://truste.org/about/authentication.php
Mark, you point out that authenticating a website to a consumer is
necessary. www.passmarksecurity.com has an interesting image-based
approach that requires no software or hardware on the end user
machine.
There are also a lot of things that can be done on the application
security side to detect and reduce phishing. These include:
- preventing cross-site scripting
- detecting load spikes
- preventing image referrals
- detecting NDN bounce floods
- detecting account takeovers
- detecting phishing site testing prior to attack launch
- application forensics
Dave
Night job: Chairman, Anti-Phishing Working Group. www.antiphishing.org
Day job: Sr. VP, Teros. www.teros.com
--
Thanks,
Jimi
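To make Michael's point concrete, here is an added example (not code from the thread or any of its authors) that parses a From: header and flags the display-name tricks he describes: a familiar name over an unfamiliar address, or an address embedded in the display name that differs from the real sender. The sample headers and the KNOWN_CONTACTS address book are constructed for the example.

```python
from email.utils import parseaddr
import re

# Constructed sample From: headers (not taken from the thread). The second and
# third mimic the trick Michael describes: a trusted-looking display name
# sitting in front of an unrelated sending address.
SAMPLE_FROM_HEADERS = [
    'Michael Silk <michaelsilk@gmail.com>',
    'Michael Silk <someone.else@example.net>',
    '"djevans@teros.com" <random123@mail.example.org>',
    'webappsec@securityfocus.com',
]

# Hypothetical address book: lower-cased display name -> addresses seen using it.
KNOWN_CONTACTS = {
    'michael silk': {'michaelsilk@gmail.com'},
    'dave jevans': {'djevans@teros.com'},
}

# Loose match for "something@domain.tld" inside free text such as a display name.
EMAIL_LIKE = re.compile(r'[\w.+-]+@[\w-]+(\.[\w-]+)+')


def check_from_header(header, known_contacts=KNOWN_CONTACTS):
    """Return the reasons a From: header looks like display-name spoofing.

    An empty list means nothing suspicious was found. Only the display name
    and address are inspected; SPF/DKIM results are out of scope here.
    """
    name, addr = parseaddr(header)
    if '@' not in addr:
        return ['no usable address']
    reasons = []
    addr_domain = addr.rsplit('@', 1)[-1].lower()
    # 1. The display name itself carries an address whose domain differs
    #    from the domain the mail was really sent from.
    m = EMAIL_LIKE.search(name)
    if m and m.group(0).rsplit('@', 1)[-1].lower() != addr_domain:
        reasons.append('display name carries a different address than the sender')
    # 2. A known contact's name arriving from an address we have never seen it use.
    known = known_contacts.get(name.strip().lower())
    if known is not None and addr.lower() not in known:
        reasons.append('known contact name from an unknown address')
    return reasons


def scan_headers(headers, known_contacts=KNOWN_CONTACTS):
    """Map each flagged header to its findings; clean headers are omitted."""
    flagged = {}
    for h in headers:
        reasons = check_from_header(h, known_contacts)
        if reasons:
            flagged[h] = reasons
    return flagged
```

Such a check only narrows the gap Michael points out; it catches headers that imitate a name the recipient already knows, not a display name the recipient has never seen before.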