(sorry to double-post ...)
Dave,
You suggest that the solution is to verify email addresses.
How often do you actually _look_ at the adress, however ? How often
would a user ?
Most, if not all, mail clients will just display the name of the
person we are communicating ... i.e. this will come from "Michael
Silk" but is actually a different account then the one I used to post
the original webappsec message. How many people noticed? Probably
no-one.
The point is that you don't need to spoof the _address_ (domain) to
trick users, you only need to spoof the _display name_ that appears.
-- Michael
-----Original Message-----
From: Dave Jevans [mailto:djevans@teros.com]
Sent: Tuesday, 30 November 2004 6:35 AM
To: Mark Burnett; webappsec@securityfocus.com
Subject: RE: Article - A solution to phishing
Email authentication to prevent spoofing of email addresses will solve
85% of phishing attacks in their current form. At the Anti-Phishing
Working Group we recommend a two-step adoption of SenderID/SPF and
then email signing (most likely with Yahoo's Domain Keys or an IIM
derivative). See more about this at
http://truste.org/about/authentication.php
Mark, you point out that authenticating a website to a consumer is
necessary. www.passmarksecurity.com has an interesting image-based
approach that requires no software or hardware on the end user
machine.
There are also a lot of things that can be done on the application
security side to detect and reduce phishing. These include:
- preventing cross-site scripting
- detecting load spikes
- preventing image referrals
- detecting NDN bounce floods
- detecting account takeovers
- detecting phishing site testing prior to attack launch
- application forensics
Dave
Night job: Chairman, Anti-Phishing Working Group. www.antiphishing.org
Day job: Sr. VP, Teros. www.teros.com
