
| Subject: | RE: (not really a) Proposal to anti-phishing |
|---|---|
| Date: | Wed, 19 Jan 2005 11:14:09 -0600 |
Without getting in a technical debate - I don't think any technical solution exists for the social problem that we have. That is, it does not matter what solutions are in place, if users are willing to give out personal information without thinking of the context they are giving it then there isn't much hope.

For example, for the phishing attempts I have seen, web sites are used to trick the user that an order has been cancelled or some sort of process is on hold. To release the order for delivery, or to correct information, the user is asked to enter in information. Now, why would a web site that sells goods and services ask for my Bank account PIN? Why would I enter in my SSN to a site that does not need it, or to a site I have never visited? Why would I give out my mother's maiden name?

There are two problems I see that need to be corrected:

(1) Users give out too much personal information without good justification. Users should be educated in giving out information.

(2) Corporations need to stop residing on certain data elements for authentication. Why on earth do financial and health institutions ask for the last 4 digits of an SSN - when the last four digits are more readily available than the full number. The logic just doesn't make sense.

The three simple concepts, education, awareness and better use of data, will do more to prevent phishing than an expensive security mechanism. Obviously, there may be some phishing scams that involve, for example, bank web sites etc. But if banks went on record to state they would never solicit information using that medium, we simply just communicate that to the population.

<End Rant>

Cheers,
Richard