[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Fwd: [Full-disclosure] [HV-PAPER] Anti-Phishing Tips You Should
From:       "Anonymous Squirrel" <anonymous.squirrel () gmail ! com>
Date:       2006-03-31 23:30:46
Message-ID: 7f26752b0603311530k21537981h8be204ff13447bbb () mail ! gmail ! com
[Download RAW message or body]

On 3/31/06, Mike Nice <niceman@att.net> wrote:
>
> > http://www.hexview.com/sdp/node/24
> >
> > (Show this article to your computer-illiterate spouse to confuse him/her
> > even more :)
>
>    Better yet, do the right thing and implement Tip #4:  Go to the secure
> SSL login page of your bank.  Verify the URL.   Verify that the SSL
> certificate was issued to your bank by examining its properties.  Now
> bookmark the SSL page.  Tell your computer-illiterate spouse to *always* go
> to the bank login via favorites with the page you just bookmarked.  If there
> are any popup warnings from the browser [such as from certificate name
> mismatch], do no log in.   This catches all variations of Pharming,
> man-in-the-middle, and type-alike sites.   It offers no protection from
> local trojans/keyloggers.
>

I'll agree that Step #4 protects against one variant of the phish
attack.  But there are so many others:

1) Any different social engineering besides "login to your bank
account".  For example, "Chase will pay you $20 to fill out a short
survey!"  (of course, after filling out the survey you must provide
your debit card number or account login information to get the $20).
Another example is spoofing a retailer's site to get debit and credit
card information, or spoofing the IRS.

2) Any attack against the user's computer.  Keyloggers, software that
listens for an authenticated connection than inserts transactions,
host file alterations.

3) Any attack that spoofs the SSL cert box (The Codefish web site had
a good example...what ever happened to Codefish, anyway?...pharming,
MITM, and type-alike can fit in here, too)

Honestly, the only way to defeat phishing is to improve computer
configurations and managment, to educate users, and to allow only
smart users near the Internet.  None of those is likely to happen, so
we'll have to deal with phish forever.  That's just like in the
physical world.  After thousands of years, we still have people
performing con jobs.

-- Although I've found many nuts, I'm back to being anonymous,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]