On 2/12/2012 1:19 PM, Rich Kulawiec wrote:
> On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
>> All recent email clients I've come across give you anti-phishing warnings in one way or another if the URL does not match the actual link.
> Which is great, but doesn't help you if the URL and the link are:
> http://firstnationalbank.example.com
> because a significant number of users will only see "firstnationalbank" and ".com".
> That's why I recommend that banks et al. don't put *any* URLs in their messages. If they make this an explicit policy and pound it into the heads of their customers that ANY message containing a URL is not from them, and that they should always use their bookmarks to get to the bank's site, then they're training their customers to be phish-resistant.
Yes, very true. I unfortunately see average people fall for these types of things all the time. Ultimately, the issue is getting the end user educated. However, I've also seen users get a message drilled into their heads for 10 years that an email admin will never ask for their passwords, yet they eagerly give them away to some random scammer that says they need their password or their account will be shut off, signed by "the email team"... and suddenly their email account is spewing spam from random IP addresses all over the net. <sigh>

The weakest link is ultimately the person behind the device. We're attempting to make technology fix stupid, which is often harder for the people designing the technology. They would never think sticking their hand down a garbage disposal is a good idea, but there are people out there that do this. :( Likewise, a person wouldn't click on a link if it's blatantly obvious the link doesn't point to the real web site, right? :) Obviously no. To be very effective, security design needs to assume the biggest threat to the security of anything is the person on the good side of the fence who will open the gate.

Lately, I get calls on a weekly basis from people trying to steal my credit card from me. If I have time I like to have fun with them, eating up their time so they have less of it to scam people who don't know any better. (Look on Youtube for people doing this. It's hilarious). These scammers have been around for at least 5 years or longer and nobody has yet fixed this problem, which is also astounding. As a result, customers who don't recognize the scam get their credit card whacked with random charges because they didn't think anything was wrong with giving away their credit card info and social security number to a random stranger who calls them and claims to be able to lower their interest rate.
So at the same time making people aware the real emails will not contain links, banks should be doing a better job telling people not to give away their credit card info to anyone in a situation similar to this. It should be better handled by all banks and companies in general as a global security education process. I don't believe it should be limited just to email or Internet related usage of the bank or company's resources. I'm probably not giving people enough credit, but social engineering is likely the most effective hacking technique that exists because it targets the weakest link and often works. That's currently the easiest thing to target because security has improved so much over the years on the technological end. I'm not sure about others, but the most prevalent security threats I see today are vastly different than the ones from ten to fifteen years prior.

-Vinny
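The two cases in the quoted exchange, as an added example that is not part of the original thread: a small Python check over the links in an HTML mail body that flags both a displayed-text/href mismatch (what mail clients already warn about) and a link whose text and href agree but whose registrable domain is not the bank's (the firstnationalbank.example.com case). TRUSTED_DOMAINS and the sample HTML are constructed for the example, and the registrable-domain rule is a naive stand-in for a Public Suffix List lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"firstnationalbank.com"}   # constructed policy for the example

def registrable_domain(host: str) -> str:
    # Naive "last two labels" rule; production code should use the Public Suffix
    # List, since this mis-handles suffixes such as co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_in_text(text: str):
    """Hostname if the visible anchor text looks like a URL or bare host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "//" + t).hostname

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list:
    """Return (href, text, findings) per link; empty findings means it looks fine."""
    parser = _LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        findings, href_host, shown = [], urlparse(href).hostname or "", host_in_text(text)
        if shown and shown != href_host:                   # what mail clients already flag
            findings.append("displayed host differs from href host")
        if registrable_domain(href_host) not in TRUSTED_DOMAINS:   # what they do not
            findings.append("lands on " + registrable_domain(href_host))
        results.append((href, text, findings))
    return results

# Constructed sample: classic mismatch, the lookalike from the thread, and a real link.
SAMPLE = ('<a href="http://evil.example.net/login">http://firstnationalbank.com</a>'
          '<a href="http://firstnationalbank.example.com">http://firstnationalbank.example.com</a>'
          '<a href="https://www.firstnationalbank.com/">www.firstnationalbank.com</a>')
```

Running `check_links(SAMPLE)` reports two findings for the first link, one ("lands on example.com") for the lookalike that a client-side URL/link comparison passes, and none for the genuine link.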