
Re: [Asrg] How would SPF or Sender ID stopped this attack



Barry Shein <bzs at world.std.com> wrote:
> On July 30, 2004 at 19:40 sethb at panix.com (Seth Breidbart) wrote:
> > Barry Shein <bzs at world.std.com> wrote:
> > 
> > > I'd imagine the best that can be done against phishing would be
> > > something done at the website like you enter a unique username, not
> > > an acct or anything very interesting to a stranger, and the BANK
> > > (e.g.)  should come back with a piece of information set up
> > > previously. So I type in bzs in preparation to actually logging in
> > > and the website should respond with "HADDOCK" and then I proceed, if
> > > not, I'm suspicious.
> > 
> > What stops the phisher from passing your input to the bank and its
> > output back to you (that is, the classic man-in-the-middle attack)?
>
> A fine question, back to the drawing board. The bank only responding
> to that query via a secure connections could help which should be the
> case anyhow (yes I'm thinking out loud, but isn't that one of the
> design goals of secure web communications?)

Still not good enough: nothing stops the phisher from opening an https
connection to the bank.  The phisher can even get his own certificate
as "USBank-Security.com" so the sucker sees a "locked" connection.

If the victim is going to be a sucker, technological prevention just
doesn't work.

> But I suspect that sort of approach might yield better results than
> trying to clean up the email part of the con, for phishing
> specifically.

Combining all of them will help a little more than any one of them.

We need social solutions: "a few good hangings".

Seth

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
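The relay Seth describes, written out as a small simulation. This is an added example, not code from anyone on the thread: the bank, the user "bzs" with recognition word "HADDOCK", the password, and the hostnames are all constructed for the demonstration. It models three checks the victim performs (padlock, recognition word, login) and shows that a phisher who merely guesses the word is caught by the scheme, while a phisher who forwards the username to the real bank over its own HTTPS connection and echoes the answer back passes every check and still captures the password.

```python
"""Simulation of a man-in-the-middle relay against a "recognition word" scheme.

Hypothetical, constructed data: the bank, its user table, the phishing
domain and the victim's password are all made up for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed data: the per-user word agreed with the bank in advance,
# and the password the phisher actually wants.
BANK_SECRETS = {"bzs": "HADDOCK"}
BANK_PASSWORDS = {"bzs": "correct-horse"}


@dataclass
class Bank:
    """The real bank site: answers the pre-login challenge, then accepts a login."""
    hostname: str = "usbank.example"          # hypothetical bank domain
    logins: List[str] = field(default_factory=list)

    def challenge(self, username: str) -> Optional[str]:
        return BANK_SECRETS.get(username)

    def login(self, username: str, password: str) -> bool:
        ok = BANK_PASSWORDS.get(username) == password
        if ok:
            self.logins.append(username)
        return ok


@dataclass
class Phisher:
    """Look-alike site holding a valid certificate for its own domain.

    With relay_challenge=True it forwards the username to the real bank and
    returns the bank's answer verbatim (the attack in the thread). With
    relay_challenge=False it has to guess the word and the scheme catches it.
    """
    upstream: Bank
    hostname: str = "usbank-security.example"  # hypothetical phishing domain
    relay_challenge: bool = True
    captured: Dict[str, str] = field(default_factory=dict)

    def challenge(self, username: str) -> Optional[str]:
        if self.relay_challenge:
            return self.upstream.challenge(username)   # relay step 1
        return "COD"                                   # a guess; wrong here

    def login(self, username: str, password: str) -> bool:
        self.captured[username] = password             # the real prize
        return self.upstream.login(username, password)  # relay step 2, so the
                                                       # victim sees a normal login


def padlock_shown(site, typed_hostname: str) -> bool:
    """The browser's TLS check: certificate name matches the URL visited.

    The phisher passes this just as the bank does, because the phisher's
    certificate genuinely is for the phisher's domain.
    """
    return site.hostname == typed_hostname


def victim_session(site, typed_hostname: str, username: str,
                   password: str, expected_word: str) -> str:
    """The victim follows the scheme faithfully: padlock, word, then login."""
    if not padlock_shown(site, typed_hostname):
        return "refused: no padlock"
    if site.challenge(username) != expected_word:
        return "refused: wrong recognition word"
    return "logged in" if site.login(username, password) else "login failed"


def run_demo():
    """Return the outcome against the bank, a guessing phisher and a relaying one."""
    bank = Bank()
    guesser = Phisher(upstream=bank, relay_challenge=False)
    relayer = Phisher(upstream=bank, relay_challenge=True)
    direct = victim_session(bank, "usbank.example", "bzs", "correct-horse", "HADDOCK")
    guessed = victim_session(guesser, "usbank-security.example", "bzs", "correct-horse", "HADDOCK")
    relayed = victim_session(relayer, "usbank-security.example", "bzs", "correct-horse", "HADDOCK")
    return direct, guessed, relayed, guesser.captured, relayer.captured, bank.logins


if __name__ == "__main__":
    for label, value in zip(("direct", "guessing phisher", "relaying phisher",
                             "guesser captured", "relayer captured", "bank logins"),
                            run_demo()):
        print(f"{label}: {value}")
```

The guessing phisher is stopped at the recognition-word step and captures nothing; the relaying phisher is indistinguishable from the bank at every step the victim can observe, captures the password, and the bank records a perfectly ordinary login. Requiring HTTPS for the challenge changes nothing, since the relay runs its own HTTPS session to the bank.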