Re: [Asrg] where the message originated (was: DKIM role?) (SM)
At 13:55 19-01-2009, Rich Kulawiec wrote:
> That's an excellent point. In addition, I would prefer my bank to
> (a) not outsource their mail, (b) not send mail marked up with HTML
> (the phisher's best friend) and (c) not send mail which includes any
> URLs in the text.
The economy and specialization work in favor of (a) and marketing in
favor of (b).
> ( About (c): If they never send any, they can never typo them. Nor can I,
> when copying them from mail by hand or cut-and-pasting. If I rely
> solely on the single URL I entered -- very carefully, by hand, once --
> then my chances of going to a typosquatted site drop considerably.
> An attacker would need to gain control of the place I've stored that
> URL, which would require gaining control of my computer, which would
> mean that there would be no need for them to bother sending me a phish,
> since they could just extract the URL/username/password triplet directly
> the next time I used it.
We commonly see URLs in emails which are different from the site the
actual link points to. We live in an age of convenience. People
find it easier to click on a URL than to copy and paste or type in
the URL. It doesn't require a leap of imagination to see how all
this contributes to phishing.
It's difficult to counter (c) as business communication is centered
around how to get people to a web site as it's seen as a low-cost and
accessible medium to interact with the customer.
> Moreover, if the bank trained all their customers in this -- just like
> they [try to] train them that they will never, ever ask for a password
> -- then they'd be training their customers to be phish-resistant,
> since they'd know that any message with a putative URL for the bank
> is a phish. This in turn would discourage phishers, who would be presented
> with a reduced attack surface. Maybe. On a good day. See Chris's comment
Customers may have been trained not to give out their password if
they are asked (over the phone) but they are giving it out by logging
into a web site. If banks were to implement (c), then it does, as
you put it, reduce the attack surface.
> about educating users and recall Marcus Ranum's advice on that very topic:
> "If it were going to work, it would have worked by now". I concur that
> we need to attack this problem at the MTA and network layers, because
> by the time it gets to users, it's too late. )
Responding to Chris' comment, there isn't a feasible mechanism for
forcing end users to be smarter. Utilization of a technology should
not be an IQ test.
Don't read all this as saying that I don't agree with your
points. It's more about whether we are taking the right approach to
solve the problem. I agree that each time the problem gets to the
users, it's a disaster in waiting. One of the issues in dealing with
the problem at the MTA level is that we have to second guess the
user's desires and we can get it wrong.
> But banks (and other financial institutions) don't do this. It appears,
> if I can attempt to intuit their priorities from the methods and content
> of their email messages, that they are far more interested in marketing
> and assessing marketing effectiveness than they are in message privacy,
> security and integrity. I think if it were otherwise, then, among
> other things, PKI would have long since become widely deployed, and
> they wouldn't actively be training their customers to click on links
> in mail messages.
You hit the nail on the head there.
Regards,
-sm
_______________________________________________
Asrg mailing list
Asrg at irtf.org
http://www.irtf.org/mailman/listinfo/asrg