Wednesday, November 03, 2004

Covert phishing
Even with your wits about you, it might be impossible to avoid the phishers, especially when they employ such devious tricks as this one. A script embedded in an innocent-looking email lies dormant until the next time you click your bookmark for your online bank, when it then redirects you to a fraudulent site. I'm not sure what defence there could be against this - there's no point when you as the user are failing to notice an attack. What this really makes me think is that it is going to become absolutely essential that a website can identify itself as being the genuine article, and that users can be reassured that what they see is what they want. There are two aspects to this. Firstly, we need better security certificate technologies in place so that websites can properly identify themselves, and secondly we need to know how best to represent this to users to gain their trust. But therein lies the problem: when we find out how to get users to trust legitimate sites, the fraudulent ones will start using the same techniques... if I had the answer to this I'm sure I'd be rich by now.

Comments:
If you're still allowing your emails to execute scripts then you really are asking for trouble; the simple defense against this problem is simply to disable scripts running from within emails - why in any case would anyone ever want an email to execute a script?
 

(c) 2003-2005 Russell Beale