[WEB SECURITY] what if phishing went away?

Matt Fisher mfisher at spidynamics.com
Wed Jul 26 01:49:01 EDT 2006


I don't know .... I'd imagine that the majority of phishing is backed by
just a few crime syndicates who are probably pretty well organized and too
agile to really delay too much with technology.  If it were hundreds or
thousands of independents then you could have a decent "wash out" effect
with tech fixes, but I think that the relatively centralized command and
control (this is an assumption) makes it easier to hit them in the
pocketbook (i.e. the laundering infrastructure) than elsewhere.


-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com] 
Sent: Tuesday, July 25, 2006 8:47 PM
To: Web Security
Subject: [WEB SECURITY] what if phishing went away?

I've been mulling over one of RSnake's recent blog entries:

http://ha.ckers.org/blog/20060724/firefox-20-anti-phishing-filter/

If browser-based antiphishing filters become widespread, will phishing
stop being profitable? Or will there be more clever phishing
techniques that evade the blacklists and the heuristics?  (How long
before the blacklists get DDOSed?)

And if the browser based filters make phishing an uneconomical scam,
will that make technologies like passmark, dynamic security skins, and
transactional authentication obsolete?

It seems like blacklists have an important role to play, but they
won't do much to prevent small, targeted, phishing-style attacks.  I'd
like to see improvements in web authentication UIs regardless.  I
could imagine a scenario where the major phishing attacks stop being
an issue because of blacklists.  At that point, a lot of the economic
incentive for improving web site authentication via other technologies
would vanish.

Admittedly, a world where phishing is too minor a problem to worry
about would be a nice problem to have.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

