[WEB SECURITY] what if phishing went away?

Andre Maisonneuve Andre.Maisonneuve at validian.com
Wed Jul 26 09:15:17 EDT 2006


In order for phishing to be profitable, it has to target individuals or organizations where information or money can be stolen.
It seems odd that if such individuals or organizations are at serious risk of having information or funds stolen, they still use unsecured, browser-based mechanisms to exchange data.
Good products do exist to prevent phishing, and it seems to me that it is only prudent management to implement them for any sensitive information exchanges. With such products, both the sender and the receiver of data are authenticated and they cannot be impersonated by third parties. Furthermore, the applications they use for these exchanges are also authenticated and cannot be impersonated.
Using already available secure message and file exchange systems in a systematic manner will go a long way to protect information and make data exchanges immune to phishing attacks.
Andre
 

________________________________

From: Matt Fisher [mailto:mfisher at spidynamics.com]
Sent: Wed 26/07/2006 1:49 AM
To: Brian Eaton; Web Security
Subject: RE: [WEB SECURITY] what if phishing went away?



I don't know... I'd imagine that the majority of phishing is backed by
just a few crime syndicates who are probably pretty well organized and too
agile to really be delayed too much by technology. If it were hundreds or
thousands of independents then you could have a decent "wash out" effect
with tech fixes, but I think that the relatively centralized command and
control (this is an assumption) makes it easier to hit them in the
pocketbook (i.e. the laundering infrastructure) than elsewhere.


-----Original Message-----
From: Brian Eaton [mailto:eaton.lists at gmail.com]
Sent: Tuesday, July 25, 2006 8:47 PM
To: Web Security
Subject: [WEB SECURITY] what if phishing went away?

I've been mulling over one of RSnake's recent blog entries:

http://ha.ckers.org/blog/20060724/firefox-20-anti-phishing-filter/

If browser-based anti-phishing filters become widespread, will phishing
stop being profitable? Or will there be more clever phishing
techniques that evade the blacklists and the heuristics? (How long
before the blacklists get DDoSed?)

And if the browser-based filters make phishing an uneconomical scam,
will that make technologies like passmark, dynamic security skins, and
transactional authentication obsolete?

It seems like blacklists have an important role to play, but they
won't do much to prevent small, targeted, phishing-style attacks. I'd
like to see improvements in web authentication UIs regardless.  I
could imagine a scenario where the major phishing attacks stop being
an issue because of blacklists.  At that point, a lot of the economic
incentive for improving web site authentication via other technologies
would vanish.

Admittedly, a world where phishing is too minor a problem to worry
about would be a nice problem to have.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



