[WEB SECURITY] what if phishing went away?

RSnake rsnake at shocking.com
Wed Jul 26 11:53:26 EDT 2006


Instead of spamming the list, I wrote my thoughts (reactions to the
comments made here) on the blog:

http://ha.ckers.org/blog/20060726/phishing-domainkeys-laundering-oh-my/

-RSnake
http://ha.ckers.org/
http://ha.ckers.org/xss.html
http://ha.ckers.org/blog/feed/

On Wed, 26 Jul 2006, Andre Maisonneuve wrote:

> In order for phishing to be profitable, it has to target individuals or organizations where information or money can be stolen.
> It seems odd that if such individuals or organizations are at serious risk of having information or funds stolen, they still use un-secured, browser-based mechanisms to exchange data.
> Good products do exist to prevent phishing and it seems to me that it is only prudent management to implement them for any sensitive information exchanges. With such products, both the sender and the receiver of data are authenticated and they cannot be impersonated by third parties. Furthermore, the applications they use for these exchanges are also authenticated and cannot be impersonated.
> Using already available secure message and file exchange systems in a systematic manner will go a long way to protect information and make data exchanges immune to phishing attacks.
> Andre
>
>
> ________________________________
>
> From: Matt Fisher [mailto:mfisher at spidynamics.com]
> Sent: Wed 26/07/2006 1:49 AM
> To: Brian Eaton; Web Security
> Subject: RE: [WEB SECURITY] what if phishing went away?
>
>
>
> I don't know .... I'd imagine that the majority of phishing is backed by
> just a few crime syndicates who are probably pretty well organized and too
> agile to really delay too much with technology.  If it were hundreds or
> thousands of independents then you could have a decent "wash out" effect
> with tech fixes, but I think that the relatively centralized command and
> control (this is an assumption) makes it easier to hit them in the
> pocketbook (i.e. the laundering infrastructure) than elsewhere.
>
>
> -----Original Message-----
> From: Brian Eaton [mailto:eaton.lists at gmail.com]
> Sent: Tuesday, July 25, 2006 8:47 PM
> To: Web Security
> Subject: [WEB SECURITY] what if phishing went away?
>
> I've been mulling over one of RSnake's recent blog entries:
>
> http://ha.ckers.org/blog/20060724/firefox-20-anti-phishing-filter/
>
> If browser-based antiphishing filters become widespread, will phishing
> stop being profitable? Or will there be more clever phishing
> techniques that evade the blacklists and the heuristics?  (How long
> before the blacklists get DDOSed?)
>
> And if the browser based filters make phishing an uneconomical scam,
> will that make technologies like passmark, dynamic security skins, and
> transactional authentication obsolete?
>
> It seems like blacklists have an important role to play, but they
> won't do much to prevent small, targeted, phishing-style attacks.  I'd
> like to see improvements in web authentication UIs regardless.  I
> could imagine a scenario where the major phishing attacks stop being
> an issue because of blacklists.  At that point, a lot of the economic
> incentive for improving web site authentication via other technologies
> would vanish.
>
> Admittedly, a world where phishing is too minor a problem to worry
> about would be a nice problem to have.
>
> Regards,
> Brian
>



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
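As an added illustration of the blacklist-versus-heuristics point Brian raises above (this is not code from the thread, nor from any browser's anti-phishing filter), here is a toy URL classifier in Python. A host that has already been reported is blocked by the blacklist; a freshly registered lookalike used in a small, targeted campaign is not on any list yet and can only be caught by heuristics. The blacklist, the brand table and every URL are constructed samples; the registrable-domain helper is a crude "last two labels" approximation rather than a public-suffix lookup, and the heuristics are illustrative, not a production filter.

```python
"""Toy phishing-URL classifier: blacklist lookup plus simple heuristics.

Added example for the websecurity thread; not the code of any real filter.
All hosts, brands and URLs below are constructed samples.
"""
from typing import Dict, List
from urllib.parse import urlsplit
import ipaddress

# Constructed sample blacklist: hosts that have already been reported.
REPORTED_HOSTS = {
    "secure-login-update.example.net",
    "paypa1-verify.example.org",
}

# Constructed brand table: brand keyword -> the one domain allowed to carry it.
PROTECTED_BRANDS = {
    "examplebank": "examplebank.com",
    "paypal": "paypal.com",
}

# Digit-for-letter swaps commonly seen in lookalike names ("paypa1", "g00gle").
_DIGIT_SWAPS = str.maketrans("01", "ol")


def registrable_domain(host: str) -> str:
    """Crude approximation (no public-suffix list): the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def heuristic_findings(url: str) -> List[str]:
    """Return human-readable reasons a URL looks suspicious (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["unparseable host"]
    findings = []
    # Credentials before the host ("brand.com@attacker") hide the real host.
    if parts.username is not None:
        findings.append("userinfo in URL")
    # A raw IP literal instead of a domain name.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal host")
    except ValueError:
        pass
    # Very deep nesting is typical of "brand.com.something.example" hosts.
    if host.count(".") >= 4:
        findings.append("deep subdomain nesting")
    # A protected brand name appearing in a host or path the brand doesn't own.
    owner_domain = registrable_domain(host)
    haystack = (host + parts.path.lower()).translate(_DIGIT_SWAPS)
    for brand, owner in PROTECTED_BRANDS.items():
        if brand in haystack and owner_domain != owner:
            findings.append(f"brand '{brand}' outside {owner}")
    return findings


def classify(url: str) -> Dict[str, object]:
    """Blacklist hit -> block; heuristic findings only -> warn; else allow."""
    host = (urlsplit(url).hostname or "").lower()
    blacklisted = host in REPORTED_HOSTS
    findings = heuristic_findings(url)
    if blacklisted:
        verdict = "block"
    elif findings:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"verdict": verdict, "blacklisted": blacklisted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, one already reported, and two
    # "targeted" lookalikes that no blacklist has seen yet.
    for sample in (
        "https://www.examplebank.com/login",
        "https://paypa1-verify.example.org/signin",
        "https://examplebank.com.account-review.example.net/verify",
        "http://examplebank.com@203.0.113.5/login",
    ):
        print(sample, "->", classify(sample))
```

The third and fourth URLs are the case Brian describes: nothing in the blacklist matches, so the only signal comes from the heuristics (nesting depth, a brand name on a domain that does not own it, an IP literal, userinfo before the host). A filter that relies on reports alone would let both through until someone reports them.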