How to Stop Phishing in One Easy Step
Oct 07, 2005, 01:00
By Brandioch Conner
Here's a security concept for everyone: "if you can't do it securely, then don't do it at all."
This particularly applies when it would be far more "convenient" to do it in an insecure fashion. I'm not talking convenience here, I'm talking security. Applied to phishing, this means: don't use email to send links or account information. Some sites are sort of getting around to this. One such is eBay. Now eBay will include a copy of all legitimate correspondence they send you in your email account at eBay.
Of course, the problem is that if someone can match their website closely enough to fool you into entering your eBay username/password on their server, they can do a man-in-the-middle attack on your account (including their own phishing email in what you see), and you're still 100% compromised. And all that takes is time and skill to set up.
Given the limits of email right now (including SPF and such), it is impossible for the average user to know whether a specific email is legitimate. Sure, www.ebay.com is easy to verify, but is www.myebaysecurity.com also legitimate? Should I click on the enclosed link? SPF, rDNS, and everything else can confirm that that IP address is legitimately assigned to that name, but not that the name belongs to eBay.
So, the easiest solution would be to not send email with links. Yes, I am aware that this will mean the end of the cute HTML email ads that you send/receive. That's the part about "if you can't do it securely then don't do it at all." There's no use in crying about what you can't do if you can't do what you want to do in a secure fashion.
It's 2005 and the technology has advanced enough for any financial site (that means any site that involves money being exchanged) to run its own web-email-type system. They wouldn't even need it to be SMTP-capable. It would only be used for outside people reading their email from that business and sending email to employees inside that business and for employees at that business to send/receive email from the clients connected to it.
This isn't to say that you'd have to check that email account all the time to see if you have email. Again, this is 2005. We have all kinds of means of alerting people when they need to check something. We can send a text message to their pager or cell phone, we can leave a voice message on their pager, cell phone or home phone. It would even be possible to send a text-only email without any links telling them that they have email at such-and-such bank/auction site/wherever and that they should go there to check it. Since they should already know the web site name (they have used it before, right?) they shouldn't need to have it spelled out for them in the email.
It is economical for a bank to have a computer call phones and leave voice messages if you need to contact the bank (they already do this) but it is not economical for the phishers to do that (even if they're running Skype or whatever). And it gets even easier if the bank (or whatever) allows you to choose the text message to be sent to your pager/cell phone.
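One way a site could enforce the "text-only email without any links" rule on its own outbound notices, as an added example that is not from the original article: a gate that rejects any message carrying a non-plain-text part or anything that looks like a URL or host name. The function names, the sender address notices@bank.example and the sample messages are hypothetical.

```python
import re
from email.message import EmailMessage

# Explicit URLs, or bare host names such as "www.myebaysecurity.com".
LINK_RE = re.compile(
    r"(?i)\b(?:https?|ftp)://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"
)

def policy_violations(msg):
    """Return the reasons an outbound message breaks the no-links policy."""
    problems = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; its children are visited by walk()
        ctype = part.get_content_type()
        if ctype != "text/plain":
            # HTML bodies and attachments can hide a link behind other text.
            problems.append(f"non-text part: {ctype}")
            continue
        for hit in LINK_RE.findall(part.get_content()):
            problems.append(f"link-like text: {hit}")
    return problems

def build_notice(to_addr, site_label):
    """Compose the alert: says mail is waiting, never says where to click."""
    msg = EmailMessage()
    msg["From"] = "notices@bank.example"  # hypothetical sender
    msg["To"] = to_addr
    msg["Subject"] = f"New message waiting at {site_label}"
    msg.set_content(
        f"You have a new message in your {site_label} inbox.\n"
        "Sign in the way you normally do to read it.\n"
        "We never send links or ask for account details by email.\n"
    )
    return msg

if __name__ == "__main__":
    notice = build_notice("customer@example.org", "Example Bank")
    print(policy_violations(notice) or "notice passes the no-links policy")
```

The check is deliberately strict: a false positive only delays a notice, while a false negative trains customers to expect links in mail from the site.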
The best part is that this would not require 51%+ of the email servers to be upgraded or modified or anything else. For this to work for a specific bank/site it would only require that they change. And the technology is 100% available (and Open Source) today.
It should be noted that this does not in any way describe any method for securing financial transactions done over the Web. This is just a method to kill phishing attempts and the losses associated with successful compromises.