By Brandioch Conner
Here’s a security concept for everyone: “if you can’t do it
securely, then don’t do it at all.”
This particularly applies when it would be far more “convenient”
to do it in an insecure fashion. I’m not talking convenience here,
I’m talking security. So, how this applies to phishing is, don’t
use email to send links or account information. Some sites are sort
of getting around to this. One such is eBay. Now eBay will include
a copy of all legitimate correspondence they send you in your email
account at eBay.
Of course, the problem is that if someone can match their website
closely enough to fool you into entering your eBay username/password
on their server and run a man-in-the-middle attack on your account
(including their own phishing email in what you see), you’re
still 100% compromised. And all that takes is time and skill to set
up.
Given the limits of email right now (including SPF and such), it
is impossible for the average user to know whether or not a
specific email is legitimate. Sure, www.ebay.com is easy to
verify, but is www.myebaysecurity.com also legitimate? Should I
click on the enclosed link? SPF, rDNS, and everything else can only
confirm that the IP address is legitimately assigned to that
name, not that the name belongs to eBay.
So, the easiest solution would be to not send email with links.
Yes, I am aware that this will mean the end of the cute HTML email
ads that you send/receive. That’s the part about “if you can’t do
it securely then don’t do it at all.” There’s no use in crying
about what you can’t do if you can’t do what you want to do in a
secure fashion.
It’s 2005 and the technology has advanced enough for any
financial site (that means any site that involves money being
exchanged) to run its own web-mail-style messaging system. They wouldn’t even
need it to be SMTP-capable. It would only be used for outside
people to read their mail from that business and send mail to
employees inside it, and for employees at that business to
send/receive mail from the clients connected to it.
This isn’t to say that you’d have to check that email account
all the time to see if you have email. Again, this is 2005. We have
all kinds of means of alerting people when they need to check
something. We can send a text message to their pager or cell phone,
we can leave a voice message on their pager, cell phone or home
phone. It would even be possible to send a text-only email
without any links telling them that they have email at
such-and-such bank/auction site/wherever and that they should go
there to check it. Since they should already know the web site name
(they have used it before, right?) they shouldn’t need to have it
spelled out for them in the email.
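One way to enforce the “no links in email” rule from the paragraphs above and to generate the plain-text “you have mail waiting at such-and-such site” notice, as an added Python example (not the author’s code; the sender address, site name and the lookalike-domain sample are constructed placeholders):

```python
import re
from email.message import EmailMessage

# Flags http(s) URLs and bare host names (e.g. www.myebaysecurity.com) in message text.
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+(?:com|net|org|biz|info)\b", re.I)

def lint_outbound(msg: EmailMessage) -> list[str]:
    """Return policy violations; an empty list means the notice is safe to send."""
    problems = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers (multipart/alternative etc.) carry no text of their own
        ctype = part.get_content_type()
        if ctype != "text/plain":
            # HTML parts and attachments can hide links behind display text, so reject them.
            problems.append(f"non-text part {ctype} not allowed")
            continue
        for match in URL_RE.finditer(part.get_content()):
            problems.append(f"link or host name in body: {match.group(0)}")
    return problems

def build_notice(to_addr: str, site_name: str) -> EmailMessage:
    """Plain-text 'you have a message waiting' notice: names the site, carries no link."""
    msg = EmailMessage()
    msg["From"] = "notices@bank.invalid"  # placeholder sender, not a real address
    msg["To"] = to_addr
    msg["Subject"] = f"A new message is waiting in your {site_name} account"
    msg.set_content(
        f"You have a new message in your {site_name} account.\n"
        "Sign in the way you normally do to read it. We never send links by email.\n"
    )
    return msg

def sample_html_ad() -> EmailMessage:
    """Constructed HTML promo with a lookalike-domain link: the kind of mail the policy rejects."""
    msg = EmailMessage()
    msg["Subject"] = "Special offer"
    msg.set_content("Click here: www.myebaysecurity.com/login")
    msg.add_alternative(
        "<p><a href='http://www.myebaysecurity.com/login'>Click here</a></p>", subtype="html")
    return msg

if __name__ == "__main__":
    print(lint_outbound(build_notice("customer@example.invalid", "Example Bank")))  # []
    for problem in lint_outbound(sample_html_ad()):
        print("REJECT:", problem)
```

The lint is meant to sit in front of the outbound mail gateway so that a notice naming the site can go out while anything carrying a URL, a host name or an HTML part is bounced back to whoever wrote it.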
It is economical for a bank to have a computer call phones and
leave voice messages if you need to contact the bank (they already
do this), but it is not economical for the phishers to do
that (even if they’re running Skype or whatever). And it gets even
easier if the bank (or whatever) allows you to choose the text
message to be sent to your pager/cell phone.
The best part is that this would not require 51%+ of
the email servers to be upgraded or modified or anything else. For
this to work for a specific bank/site it would only require that
they change. And the technology is 100% available (and Open Source)
today.
It should be noted that this does not in any way describe any
method for securing financial transactions done over the Web. This
is just a method to kill phishing attempts and the losses
associated with successful compromises.