[LINK] Phishers are getting lazy
devenish at guild.uwa.edu.au
Tue Feb 17 15:01:39 EST 2004
In message <9BD4AE8C2EB1D311982700508BA2498904CBD289 at EXCHANGE_AU>
on Tue, Feb 17, 2004 at 03:23:47PM +1000, Chirgwin, Richard wrote:
> The abuse of Port 80 is another manifestation of the abuse of the commons,
Would you propose prohibition of HTTP instead in e-mail? Would plain
text be free of trouble? (No, people could still copy-and-paste
> (Is there any way to refuse a request at the Webserver for a
> connection which is trying to download just one element of the page?
> I guess not...)
What prevents a phisher from copying-and-pasting a logo directly into
a fraudulent HTML e-mail, thus avoiding the real website altogether?
Copyright law? (Good luck!)
> Mind you, it highlights the abuse of Port 80 by a Certain Major
> International Software Developer. There is no good reason why Outlook should
> be >able< to try and download stuff without any user action. Even images.
Imagine a 300kB HTML advertisement (including graphics). If the graphics
are accessed via HTTP, then the SMTP message itself may only be 20kB. If
you choose not to view the message, you've saved the extra 280kB. I'm no
fan of HTML e-mail, but some people just can't help themselves.
> For the sake of a couple of feature trinkets, we get cargo-culted into
> bad security practice, and into behaviours and technologies which
> encourage the pollution of the Internet in general.
Here at Uni, a lot of students have webmail accounts (often held with
Eastern States or overseas providers) that are, by their very nature,
based in HTML. These encourage an expectation of HTML-based content
(even with very large pictures, Flash, etc.). Even if the banks should
be "more responsible", many other businesses are eager to promote their
brands or encourage customers through HTML-based encouragement.
With regards to Outlook's ability to fetch hyperlinked content by
default: I can imagine that a lot of phishing victims would be inclined
to enable HTTP even if it was off by default. (Note that this occurs in
corporate contexts -- via the use of HTML for styled text in Internet
e-mail, instead of non-hyperlinked text/enriched and such.) And if you
look at products like Eudora...the "adware" versions presumably need a
web connection to download ads in the first place.
Do you think there could be successful ways of providing free(-ish) and
equitable(-ish) access to e-mail while at the same time disabling HTTP?
> I've had, by the way, two phishing messages today,
I wonder why you get so few.
> I truly believe it's time for the banks to reverse their interest
> in convenience, and instead phase in purpose-built apps which
> don't launch in a browser.
Hold on...that's a very significant loss of convenience. Although the
web was not designed as a secure commerce and voting platform, it gets
used as such. While you might successfully legislate against the latter,
do you think society is willing to accept limits on the former? Also,
what programming technologies do you think are appropriate for these
purpose-built apps? How will the "man on the street" react to "the
'bad' old days"? In the medium term, would this simply encourage a new
wave of attempts to use web browsers?
Hopefully, you will not be surprised to find that customers, and not
just enterprises, can be hostile towards the things that are safest.
> At least if they only accept connections from an application
> presenting the right signature, it would be a start?
Do you have ideas about how banks could deliver software to users via
the Internet in a way that would not be open to phishing? (That is, can
banks do something "secure" that cannot be mimicked by something that is
"illegitimate"?) If not, all that custom software will again need to be
delivered via fixed media (hand-to-hand contact?). Yet, online gaming/
entertainment encourages the "installation" of software from the
Internet, and users can develop that expectation. Banks may need to be
more responsible than that, but I suspect neither customers nor
entrepreneurs will readily tolerate the abolition of a technology
without a well-marketed replacement.
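Added example, not part of the thread above and not code from any mail client: a small Python filter that does on the receiving side what the thread asks of Outlook. Every attribute a renderer would fetch without user action is stripped (the URL is parked in a data-remote-* attribute so a "load remote content" button could restore it), and the filter reports which hosts would have been contacted and where the clickable links actually go. The mismatch between the two is the "one element of the page" pattern the thread discusses: images drawn from one site, links pointing at another. The sample message, the bank.example host, the 203.0.113.5 address and the domain() helper are all constructed for this example.

```python
"""Neutralise remote content in an HTML e-mail before it is rendered.

Standard library only. Scope is network fetches; script: hrefs and the
like are a separate problem and are not handled here.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value a renderer fetches without any user action.
FETCH_ATTRS = {
    "img": {"src", "lowsrc"}, "link": {"href"}, "script": {"src"},
    "iframe": {"src"}, "frame": {"src"}, "object": {"data"},
    "embed": {"src"}, "input": {"src"}, "body": {"background"},
    "table": {"background"}, "td": {"background"},
}
# Elements dropped outright: active content, and <style>, whose url() can fetch.
DROP_TAGS = {"script", "iframe", "frame", "object", "embed", "style"}
REMOTE_SCHEMES = {"http", "https", "ftp"}


def is_remote(url):
    """True for URLs a client would fetch over the network (not cid:, data:, mailto:)."""
    url = url.strip()
    return url.startswith("//") or urlparse(url).scheme.lower() in REMOTE_SCHEMES


def domain(host):
    """Crude registered-domain guess (assumption of this example, not a PSL lookup):
    'images.bank.com.au' -> 'bank.com.au', IP literals are returned unchanged."""
    if host.replace(".", "").isdigit():
        return host
    labels = host.lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in {"com", "co", "net", "org", "edu", "gov"}):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class RemoteContentFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []            # rewritten HTML fragments
        self.blocked = []        # (tag, url) pairs that would have been fetched
        self.link_hosts = set()  # hosts the visible <a href> links point to
        self._dropping = 0       # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs, selfclosing=False):
        if self._dropping:
            if tag in DROP_TAGS and not selfclosing:
                self._dropping += 1
            return
        pieces = []
        for name, value in attrs:
            if value is None:
                pieces.append(f" {name}")
                continue
            if name in FETCH_ATTRS.get(tag, ()) and is_remote(value):
                self.blocked.append((tag, value))
                pieces.append(f' data-remote-{name}="{escape(value, quote=True)}"')
                continue
            if name == "style" and "url(" in value.lower():
                continue  # inline CSS url() also fetches; drop rather than parse it
            if tag == "a" and name == "href" and is_remote(value):
                self.link_hosts.add(urlparse(value.strip()).hostname or "")
            pieces.append(f' {name}="{escape(value, quote=True)}"')
        if tag in DROP_TAGS:
            if not selfclosing:
                self._dropping += 1
            return
        self.out.append(f"<{tag}{''.join(pieces)}{' /' if selfclosing else ''}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        if self._dropping:
            if tag in DROP_TAGS:
                self._dropping -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(escape(data, quote=False))


def neutralise(html_text):
    """Return (safe_html, blocked, link_hosts); safe_html triggers no fetches."""
    f = RemoteContentFilter()
    f.feed(html_text)
    f.close()
    return "".join(f.out), f.blocked, f.link_hosts


def hotlink_mismatch(blocked, link_hosts):
    """Domains whose resources would be fetched but that no link points to.
    A message drawing its logo from a bank's site while every link goes
    elsewhere shows up here; a genuine mailing from images.bank.com.au with
    links to www.bank.com.au does not."""
    link_domains = {domain(h) for h in link_hosts if h}
    fetch_domains = {domain(urlparse(u.strip()).hostname or "") for _, u in blocked}
    return fetch_domains - link_domains


# Constructed sample: logo and background hotlinked from the bank, link and
# script pointing at the phisher's host (203.0.113.5 is a documentation address).
SAMPLE_PHISH = (
    '<html><body background="http://www.bank.example/bg.gif">'
    '<img src="http://www.bank.example/images/logo.gif" alt="logo">'
    '<p>Dear customer, please <a href="http://203.0.113.5/login.php">verify</a>'
    ' your account. &amp; thanks.</p>'
    '<img src="cid:inline1@local">'
    '<script src="http://203.0.113.5/t.js"></script></body></html>'
)

if __name__ == "__main__":
    safe, blocked, links = neutralise(SAMPLE_PHISH)
    print(safe)
    print("would have fetched:", blocked)
    print("links go to:", links)
    print("fetched from but never linked to:", hotlink_mismatch(blocked, links))
```

Rendering the returned HTML makes no HTTP request; the client only contacts the hosts in `blocked` if the user asks for remote content, and the mismatch set gives it something concrete to warn about first.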