[LINK] PayPal to combat phishing with key fobs
Jan Whitaker
jwhit at melbpc.org.au
Sun Jan 14 16:14:38 AEDT 2007
At 03:08 PM 14/01/2007, Rick Welykochy wrote:
>My conclusion is that without an independent authentication path (i.e. not
>web based) phishing will continue to be a successful way to divest the
>uninformed consumer of their savings. Give me any web-only authentication
>system and I can show you how a phisher can duplicate that system to fool
>all but the expert user - they just have to clone and corrupt the original
>technology, which is the easy part. Harder is the social engineering. But
>I think they are getting better at it. It's all in the wording they chose.
A few ideas come to mind.
1. There is also the psychology of the consumer with regard to
interacting with any site. The power relationship lies with the
'bank', so the individual will? might? look at the situation only
from their need to convince the remote site they are who they say
they are as the customer. The thought that the remote site would be
required to provide the same assurance in reverse is less likely to
occur to the individual. After all, the individual initiated the
contact, not the other way around. The customer may also see that
'power' ratio as a good thing because it would be interpreted as
stronger security from others who may wish to 'break into' their account.
2. Nonces and key fobs are seen by the general public as another
'black magic' technology. Wouldn't have a clue how it works. I don't!
For example, is it necessary for there to be some relationship to
location for a PayPal fob to work accurately? Are they international
or only local? Don't bother explaining, I really wouldn't care. The
'trust the issuer' aspect comes into play. I have one for an old
Westpac account. I closed that account. Is it of any value any more?
Is it only attached to the account I used to have and for which I
never used it because it was only required for large dollar amounts?
3. My email program, Eudora, alerts me when I hover on an embedded
link if the visible URL is different from the underlying URL to which
the user will be sent. It's interesting how many times the phishing
emails include legitimate links to things like security and privacy
areas from the supposed sender, but redirect to sites in the actual
spoof intention like changing a password or updating details.
4. What is the real value of certificates? I've received several
alerts where the certificate has expired, do I want to go ahead. I
generally do because the page I'm going to access is something I
anticipate to be only flat code, nothing that weird. But in terms of
this discussion, is there any place for a rigorous implementation of
third party certification of site identity and security? When I
started seeing the expiry problem, I figured it may have gone past
its use date in the security space.
Jan
Jan Whitaker
JLWhitaker Associates, Melbourne Victoria
jwhit at janwhitaker.com
business: http://www.janwhitaker.com
personal: http://www.janwhitaker.com/personal/
commentary: http://janwhitaker.com/jansblog/
'Seed planting is often the most important step. Without the seed,
there is no plant.' - JW, April 2005
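Editor's note on point 3 above: the hover check Jan describes in Eudora (visible link text naming one host while the href points somewhere else) is easy to reproduce over an HTML message body. The following is an added illustration, not Eudora's code and not part of the original post; the sample e-mail, hostnames and IP address in it are constructed for the example.

```python
"""Flag HTML e-mail links whose visible text names one host but whose href
points at another, the mismatch a hover warning surfaces.
Added illustration; the sample message and hostnames below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two honest links and one whose anchor text shows a
# bank-looking address while the href goes to an unrelated address.
SAMPLE_EMAIL = """
<p>Please review our <a href="https://www.examplebank.example/privacy">privacy policy</a>.</p>
<p>Update your details at
<a href="http://203.0.113.7/login.php">https://www.examplebank.example/update</a></p>
<p>Contact <a href="https://www.examplebank.example/contact">www.examplebank.example</a></p>
"""


def _host_of(text):
    """Return the hostname named by text if it looks like a URL or bare host, else None."""
    text = text.strip()
    if not text or " " in text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    # Require a dot so ordinary words such as "privacy policy" are not treated as hosts.
    return host.lower() if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html):
    """Return (visible_text, href) for anchors whose text names a host that differs
    from the host the href actually leads to.  Links whose text is not a host or
    URL (e.g. "privacy policy") are not flagged, matching the hover-check behaviour."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = _host_of(text)
        actual = _host_of(href)
        if shown and actual and shown != actual:
            flagged.append((text.strip(), href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"WARNING: link text {text!r} but destination {href!r}")
```

The check deliberately ignores anchors whose text is a phrase rather than an address, which is why the legitimate "privacy policy" link in the sample passes while the "update your details" link is reported: that is exactly the pattern Jan notes, genuine links for the innocuous pages alongside a spoofed one for the credential-capturing page.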
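Editor's note on point 2 and on Rick's quoted argument: a one-time-password fob computes nothing location-dependent; the common HMAC-based scheme (RFC 4226, HOTP) derives each code from a secret shared with the issuer and a counter, and the issuer recomputes the same code to check it. The block below is an added illustration written for this page, not code from PayPal, Westpac or any fob vendor, and it makes no claim about which algorithm their particular tokens use; the secret is the RFC 4226 test-vector secret, chosen so the output can be checked against the standard. It also shows Rick's general point in code: a phisher who relays a freshly typed code to the real site uses it up, and the user's own attempt with that code then fails.

```python
"""Generic HOTP (RFC 4226) fob and verifier, plus a relay demonstration.
Added illustration; it asserts nothing about which scheme PayPal's or
Westpac's fobs implement, and the secret is the RFC test-vector value."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter), dynamic truncation, N digits.
    Inputs are only the shared secret and the counter: no clock, no location."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FobServer:
    """Issuer-side verifier.  Per fob it stores the secret and the last accepted
    counter, and accepts a code only if it belongs to a counter ahead of that one
    (within a look-ahead window), so any given code can succeed at most once."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.last_counter = -1
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def phishing_relay_demo(secret: bytes):
    """The user reads a code off the fob and types it into a phishing page; the
    phisher forwards it to the real site before the user's own login completes.
    Returns (phisher_accepted, user_accepted)."""
    server = FobServer(secret)
    fob_counter = 0                              # counter held inside the user's fob
    code = hotp(secret, fob_counter)             # what the fob's display shows
    phisher_ok = server.verify(code)             # relayed by the phisher first
    user_ok = server.verify(code)                # the genuine attempt, same code
    return phisher_ok, user_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 4226 test-vector secret
    print("first three codes:", [hotp(secret, c) for c in range(3)])
    print("phisher accepted, user accepted:", phishing_relay_demo(secret))
```

Two things follow for the thread's discussion. A closed account's fob (Jan's Westpac token) is just a secret and a counter the issuer no longer has on file, so it verifies nothing on its own. And because the code is an ordinary string the user types into whatever page is in front of them, a fob raises the cost of reusing a captured password but does not by itself let the user tell the real site from a clone, which is the independent-path point Rick is making.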