Phishing Site Using Valid SSL Certificates 368
UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."
un-possible! (Score:5, Insightful)
Seriously. I remember in the early 90s, tv ads for banks that ended with "...and remember, our staff will never ask for your credit card number over the phone." I think people *eventually* got the message on that one. How long will it take online? Remember, unsolicited email that links to a website ready to take your credit card number is bullshit, mom.
It's just a numbers game (Score:5, Insightful)
You mean people would never give out credit card numbers, when asked over the phone? I think you place too much faith in humanity.
Most people would agree it's stupid, and fewer people will behave stupid after an education campaign (or after being bitten in the ass). Scam artists may not bother anymore with a certain method. But not because it wouldn't work; but because they've moved onto easier methods, methods that (these days) give them more return for their effort.
For the same reason, e-mails with attachments like "Anna Kournikova.jpg.pif" will keep getting clicked on. You may think it's silly, but there's a new sucker born every day.Re:un-possible! (Score:5, Interesting)
They do this all the time. Just last week, Discover called and left a message on my machine "This is the security department, we have a question about the activity on your account, please call 800-###-#### to ensure continued service." When I called that number, they started off saying "Please tell me your card number, your mother's maiden name, etc." all to "confirm my identity" I of course refused, hung up, and called the 800 number printed on my credit card. They were understanding, but never acknowledged that they were essentially asking me to give all my personal information to a random person who called my home phone number.
Re:un-possible! (Score:5, Interesting)
I asked the women on the other hand what was that about - why I need to give this info?
She told me she need 'security check - blabla'
I asked why they asked me to call and where I was exactly she just told me the name of the bank (thanks,easy) but she needed the security check to give the reason of the call (best excuse ever)...
I hang up - ( I start to sweat ) - I went straight to the website to find the number I just called in the bank public phonebook but nada
I called the bank, this time I have to give the security ID again ( after the previous experience, even if you pick the number yourself in your monthly statement, you really feel uneasy )
I asked the girl what was this number I just called, and what I'm suppose to do know
Hopefuly the girl ring herself to the mysterious number and found out that it was only a number setup for the billing departement ( yeah I missed a payment
They had a valid reason to contact me, I had an urgent action to take but why in hell do they use the same trick the spammers use?
They use an unknown number not even known from the bank employees ?
If I did as we are told in the security leaflet given by the very same bank, I should have called the fraud departement of the bank to report the phishing attempt instead of ringing back!
Re:un-possible! (Score:5, Interesting)
SiteKey: Mother's maiden name, for your bank? (Score:3, Interesting)
Bank of America has a system like this, called SiteKey. If you click on a link and it doesn't go through a verification routine called SiteKey, you know you're not at the real web site of the bank.
There are several issues with this system, however. The biggest one seems to be t
Re:un-possible! (Score:2)
I recently read about a credit card scam operating here at the moment. You'll get a call from the bank / card company asking to do a standard security check. The catch is they already know your card details from another source (Skimmed at a restaurant or whatever), so they'll quote you the last 4 digits of your card's number as is standard practice o
Re:Public school system (Score:2)
But to get back on-topic, "the oldest trick in the book" only lasts so long before it has to be retired. This is just the next logical evolution in social engineering methodology. And it's not nice. I hope something will come along soon that will put a damper on it.
And hey, isn't the CA supposed to revoke certificates used for crime?
Re:Public school system (Score:2, Interesting)
-matthew
Re:Public school system (Score:5, Interesting)
Yes. At least IE does. It slows things down if you're on an isolated network, so it's one of the first things I turn off on those machines.
Re:Public school system (Score:5, Insightful)
Firefox does (Score:5, Informative)
Check here for settings. [mozilla.org]
has to be retired-- a rebuttal (Score:5, Interesting)
http://www.historybuff.com/library/refbarnum.html [historybuff.com]
Re:This bears repeating - (Score:5, Insightful)
What's going on with this phishing site is that they have a bogus domain name, which unfortunately is good enough to fool people. If you know know that your bank's website is citibank.com, not secure-citibank-website.com or something like that, you will never fall prey to this. You're wrong that a check would not have done any good.
And a "self-signed" cert is useless because a man-in-the-middle could issue his own "self-signed" cert and just replay traffic between the client and your server.
What? (Score:5, Insightful)
Sophisticated Phishing (Score:5, Interesting)
Back then, it was hard to imagine people getting fooled by the crude "Send me yore passwerd" level of "attacks" -- and yet people fell victim to it just the same. These days, they're polished enough that you basically have to assume any email that claims to be from your bank is forged, then examine it and try to prove otherwise.
Re:Sophisticated Phishing (Score:5, Informative)
Re:Sophisticated Phishing (Score:2)
Hell even my parents struggle with that one.
Hell even my sister struggles with that one.
Re:Sophisticated Phishing (Score:4, Insightful)
Well, yeah, why wouldn't you assume that? In fact, there's no need to examine it to try to prove otherwise, just go to your online banking site (which, it doesn't take a genius to bookmark when you sign up for it), if the bank wanted to tell you something, you'll be notified there too.
What, are you saying I should also assume that the letters I get telling me I won 10 million dollars are not real either?
In other news - Stupid People Still Stupid (Score:4, Funny)
Nice try, but I can tell you're trolling (Score:5, Funny)
Clues for phishers from Geotrust (Score:4, Funny)
If they rely on misspellings, they'll only catch the dumb phishers. They're generally the ones that don't catch a lot of people anyway, or at least not anybody who doesn't deserve to be scammed.
Re:Clues for phishers from Geotrust (Score:5, Insightful)
You know, I hate hearing that anybody deserves the financial ruin that results from falling for one of these scams.
Remember, the more that geeks put on the "you're stupid so you deserve what you get" attitude, the fewer folks who are less-computer-savvy will buy computers for fear of being taken for a ride (and knowing no one will help them.)
This, in turn, results in less money floating around in the tech sector, which, in turn, results in less money being invested to develop convieniences upon which we have come to rely - such as online banking.
Which, of course, results in less money in the pocket of the geeks that were so callous to begin with. Remember - we NEED the end user just as much as the end user needs us.
Re:Clues for phishers from Geotrust (Score:3, Interesting)
This is why TFA goes on to say "[...] the technology did not flag the request because there was
Re:Clues for phishers from Geotrust (Score:5, Insightful)
Unfortunately their domain names are a soup of common names and it's impossible to remember. With common names, a small alteration of the site and that's all you need to confuse some folks.
The best phishing URL I've ever seen was one that was www.amazon.com.exec-obidos.com. If anyone remembers, previously Amazon URLs always had an exec-obidos in their path when the link lead to a product. Even I had to blink a few times before I realized it was a phishing scam. (All the links went to a working Amazon section).
Re:Clues for phishers from Geotrust (Score:5, Informative)
Signed SSL certs worthless (Score:5, Insightful)
Re:Signed SSL certs worthless (Score:2)
Well, I guess there is a market for a more trusted group of people that issue identities on the internet. These are the DNS registrars and the certificate authorities.
Think about paying for a DNS server that did not resolve any illegal hosts? I would, and recommend anybody else to do the same.
Re:Signed SSL certs worthless (Score:4, Insightful)
So, your point is? (Score:2)
While not perfect, I'd argue that the current system works pretty darn well. Obviously, improvements in due diligence are needed but on the whole, I'd wager there is fairly low SSL cert fraud out there. I say that
Re:So, your point is? (Score:5, Informative)
Um, no. [infoworld.com]
Re:So, your point is? (Score:2)
Do nothing. Let folks use the normal societal methods for authenticating identity. Use SSL for what its good for, end to end encryption with a party you haven't talked to before. Skip the rest of it or reduce it so something like domain name-only authentication where SSL is understood to only authenticate that you really are talking to the server with that name.
I say that because this is the first incident ever being reported where an SSL cert was obtained illegitimately.
Wow. Wha
Re:So, your point is? (Score:4, Informative)
Nevermind the fact that if noone is buying certs, theres no finanical pressure to cause them to make any compromises for those willing to pay the right price.
Re:So, your point is? (Score:4, Informative)
Re:Signed SSL certs worthless (Score:2)
This fits here too, but was originally my argument about a recent announcement that Windows Vista will require all x64 drivers to be signed, which will cost small time devel
Depends (Score:2)
(If someone is using a weak algorithm and a weak key, especially if the key is not random but based on knowable information, then it may be possible for someone with sufficient computin
Re:Signed SSL certs worthless (Score:2)
Proving once again the relative lack of worth of requiring SSL certificates to be signed.
Well, I think relative is the key word here. What a signed SSL cert does protect against is a man-in-the-middle attack. That is, when I connect to https://secure.newegg.com/ [newegg.com] and negotiate an encryption session, and don't get a "this certificate not recognized" error, I can be assured that I've actually negotiated with newegg.com, and not some other guy that's sitting in between me and newegg.com and has given me HIS ce
Re:Signed SSL certs worthless (Score:2)
That's why I don't click html links... (Score:5, Insightful)
Re:That's why I don't click html links... (Score:2)
I know exactly what you mean. Your situation is perfectly analogous to my eating habits -- I really don't like fish, therefore I only eat italian food.
Re:That's why I don't click html links... (Score:5, Insightful)
I hate to break it to you, but the vast majority of computer users would not be willing to use a terminal-based email system. Most are afraid of using terminals period. I'm glad that you found something that works for you and can score you cool points on Slashdot, but I hope you weren't stating that as a recommendation. Links in email aren't necessarily A Bad Thing so rather than do away with them completely, it's better to fight the phishers instead of the links.
Re:That's why I don't click html links... (Score:2, Insightful)
You know, that's a bunch of bull... users are capable of doing it if they weren't ignorant. 10 years ago when GUI mail readers barely existed, I knew dozens of fellow students that would telnet into a UNIX box and read their mail with pine or elm (and later mutt) without any problem at all. Usually their history would show them alternating between pine and logging into a MUD to g
Re:That's why I don't click html links... (Score:3, Insightful)
Okay, what YOU say is a bunch of bull. 10 years ago you would have used Mosaic to browse the web. Maybe Netscape 1. You would have been using a 150 mHz (tops) computer from a dial up modem.
You were perfectly capable of de
Re:That's why I don't click html links... (Score:3, Interesting)
Er...uh...well...maybe, because we're not, and the OP never said we should be. The OP was only listing his own preferred newsclient, and not insisting that anybody else in the world use it. Just because you think GUI mail clients that parse html, automatically open attachments and run executables are the greatest thing since punched cards doesn't mean everybody else has to use them.
Re:That's why I don't click html links... (Score:4, Funny)
Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!
Re:That's why I don't click html links... (Score:4, Interesting)
Congratulations! You've earned extra Slashdot Coolness Points for 1) slamming Windows; 2) insulting the average user; and 3) being blissfully unaware that most normal people actually prefer a GUI interface!
Perhaps, but more importantly, he offered a reminder that 1) the "Ease of Use" design of Windows and many Windows-based apps does encourage stupidity; 2) GUI apps, despite their added features, can often be inferior to terminal-based programs (in this particular case, even dangerous); and 3) terminal-based programs need not be difficult to use as ordinary people were once perfectly happy typing cryptic-looking commands on a bare screen.
I'd say each of those is reminders is valuable, and the distinctions made are important.
This isn't so different than refering to Windows-based viruses as worms as "computer viruses." Put another way, if everyone does indeed want clicky programs and text/html email as another poster suggested, it's perfectly appropriate that they have a clear understanding that any problems they encounter are mostly the result of their preferences. A few comparisons and a little background are always useful.
Re:That's why I don't click html links... (Score:2)
This phish could've been pulled off just as easily in plaintext.
Re:That's why I don't click html links... (Score:3, Insightful)
http://it.slashdot.org/comment [slashdot.org]
Revoke SSL cert? (Score:3)
Re:Revoke SSL cert? (Score:4, Interesting)
A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially; give us your money please, ok here's your certificate.. Enjoy!
Re:Revoke SSL cert? (Score:3, Interesting)
A revoked cert isn't the solution, the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process
Re:Revoke SSL cert? (Score:3, Interesting)
Sure, you may be speaking with a scumbag using strong encryption, but he's still a scumbag.
Re:Revoke SSL cert? (Score:5, Informative)
Re:Revoke SSL cert? (Score:3, Informative)
Err...sort of. The user would need a root update if the SSL vendor's root isn't already contained in the user's browser cache. If they didn't have the correct root, then the "valid" SSL cert would appear invalid to the browser because the cert couldn't be traced back down the chain.
To check for certificate revocation, you have to have you
Re:Revoke SSL cert? (Score:2, Insightful)
For some of the bargain basement certificate authorities this may be true however for the better known companies (Thawte and Verisign for instance) the opposite is sometimes true.
I work for an ecommerce company and the number of hoops we ha
Re:Revoke SSL cert? (Score:4, Interesting)
the solution is fixing the process by which people can get SSL certificates in the first place. There need to be more checks and balances. The current process is essentially; give us your money please, ok here's your certificate.. Enjoy!
How is any cert provider going to know that a phisher is going to use a cert for a similarly named website? If I go and buy the domain mountain-america.com, setup a website that looks like I'm going to sell vacations to the mountains on that URL, get my signed cert, then turn around the next day and make it look like the mtnamerica.org website, how is the cert issuer going to read my mind and know that?
No, the answer is that banks need to be issueing some kind of security device that does all the verification. I'm fairly certain all of this is technically possible via everyday encryption.
better link for this storey (Score:5, Informative)
Phollow the Phlopping Phish [sans.org]
Re:better link for this storey (Score:2)
Nice story and I gotta say it again ... (Score:4, Insightful)
They have your phone number.
They have your address.
They can send you a letter, they can call your phone. And their phishing rate would drop to almost zero.
Geez... (Score:4, Funny)
Also written up at SANS/ISC (Score:4, Interesting)
The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.
It's the banks fault... (Score:2)
The fatal flaw in the hypothetical course of action is trusting the non-standard domain name...but you can hardly blame Joe Sixpack for that one when so many financial institutions actually use one-off domains or partner sites. I was working on some phishing rules last year and counted something like 5 domains that Citibank used alone.
I think you're absolutely right. The natural inclination of a lot of Slashdot users is to blame the idiot users. To a small degree that's true, but largely I think the banks
The fatal flaw (Score:3, Interesting)
..Equifax.
I have nothing against Equifax, but I don't know them either. I don't know their policies, I don't know how they protect their signing key, and I don't know how they verify identities. Neither do you (well, ok, you know a little about their stated policies, because you RTFA). Neither does Joe Sixpack.
People are farming trust out to faceless strangers that they have never met. It's pretty insane when you think about it.
Who t
Err... (Score:2)
It's all a matter of time (Score:4, Insightful)
a) Give out their true information - name, address, etc, making for easier law enforcement tracking
b) Give out flase information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.
Even still, Valid SSL certificates and whatnot don't mean shit against a true savvy user who knows better. Any user who actually reads the warnings by their banks/credit card companies/etc will know that said companies will never send emails asking for credit card information.
Re:It's all a matter of time (Score:2)
>b) Give out flase information - which may buy them some time, but will only cause the bite taken out of their ass by law enforcement to be that much bigger.
c) Locate their operations in a country where they can form an under$tanding with the police. (If they haven't already).
Assuming too much for signed SSL certs (Score:5, Insightful)
In essense signed certs are only supposed to protect from a man-in-the-middle attack, not someone being fooled into going to a similarly named website. Why shouldn't I be able to get a signed cert for mountain-america.net if I own it? There's plenty of similarly named legit businesses that all have certs issued to them.
Re: Assuming too much for signed SSL certs (Score:2)
Of course, the whole idea of phishing is to take advantage of the human tendency to
Re: Assuming too much for signed SSL certs (Score:2)
Of course, the whole idea of phishing is to take advantage of the human tendency to assume waaaay too much.
Oh I agree completely. It's just the article seems to assume there's something wrong with the SSL cert issuer, and I really see litle fault from them. The fault is with banks who're letting people do transactions across the internet without people being able to verify that the bank is who they say they are.
Re: Assuming too much for signed SSL certs (Score:2)
Really? I think they can be legitimately criticized for being willing to assist in lending an air of credibility to the scam by issuing certs to a site with no legitimate purposes at all, merely because the scuzzbags who run the site are willing to cut them a cheque.
Re: Assuming too much for signed SSL certs (Score:2)
So you would support having to share your business plan to get a cert, with certs costing thousands of $CUR just to pay for all of the investigation they would require? After all, in 15 minutes you could register mountain-america.net, set up a r
Re: Assuming too much for signed SSL certs (Score:2)
So you would support having to share your business plan to get a cert, with certs costing thousands of $CUR just to pay for all of the investigation they would require? After all, in 15 minutes you could register mountain-america.net, set up a really crappy (but no worse than many) looking coffee-shop website, and say that you were going to sell coffee over the internet.
Exactly. Certs have never implied a legitimate business, and really can't do that.
Re: Assuming too much for signed SSL certs (Score:2)
Cyber-Squatting lawsuit (Score:2)
If ever there was a good case for launching a cyber-squatting suit, I think this would be it.. I don't know who applied for mtnamerica.org, but mountain-america.net seems like a far better domain name. If you'd shown me both domain names, and I had no other infor, I would have guessed that mountain-america.net was the legitimate address.
Hopefully, this case would be a slam-dunk for the credit un
Re:Cyber-Squatting lawsuit (Score:3, Interesting)
I fear the day that commercial entities own the namespace of the internet, all for name recognition and protecting users from themselves. Trademark law worked great for localized commerce, but with global environments (like the internet), how can one guarantee and protect unique naming without out
Re:Assuming too much for signed SSL certs (Score:5, Insightful)
What would prevent this sort of scam is if people were told that any certificate your browser doesn't already have saved is suspicious, and shown what can be demonstrated about the certificate. If you have a prior relationship with this site, check that this string: (fingerprint of certificate) appears in the information you received. If not, decide whether you believe one of these organizations (signers of certificate, using PKI, based on certificates which come with the system) to make the operation you are doing today safe. In either case, choose a description of the site, which will be displayed when you return to this site in the future. Ideally, the user would be asked to choose whether they recognize the site before they are told more about the certificate, so they don't just look for a reasonable-looking signer.
That way, people click the link, get the real certificate for something that isn't their bank, and they notice that the window doesn't say "Secure connection to: My Bank" (if they've done this before), or notice that the fingerprint doesn't match the fingerprint on their bank statement, and then they know that, whoever this is, it's nobody they've got an existing business relationship with, and the claim about an existing account is clearly bogus.
(Last detail: the certificate with the fingerprint in question should be a self-generated CA certificate, not the actual SSL certificate in use, so the bank can change domain name while keeping the same saved info. The CA cert should be signed by the FDIC and other banking-related organizations, who wouldn't be tempted to possibly sign a sporting-goods store certificate, but that's only at all relevant to people trying to choose a bank online, because the instructions will clearly state that this is not the user's current bank.)
SSL Certs (Score:5, Informative)
1. Register the domain JFBVB.COM
2. On your own DNS servers create a record for EBAY.JFBVB.COM
3. Purchase a legit SSL certificate from RapidSSL [rapidssl.com] on that domain for $69
4. Create your phishing site
5. (Illegally) profit!
Many people think that an SSL certificate somehow guarantees a trustful vendor. On the contrary, it simply guarantees that no one will view the information en route. The vendor can do whatever he wants with the information you send.
Re:SSL Certs (Score:3, Informative)
This is the result of years of advertising by cert authorities, Verisign in particular.
Admittedly, Verisign used to make a much greater effort to verify their clients than GeoTrust or Thawte. (This may or may not have changed.) I remember having to provide Verisign with business IDs, wait a month for them to verify things, go back and forth with address corrections, etc.
These days you can have an SSL cert up and running in less
Re:SSL Certs (Score:2)
This is the result of years of advertising by cert authorities, Verisign in particular.
Exactly. When I first heard of signed certs, I assumed this too from all the marketing by Verisign. Foolish on my part in retrospect, but hey, SSL was new and what did I know?
This scheme won't work (Score:3, Informative)
Just call up and ask for the (finger|thumb)print! (Score:4, Funny)
Unfortunately, it looks like Geotrust lost this round, and it probably would be considered good practice to actually do that from time to time. For the truly paranoid, remove all root certificates, and only after verifying the thumbprint proceed to install that cert into your cache. No more trust hierarchy.
why is this a suprise? (Score:3, Insightful)
they're in it for the buck. why would they go that extra mile when it just cuts into their bottom line?
Digitally signed confession... (Score:5, Insightful)
You know, if that SSL certificate traces back to a valid human, then you can arrest him/her for phishing and they've provided all your evidence for you.
It's like leaving your digitally signed confession at the scene of the crime. No CSI team needed. Only the crooks know the corresponding private key.
If you can't trace that certificate it back to a valid human, than the CA needs to be beaten with a large stick.
Banks should protect the money, not us (Score:4, Interesting)
The phisher in the end shouldn't be able to get any money from this.
The banks should have in place a system that secures your money much better than this. It reminds me of the wild west where banks were robbed all the time.
Like, why do the retailers have to protect the banks? Why do they have to ask for ID when you already presented a valid banking card to them? Is this system insecure? Yes, and that's why they ask for ID. WTF?
People should consider this the same as a bank getting robbed over and over. If the banks got enough bad press from this then maybe they would do something about it.
But never forget, this is not money, it's currency backed by nothing of value and could become wortless in a day. People have been trying to tell you this for years, but you people won't read any simple banker history, it's too booring.
http://www.apfn.net/Doc-100_bankruptcy13.htm [apfn.net]
http://www.federal-reserve.net/ [federal-reserve.net]
http://www.converge.org.nz/pirm/fr_paul.htm [converge.org.nz]
http://batr.org/verity/id6.html [batr.org]
Tracking these people?? (Score:5, Insightful)
The SANS/ISC take... (Score:2)
Gotta hand it to these guys (Score:3, Funny)
To add to this craziness, the culprits behind these accomplishments, in this case certificate hacking of all things, are brilliant enough to get ultra-high paying jobs and hire a nude secretary [craigslist.org]. With this new age of cyber-terrorism threats, I gotta side with the pro-hacker mantras claiming that they help the world by exposing threats with mostly benign things like pbrushing a hitler mustache on Bush before the real bad guys, the ones who have similar high levels of expertise [though in bombs], figure out the holes. High five, 31337-speakers.
Always the same source (Score:2)
How does SSL prevent phishing? (Score:3, Informative)
All-or-nothing sucks (Score:3, Insightful)
But if they do that, then a whole bunch of certs immediately become untrusted, because those certs only have one signature: Equifax.
OpenPGP is better. In a world ruled by OpenPGP instead of X.509, people would go into their databases and set their "how much I trust Equifax" to a lower setting. Then if someone's identity was only certified by Equifax, they'd start to look iffy, but if someone has been certified by many CAs (in addition to Equifax), they'd still look ok.
Re:All-or-nothing sucks (Score:3, Insightful)
Phishers have been using SSL since 2004 (Score:4, Interesting)
How to stop it (Score:3, Insightful)
1.An address comming from a domain name owned by target (i.e. bank etc)
2.An address comming from a domain name that looks like its owned by the target (e.g. www.paypalsupport.com)
or 3.Something totally unrelated to the bank
If everyone (both the pishing targets and the email providers) implemented GOOD SPF record checking, it should stop point 1
Point 2 can be stopped by enforcing the trademark and forcing the domain name to be handed over to the trademark owner (who can then enforce SPF on it)
It wont stop all phishing scams (i.e. those that come from or something like that) but it will certainly help.
Unfortunatly, even the biggest phishing targets like amazon, ebay, paypal etc dont implement proper SPF records that say "These machines are the only machines to send email for this domain" (they implement a default "permit all" and not a default "deny all" unfortunatly)
Also, banks need to actually implement better security, if banks had decent security, phishing would be useless.
Here is a security model that would be very difficult for a phisher to defeat:
You open the webpage of your bank and go to the login page. The banks computers then calculate a random number and store it along with the IP address that made the request. The login webpage displays a box for the username, a box for the password and another box for a hash. You enter the random number the bank computer generated into a little calculator like device that contains another random number generated by the bank and stored in the banks computers as well as the device. Then, the device uses a hash algorithim (one designed so that there is no value of that will result in an output value of or that if one exists, it is different for each value of ) to combine the login page number and the stored number.
The result is entered into the login page along with the username and password.
The bank then pulls the secret device number from its database and checks that the hash matches. Also, if the IP address of the machine making the requests to the banks webpages doesnt match with the IP stored alongside the session ID, it will assume its fake and terminate.
Now, when you want to transfer money to someone not on your "approved payee" list or add someone to your "approved payee" list, you get another random hash which you have to enter into the little calculator. To prevent the phisher from simply tricking you into typing this second hash in (i.e. transfering all your money to them instead of transfering the amount you wanted to transfer to who you wanted to transfer it to), you would have to enter the amount being transfered into the calculator device too with it being used as part of the hash.
Anyone who is dumb enough to press "Funds Transfer" then then doesnt deserve to be using a computer, much less the internet.
A big education campaign by the banks would help too For example, include a phamphlet with the next bank statement or other junk mail that gives a clear warning about phishing scams and to never ever trust any email pretending to be from the bank no matter what. Also it would tell you to change your password or contact your bank if you think you have been hacked or phished.
If the phamphlet said in big bold letters something like "Warning: Your money could be at risk from hackers, read this to find out how to prevent it" and was sent out to every bank customer (or every bank customer with online banking enabled on their account), people would probobly read it.
Removing the broken CA from Firefox 1.5 (Score:3, Informative)
- Open the preferences and go to "Advanced".
- Then click on "Security".
- Push the certificates button and then choose the "authorities" tab.
- Find equifax.
- Select all those entries.
- Push "edit", uncheck the checkboxes for each certificate.
Done, you no longer trust these folks.Geotrust hasn't revoked the phisher's cert yet (Score:5, Insightful)
Let's quote what Geotrust says about relying on certificates: [financialc...graphy.com]
GeoTrust's solution is that the browser should display ...
"The name and logo of the CA who issued the certificate. Consumers will soon learn from news reports which CAs to trust and which CAs use sloppy procedures and should not be trusted."
We should take Geotrust at their word. Now that we're certain that their procedures are sloppy and they can't be trusted, their certs should be pulled from all browers. New releases of Firefox should not contain root certs for Geotrust. They had their chance, and they blew it.
Netcraft Toolbar (Score:3, Informative)
All of your users/customers should have this installed...besides rating the risk of the site based on previous reports, it would also have shown how long the site was registered...which even on this phishing site was probably a matter of days...as a matter of fact, I can see this as a good feature to include within Firefox...whenever you view the SSL certificate, show the domain registration info...
Looking at some of the domain registration info [netcraft.com], it's obvious that including the DNS Admin, Organization, and Nameserver Organization, you would have easily identified a fake...
Even better yet, why not have a certification process for banks and such that could opt to have their ISP verify their identity...then when you visit their SSL site, your browser could display the verification info beside the "security lock"...
Of course, if you want to change the way the "Security Lock" works in browsers, in the US you could set something up with the FDIC that would use a DNS lookup similar to the way DNS Block Lists operate...only this one would tell you if the site was a valid banking site...I guess the "Lock" could change to a "$" or something if it was verified as a banking site...web sites could simply request the check in some way (HTTP header or something)...the header value could represent the type of site (US Banking Site...check with FDIC...)
eBay Phishing Received This Weekend (Screenshots) (Score:3, Interesting)
Re:I SAW THIS ON DIGG DAYS AGO (Score:2)
Re:I SAW THIS ON DIGG DAYS AGO (Score:2)
Re:I SAW THIS ON DIGG DAYS AGO (Score:2)
you must be new here.