Internet and e-mail policy and practice
including Notes on Internet E-mail


2012
Months
Feb

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Internet


07 Feb 2012

Phish or Fair? Internet

It shouldn't be a big surprise to hear that phishing is a big problem for banks. Criminals send email pretending to be a bank, and set up web sites that look a lot like a bank. One reason that phishing is possible is that e-mail has no built in security, so that if a mail message comes in purporting to be from, say, accounts@bankofamerica.com, there's no easy way to tell whether the message is really from bankofamerica.com, or from a crook. Mail authentication schemes like DKIM and the new dmarc.org group use cryptographic signatures to help authenticate mail and prove that it really is from who it purports to be from. So, if the mail can authenticate the sender, the phishing problem goes away, right?

Unfortunately not. One huge problem is that even if you have all the crypto stuff so you can be 100% sure that a message really is from, say, BANK-AMERICA.COM, you don't know whether BANK-AMERICA.COM is actually your bank or not.

I've made a little game called Phish or Fair. It shows you a domain name, you guess whether it belongs to Bank of America. Try it out and see how you do.

Then see if you can figure out why a bank would use over a thousand different domains. My example here is Bank of America, but they're no worse than other big banks; I picked them because their name is easy to search for.

If banks were serious about phishing, they'd pick one name, one domain, and use that consistently. But they don't.

PS: BANK-AMERICA.COM belongs to some guy in France.


posted at: 02:36 :: permanent link to this entry :: 1 comments
posted at: 02:36 :: permanent link to this entry :: 1 comments

comments...        (Jump to the end to add your own comment)

2012 Christian Louboutin
That is why more and more style-savvy women have chosen the kind of shoes http://www.vougeredbottomshoes.com/ red sole shoes .

(by Christian Louboutin 24 May 2012 08:04)


Add your comment...

Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.

 
Name:
Email: you@wherever (required, for confirmation)
Title: (optional)
Comments:
Show my Email address
Save my Name and Email for next time

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
It turns out you don’t need a license to hunt for spam.
5 days ago

A keen grasp of the obvious
Italian Apple Cake
563 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.