Click the comments link on any story to see comments or add your own.
Subscribe to this blog
05 Jun 2009
Phishing, the theft of personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites.
In the physical world, banks have marble counters, vaults with heavy steel doors, and other physical objects that are hard to fake. A building that looks like a bank probably is a bank. But on the internet, any random $2/month web host or botted PC can host a web site that looks exactly like a real bank's web site, and can send spam that looks exactly like a real bank's e-mail. Given that the number of phishers and botted PCs greatly exceeds the number of real banks, it's not surprising that the bad stuff pops up faster than we can swat it.
For the past two years, web browsers have supported "green bar" SSL certificates, which are in effect an assertion by whoever sold the SSL certificate that they have verified that certificate holder really is who they say they are. (This increased level of scrutiny is actually about the same as all certificate vendors originally required, but that horse left the barn some time ago.) If we can train users to look for a green bar and distrust web sites without them, it might help them avoid being phished. In effect the green bar is a brand for a legitimate web site.
The green bar is only practical because there is a cartel of SSL vendors who all agreed to add green bar certs with the same rules and approximately the same price. What can we do where there isn't a cartel, like e-mail?
My advice would be to allow multiple brands. As a concrete example, Vouch by Reference (RFC 5518) provides a way for an organization to list the domains whose signed mail they certify. The current version of VBR only describes the way to determine whether a message is certified, but it would not be hard to extend it so that each certifying organization could publish a logo image that a mail program could display in a hard-to-forge way, e.g., in a reserved part of the mail window. Since the VBR info is displayed by the mail program, not part of the message, it should be possible to make it impactical for bad guys to fake.
Our standard example is that the FDIC, the government agency that insures banks in the US, could publish VBR records for the domains of of its member banks. Then if the banks sign their mail and use VBR, a mail program that checked the FDIC's VBR list could display the familiar FDIC logo when the message appears. Other phish targets could similarly band together to have a trade association or regulator vouch for them. Just as web browsers come configured with a modest sized list of trustworthy green bar signers, mail programs would need a list of credible VBR certifiers, but the extra level of grouping that VBR provides would make the list manageable, e.g., one entry for all the banks in each country, rather than one entry per bank.
To make this effective, consumers will also need to remember to look for the logo, but brand marketing is a standard business practice, particularly when it can piggyback on a brand like the FDIC's that's already well known in the offline world.
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.