Internet and e-mail policy and practice
including Notes on Internet E-mail



05 Jun 2009

Fight phishing with branding

Phishing, the theft of personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites.

In the physical world, banks have marble counters, vaults with heavy steel doors, and other physical objects that are hard to fake. A building that looks like a bank probably is a bank. But on the internet, any random $2/month web host or botted PC can host a web site that looks exactly like a real bank's web site, and can send spam that looks exactly like a real bank's e-mail. Given that the number of phishers and botted PCs greatly exceeds the number of real banks, it's not surprising that the bad stuff pops up faster than we can swat it.

For the past two years, web browsers have supported "green bar" SSL certificates, which are in effect an assertion by whoever sold the SSL certificate that they have verified that the certificate holder really is who they say they are. (This increased level of scrutiny is actually about the same as all certificate vendors originally required, but that horse left the barn some time ago.) If we can train users to look for a green bar and distrust web sites without one, it might help them avoid being phished. In effect the green bar is a brand for a legitimate web site.

The green bar is only practical because there is a cartel of SSL vendors who all agreed to add green bar certs with the same rules and approximately the same price. What can we do where there isn't a cartel, like e-mail?

My advice would be to allow multiple brands. As a concrete example, Vouch by Reference (RFC 5518) provides a way for an organization to list the domains whose signed mail it certifies. The current version of VBR only describes the way to determine whether a message is certified, but it would not be hard to extend it so that each certifying organization could publish a logo image that a mail program could display in a hard-to-forge way, e.g., in a reserved part of the mail window. Since the VBR info is displayed by the mail program and is not part of the message, it should be possible to make it impractical for bad guys to fake.

Our standard example is that the FDIC, the government agency that insures banks in the US, could publish VBR records for the domains of its member banks. Then if the banks sign their mail and use VBR, a mail program that checked the FDIC's VBR list could display the familiar FDIC logo when the message appears. Other phish targets could similarly band together to have a trade association or regulator vouch for them. Just as web browsers come configured with a modest-sized list of trustworthy green bar signers, mail programs would need a list of credible VBR certifiers, but the extra level of grouping that VBR provides would make the list manageable, e.g., one entry for all the banks in each country, rather than one entry per bank.
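As an added example, not part of the original post and not code from any VBR implementation: the checks a mail program would run before showing a certifier's logo, following RFC 5518 for the VBR-Info header tags and the `<domain>._vouch.<certifier>` TXT lookup. The FDIC scenario is constructed data: the certifier hostname, sender domains and logo file are placeholders, DNS is replaced by an in-memory table, and the logo field is the post's proposed extension rather than anything the RFC defines.

```python
import re

# Constructed TXT records standing in for DNS. RFC 5518 puts the vouching
# record at <sender-domain>._vouch.<certifier>; its content is a space-
# separated list of vouched message types ("transaction", "list", "all").
FAKE_DNS = {
    "bank.example._vouch.vouch.fdic-example.test": "transaction",
    "newsletter.example._vouch.vouch.fdic-example.test": "list",
}

# Certifiers this MUA is configured to trust, mapped to the logo it would
# show (hypothetical extension: VBR itself carries no logo information).
TRUSTED_CERTIFIERS = {"vouch.fdic-example.test": "fdic-logo.png"}


def parse_vbr_info(header):
    """Split 'md=...; mc=...; mv=...' into a dict of lower-cased tag names."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def vbr_logo(header, authenticated_domain, dns=FAKE_DNS):
    """Return the logo file to display, or None if nothing may be shown.

    authenticated_domain is the domain that DKIM (or SPF) already verified
    for this message; VBR only has meaning on top of such authentication.
    """
    tags = parse_vbr_info(header)
    if not all(k in tags for k in ("md", "mc", "mv")):
        return None
    # The vouched domain (md) must be the one actually authenticated,
    # otherwise a forged header could name any bank it liked.
    if tags["md"].lower() != authenticated_domain.lower():
        return None
    # mv is a colon-separated list of vouching hosts chosen by the sender;
    # consult only those the MUA already trusts.
    for certifier in re.split(r"[:\s]+", tags["mv"]):
        if certifier not in TRUSTED_CERTIFIERS:
            continue
        record = dns.get(f"{tags['md'].lower()}._vouch.{certifier}")
        if record is None:
            continue
        vouched_types = record.lower().split()
        if "all" in vouched_types or tags["mc"].lower() in vouched_types:
            return TRUSTED_CERTIFIERS[certifier]
    return None
```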

To make this effective, consumers will also need to remember to look for the logo, but brand marketing is a standard business practice, particularly when it can piggyback on a brand like the FDIC's that's already well known in the offline world.

posted at: 08:10 :: permanent link to this entry :: 3 comments

Comments

How does the user tell the difference between fake branding and legitimate branding? The Visa and Mastercard extra verification schemes are essentially based on extra branding = extra assurance. However they use techniques like iframes that make the extra verification forms indistinguishable from phishing attacks. In particular they bypass the browser's secure UI features such as the green URL bar.

(by Tony Finch 04 Jun 2009 22:03)

In line vs. out of line
The Visa and MC schemes are retrofitted into web sites rather than into the application, and you're right, they're still easy to spoof. The point of using VBR is that it depends on information outside the message, and the logo is displayed by the MUA outside the message.

(by John Levine 05 Jun 2009 04:43)

Goodmail killer?
If this took off, it would seem to render Goodmail's present business model obsolete.

(by Steve Webster 05 Jun 2009 11:31)

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.