12 Jun 2005
For those who've been living in an e-mail-free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. Early bank phishes were pretty clumsy, but the crooks have gotten better at it, and current phishes can look very authentic. See this archive of recent phishes at antiphishing.org for some examples.
A very common trick is the fake link, in which the link you think you're clicking on isn't the one you're really clicking on, like this:
The link looks like it's to bigbank.com, but really it's to a fake web site at badguy.com.
Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of the links in its mail are to its own domain, e.g., if the sender is bigbank.com, all of the links have to be to bigbank.com or maybe www.bigbank.com. Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. Signature schemes wouldn't need any changes other than for the software that signs the mail to check the mail first and not sign it if it contains nasty stuff.
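The two checks described above, the fake link whose visible text and real target differ, and the proposed rule that every link in a sender's mail must stay within the sender's own domain, as an added example in Python. This is not the post's code; the sample message, the bigbank.com and badguy.com names, and the function names are constructed for illustration.

```python
"""Added example: check the links in an HTML mail body against the From: domain.
The message and all names below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (so www.bigbank.com
    passes for bigbank.com, but bigbank.com.badguy.com does not)."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def displayed_host(text):
    """If the visible link text looks like a URL or bare hostname, return its host;
    plain words such as 'click here' give ''."""
    if " " in text or "." not in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def check_links(raw_message):
    """Return a list of findings for an RFC 822 message with a single HTML body.
    Check 1 is the policy the post describes: every href must point into the
    From: domain. Check 2 is the fake-link test: when the visible text is itself
    a URL or hostname, its host must match where the href really goes."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not in_domain(target, sender_domain):
            findings.append(f"link to {target} is outside sender domain {sender_domain}")
        shown = displayed_host(text)
        if shown and shown != target:
            findings.append(f"visible text shows {shown} but href goes to {target}")
    return findings


# Constructed sample: the first link is the classic fake link, the second is clean.
SAMPLE = """From: BigBank Alerts <alerts@bigbank.com>
To: customer@example.com
Subject: Please confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="https://badguy.com/bigbank/login">https://www.bigbank.com/login</a>
to confirm your account.</p>
<p>Or visit <a href="https://www.bigbank.com/help">our help page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE):
        print(finding)
```

A signing gateway of the kind the post mentions would run a check like `check_links` before signing and refuse to sign when it returns any findings; the same check is equally usable on the receiving side as a phishing heuristic, where the fake-link test needs no sender policy at all.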
The hardest part of implementing this is for the banks to adjust the way that they send their mail. I get a fair amount of bank mail: notices that a credit card bill is available, confirmations that I've made a change to an account, or alerts that a deposit account has gone above or below a specified amount. Remarkably few of those messages come from anywhere you might recognize. More often than not they come from a service bureau that handles the function for the bank, not from the bank itself. (I passed some of these messages around to experienced spam-fighting friends, most of whom couldn't tell whether they were real. I'll post some of them here shortly.)
So the question is, is it worth the effort to make all of the senders and URLs match up? At this point, my feeling is probably not. If we're going to use message signatures, it doesn't matter what's in the message so long as you trust the signer.
© 2005-2018 John R. Levine.