Dear RIPE: Please don't encourage phishing

Vinny Abello vinny at abellohome.net
Sun Feb 12 19:49:12 UTC 2012


On 2/12/2012 1:19 PM, Rich Kulawiec wrote:
> On Sun, Feb 12, 2012 at 04:44:13AM -0500, Vinny Abello wrote:
>> All recent email clients I've come across give you anti-phishing 
>> warnings in one way or another if the URL does not match the
>> actual link.
> 
> Which is great, but doesn't help you if the URL and the link are:
> 
> http://firstnationalbank.example.com
> 
> because a significant number of users will only see
> "firstnationalbank" and ".com".
> 
> That's why I recommend that banks et al. don't put *any* URLs in
> their messages.  If they make this an explicit policy and pound it
> into the heads of their customers that ANY message containing a URL
> is not from them, and that they should always use their bookmarks
> to get to the bank's site, then they're training their customers to
> be phish-resistant.

Yes, very true. I unfortunately see average people fall for these
types of things all the time. Ultimately, the issue is getting the end
user educated. However, I've also seen users get a message drilled
into their heads for 10 years that an email admin will never ask for
their passwords, yet they eagerly give them away to some random
scammer that says they need their password or their account will be
shut off, signed by "the email team"... and suddenly their email
account is spewing spam from random IP addresses all over the net.
<sigh> The weakest link is ultimately the person behind the device.
We're attempting to make technology fix stupid, which is often harder
for the people designing the technology. They would never think
sticking their hand down a garbage disposal is a good idea, but there
are people out there that do this. :( Likewise, a person wouldn't
click on a link if it's blatantly obvious the link doesn't point to
the real web site, right? :) Obviously no. To be very effective,
security design needs to assume the biggest threat to the security of
anything is the person on the good side of the fence who will open the
gate.

Lately, I get calls on a weekly basis from people trying to steal my
credit card from me. If I have time I like to have fun with them,
eating up their time so they have less of it to scam people who don't
know any better. (Look on YouTube for people doing this. It's
hilarious). These scammers have been around for at least 5 years or
longer and nobody has yet fixed this problem, which is also
astounding. As a result, customers who don't recognize the scam get
their credit card whacked with random charges because they didn't
think anything was wrong with giving away their credit card info and
social security number to a random stranger who calls them and claims
to be able to lower their interest rate. So at the same time making
people aware the real emails will not contain links, banks should be
doing a better job telling people not to give away their credit card
info to anyone in a situation similar to this. It should be better
handled by all banks and companies in general as a global security
education process. I don't believe it should be limited just to email
or Internet related usage of the bank or company's resources.

I'm probably not giving people enough credit, but social engineering
is likely the most effective hacking technique that exists because it
targets the weakest link and often works. That's currently the easiest
thing to target because security has improved so much over the years
on the technological end. I'm not sure about others, but the most
prevalent security threats I see today are vastly different than the
ones from ten to fifteen years prior.

-Vinny
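The two link checks argued over above, link text naming a different host than the href and a bank's name used as a subdomain of some other registrable domain, are easy to express as a defender-side filter. The following is an added example, not code from the thread or from any mail client: the HTML snippet, the brand list and the tiny suffix set are constructed, and that suffix set is a stand-in for the real Public Suffix List.

```python
"""Flag anchors in an HTML message whose visible text or hostname would
mislead a reader, the way the thread describes.

Two findings are produced per link:
  text_host_mismatch - the visible text names a host, and its registrable
                       domain differs from the href's registrable domain
  brand_as_subdomain - a protected brand label appears in the href host,
                       but the href's registrable domain is not the brand's
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List (assumption: real code
# would load the full list, which is far longer than this).
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed list of registrable domains the filter protects.
BRANDS = ["firstnationalbank.com"]

# A hostname-looking token, with or without a scheme, inside free text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Return the public suffix plus one label, i.e. what the owner actually
    controls: 'firstnationalbank.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    # Longest suffix first so 'co.uk' wins over 'uk'.
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def host_in_text(text: str):
    """Hostname named in visible link text, or None if there is none."""
    match = HOST_RE.search(text)
    return match.group(1).lower() if match else None


def check_link(href: str, text: str, brands) -> list:
    """Findings for one anchor; an href without a host (mailto:) yields none."""
    href_host = urlparse(href).hostname
    if href_host is None:
        return []
    href_reg = registrable_domain(href_host)
    findings = []
    text_host = host_in_text(text)
    if text_host and registrable_domain(text_host) != href_reg:
        findings.append("text_host_mismatch")
    labels = set(href_host.lower().split("."))
    for brand in brands:
        brand_label = brand.split(".")[0]
        if brand_label in labels and href_reg != brand:
            findings.append("brand_as_subdomain")
            break
    return findings


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html: str, brands) -> list:
    """Return [(href, text, findings), ...] for every anchor in the message."""
    collector = AnchorCollector()
    collector.feed(html)
    return [(h, t, check_link(h, t, brands)) for h, t in collector.links]


# Constructed sample message: one lure, one legitimate link, one lure whose
# visible text honestly shows the misleading host from the thread.
SAMPLE_EMAIL = """
<p>Your statement is ready. Please <a href="http://firstnationalbank.example.com/login">log in at http://www.firstnationalbank.com</a>.</p>
<p>Questions? Visit <a href="https://www.firstnationalbank.com/help">our help page</a>.</p>
<p>Or see <a href="http://firstnationalbank.example.com/">firstnationalbank.example.com</a>.</p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_EMAIL, BRANDS):
        print(f"{href!r:50} text={text!r:45} -> {findings}")
```

The third link shows why the mismatch warning Vinny describes is not enough on its own: text and href agree, so a client raises no warning, yet the registrable domain is still example.com, which is exactly the case the brand_as_subdomain check exists for.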