Phishing (Was Re: WashingtonPost computer security stories)

Sean Donelan sean at donelan.com
Tue Aug 17 06:37:05 UTC 2004


> I'm thinking that Citibank will cease to be a target if they give (ok,
> it's a bank - sell) their subscribers a hardware token that requires
> presence of the ATM card when the customer wants to use online banking
> facilities... as several banks here in the Netherlands do.

This is a social engineering attack.  As long as you can convince the user
to cooperate, you can subvert technological counter-measures.  When you
add the ability to subvert the communication device (computer, telephone,
etc.) it gets even more interesting.  The scam may even occur in multiple
parts using different forms of communication (email, web, fax, phone,
mail) for different parts of the scam.

Yes, it is possible to subvert smartcards, one-time hardware tokens
(SecurID), biometrics, etc.  They are not just academic attacks;
they have been successfully attacked in the wild.  Brute force isn't
needed when you can subvert other parts of the system, which includes
the human.

Scams also use other media.  Here is an example:
http://www.fincen.gov/stoporder.pdf

More information about the NANOG mailing list