Phishing and BGP Blackholing

Florian Weimer fw at
Wed Jan 3 14:35:30 UTC 2007

* Neil J. McRae:

> I didn't see the original post but the topic came
> up in 2005 here in the UK as the banks here wanted to
> use BGP filtering in the same light. The LINX prepared
> a paper on the issues with BGP blackholing and recommended
> that if the banks want to trade on the Internet that
> they should introduce authentication systems that are fit
> for purpose (SecurID for example (many banks had already
> done this)).

Banks have deployed much more secure systems than SecurID, and there
have been successful attacks against them.

SecurID might be helpful if you want to differentiate your product
between automatic and manual use, but it doesn't do anything to
authenticate the party you are relaying information to.  But it's
useless in a phishing context.  If you want a token solution, at least
use something that factors in transaction-related data.
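
Added example, not part of the original message: a verifier-side comparison of a clock-only token code with a code that factors in transaction-related data, as the closing sentence of the message recommends. The key, account labels, amounts and function names are constructed for illustration, and the clock-only code is a generic HMAC construction with RFC 4226 truncation, not any vendor's algorithm.

```python
import hashlib
import hmac
import struct

DIGITS = 8                      # length of the code shown to the user
KEY = b"constructed-demo-key"   # constructed secret shared by token and bank

def _truncate(mac):
    # RFC 4226 dynamic truncation: pick 31 bits, reduce to a decimal code.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def time_code(key, now, step=60):
    """Clock-only code: depends on the key and the time window, nothing else."""
    return _truncate(hmac.new(key, struct.pack(">Q", now // step),
                              hashlib.sha1).digest())

def transaction_code(key, now, payee, amount_cents, step=60):
    """Code bound to the payee and amount the user sees on the token."""
    msg = (struct.pack(">Q", now // step) + payee.encode() + b"\x00"
           + str(amount_cents).encode())
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def verify_time_code(key, now, code, payee, amount_cents):
    # payee and amount_cents are not covered by the code, so whatever
    # transaction arrives with a fresh code passes this check.
    return hmac.compare_digest(code, time_code(key, now, 60))

def verify_transaction_code(key, now, code, payee, amount_cents):
    # The bank recomputes the code over the transaction it actually received.
    expected = transaction_code(key, now, payee, amount_cents)
    return hmac.compare_digest(code, expected)

if __name__ == "__main__":
    now = 1167834930                       # constructed timestamp
    intended = ("ACCT-INTENDED", 5000)     # what the customer approved
    received = ("ACCT-OTHER", 900000)      # what reached the bank via a relay
    c = time_code(KEY, now)
    t = transaction_code(KEY, now, *intended)
    print("clock-only, intended:", verify_time_code(KEY, now, c, *intended))
    print("clock-only, altered: ", verify_time_code(KEY, now, c, *received))
    print("bound, intended:     ", verify_transaction_code(KEY, now, t, *intended))
    print("bound, altered:      ", verify_transaction_code(KEY, now, t, *received))
```
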
