Phishing Steals Spotlight at MIT Spam Conference

Hi Ronjor-

I used to laugh at the stuff people fall for. Scams, phishing, for god's sake the old classic shell game - I'm serious: One early morning in front of a 7-11 a man with a big roll of cash show me how he had some little ball under one of three cups and why don't I bet some money that I can say which one. It looked so easy. Then I looked at the roll of money and said, you didn't get that by loosing a whole lot, and quickly departed.

Now I have to admit...I don't know anymore. I've taken tests where I was supposed to identify the legit or other. I did not do very well.

Now for three times, ebay has sent me emails that i should do something to confirm my password change. I would say thats stupid because they already have it, but it does seem to go to their site. So I ask myself why. All I can come up with is that this is for some unimportant feature I allegedly signed up for (token display updating - or some dumb thing I have no use for). Sure I signed up for it---in that it was probably there with 6 pages of services that were being provided. Obviously if they check they know I dont use it. If I do use it they can update with my password since they have it.

No, they just want to suck me in to a site were I will get more loosing propositions thrown at me. But....what they don't realize is that they are contributing to the lack of trust that they probably complain about not having.

It's no wonder I don't trust them. They ask me for a password they already have so they can update a service I don't use. Drop the slimeball tricks, and present clear, straighforward communications which call for responses only when they are needed would help, don't you think?

I have less than no sympathy for financial institutions. They are courting desaster and the day will come.

-HandsOff

P.S. - aside from the rant, you'd think it would be possible for one computer to confirm its identity to another, wouldn't you? Really, what are we waiting for? If they are able to come up with a way to send me a plastic card and a PIN for it, which would enable the holder to get untold fantastic amounts of cash from atms, why cant they deliver an encrytion key, or something the same (or better) way?

 

As long as people keep clicking on everything they see appear on their computer this problem won't go away, and no technical solution can prevent this.

It maybe possible to sniff these scamsites out but who is going to take them down when the servers are located in some obscure country where you don't have any jurisdiction?

regards
Lamehand

 

Lamehand-

Since that is never going to change, I think the only possible approach is for institutions to establish better procedures. Is anyone trying to say that it can't be done? Am I supposed to feel bad for an industry because the average user has a average level of competancy? What do they expect?


-HandsOff

 

Email has always been insecure and businesses have typically added monster disclaimers to make the point. However the linked article above does make one disputable statement - spam filters should be able to detect phishing quite easily (once trained) since such emails increasingly rely on HTML/Javascript tricks to hide their actual URLs. These techniques are also appearing in mainstream spam - presumably by spammers wishing to avoid ne'er do wells hitting their sites with SpamVampire...

Also the article fails to mention Antiphishing.org which provides a wealth of information as well as tracking current phishing attempts - begging the question of how much research was put into it.

 

Apropos of "internet fatigue".
There seems to be an interesting swing back towards print media in Oz.

Despite big advertising push to the web for online classifieds and sales etc, the most favoured classified ads provider in print media in Australia, the Sydney Morning Herald, has experienced a huge swing up in sales in the last survey.

Some pundits here have suggested that many users of these classified services which are available on-line, are reluctant to get targeted by scammers if they use the web based services.

What's easier for us here: Get a good computer, learn how, get internet access pay up to 4x more for 1/4 speed than services in other countries, get hundreds of spammers, get ripped off on e-bay scams, get protected, learn again from ground up after malware attack and porn-popups, have h'ware or software pfaff-up, spend $$$ and hours: :

OR

go and buy a paper have a nice coffee and a couple of ciggies on Satiday morning after dumping the tin lids ( i mean arranging responsible care ), browse without fear and make a few phone calls.

??

LOL. Guess it depends on how you sell it!
I'll probably never be invited to speak at MIT !!

 

Well, I dragged my feet for quite some time before installing T-Bird with its built in spam filter. I was enthusiastic when at first I would get the message saying "...thinks this is spam", "...thinks this could be a phishing scam". Well now, days and weeks later, Not Once, has it ever said this about something that was spam! Still, I am probably getting less spam, so perhaps it only asks on the very borderline cases. Even so...

I share your doubts about the research...or possibly the researcher. I had hoped to see some "news I could use". I've always assumed that it would not be that hard for financial institutions to authenticate there messages. I think I hinted at why not bite the bullet and establish dual key encryption, possibly with keys physically delivered. (not knowing much about it, and knowing that our so-called secured connections aren't that secure, I am even reluctant to consider traffic to my server to be secure). I'd rather take a few extra steps than find out later I should have.


-HandsOff