drowning the phish

 
 
anthonyberet
      06-11-2005
Very simple and interesting idea here:
http://www.pbs.org/cringely/pulpit/pulpit20050602.html

Full text :

The Best Way to Stop These Scams Is by Drowning the Phish

By Robert X. Cringely

I was interviewed for a few seconds this week on CNN as part of their
25th birthday celebration for the network. My qualification for being
interviewed appears to be the fact that I was alive in 1980 and remember
fleeting patches of it. A camera crew came to our house to shoot the
interview, and my son Channing, who was minus 22 in 1980, was very
impressed -- so impressed that he proposed that he, rather than me, be
interviewed. He had something to say to America.

"Help me!" he told the camera.

Channing isn't the only one who needs help. I wondered last week why we
never hear of criminals being convicted of phishing -- inducing us to go
to bogus web sites and give over enough financial details to loot our
bank accounts or steal our identities. Well, I was wrong, it turns out:
A phisher was convicted last year in Texas and another was convicted in
2003 in Virginia.

Feel safer now?

Here is a crime that touches every person who reads this column, yet we
can find only TWO convictions? That qualifies phishing as a growth industry.

Phishing is something I don't think can be left to the professionals.
PayPal, eBay, your bank and mine don't really have the ability to stop
this crime, so that leaves it up to the victims to do something to stop
it. That's us, baby.

Talking with some professional phish-hunters, it looks like the general
trend to solving this problem will be through the simple expedient of
eliminating e-mail entirely from our relationships with these
organizations. Of course, this has the equal effect of drawing us
tighter into our commercial relationships. If I'm comfortable with eBay,
for example, because eBay moves all its communications off e-mail, well
then I'll be less likely to do business with another auction site.
Clever, eh? Here's how it was described to me by a cyber law enforcement
person:

"What does eBay do, exactly? The company does what any corporation does:
passes on all the information to relevant legal authorities. What more
can eBay do? They rely on the law to take action, just as you do if you
are ever a victim of a crime, which I hope never happens to you."

"The trouble is, people expect eBay Customer Support to slap on a badge,
go to the guy's house in the US, and arrest the bad guy. People are very
poorly educated about spoof messages, on average, and much less educated
on proxy servers, IP masking, hijacked websites and how it is that the
guy they thought was in Chicago is actually in Russia, Romania, Italy,
the UK, Indonesia, Nigeria, whatever."

"The solution is not what (Max Levchin) mentioned, the solution for
corporations is to move messaging off email and onto an internal system.
eBay has My Messages to do this. By moving messages off of email, it
becomes much harder for scammers to do what is otherwise an easy task
because email is inherently insecure: send spoof messages."

"The second part of the solution is mass education by corporations, and
word-of-mouth, once those internal messaging systems are in place.
People sign into their accounts and get their priority messages. The
only email they need to receive, then, is a plain-text email with no
links that instructs them to sign onto any given account and check their
messages on that company's trusted website."

"This solution is much more effective than relying on members/users to
report spoof websites. It is not enough for companies to rely on
customers to report spoofing activity, companies have to introduce a new
paradigm that is spoof-resistant."

Well, maybe.

I'm not so impressed by professional law enforcement. While they may do
a fair job of deterring and minimizing endemic physical crimes, there
are severe problems with this law enforcement model when applied to the
Internet. There is the simple matter of numbers: The bad guys outnumber
the cybercops by probably 1,000-to-1. Law enforcement also is, by
definition, reactive and that reaction can be a LONG time in coming. The
cops' loyalty is toward society rather than the individual, so
retrieving MY lost stuff or identity is less important than discouraging
criminals from doing further damage to others. And, finally, law
enforcement relies on crime and criminals for its very existence, which
sure looks like a symbiotic relationship to me. No wonder they don't
enlist our help in any truly constructive way.

Of course, there has to be a better answer to this problem, and five
readers in the past week have suggested it. Forget Max Levchin's idea of
using bounties. But let's embrace what was at the essence of Max's idea,
which is enlisting millions of Internet users in the cause.

If the bad guys out-number the cops by 1,000-to-1, Internet users must
outnumber the bad guys by 100,000-to-1 or more.

Fear of punishment won't deter phishing, yet that's all traditional law
enforcement has to offer. It's fear of UNPROFITABILITY that will finally
work.

The simple way to kill phishing is by making it harder for the phisher
to make money from it. Right now, a phisher sends out a million e-mails
and gets back 100 replies that yield positive data. There is almost no
effort involved in sending out the e-mails after the first one, and the
quality of the return data is very high. No wonder this is such a
popular business!

Let's change that. If you get phishing e-mail, go the web sites and
enter false data. Make up everything -- name, sign-on name, password,
credit card numbers, everything. Instead of one million messages
yielding 100 good replies, now the phisher will have one million
messages yielding 100,000 replies of which 100 are good, but WHICH 100?

This technique kills phishing two ways. It certainly increases the
phishing labor requirement by about 10,000X. But even more importantly,
if banks and e-commerce sites limit the number of failed sign-on
attempts from a single IP address to, say, 10 per day, theft as an
outcome of phishing becomes close to impossible.

No bounties are required, no cops, no parallel webmail systems that
force us to log-in to e-commerce sites when they tell us to. Phishing
just becomes a very unprofitable business, which it should be.

Are you in?
 
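The column's second mechanism, capping failed sign-on attempts per source IP so that harvested credentials cannot be tried in bulk, is easy to sketch. The following is an added illustration and is not code from the column or from any of the sites it names; the addresses are documentation-range values I constructed, and the default limit of 10 per day is the figure the column suggests.

```python
"""Per-source-IP failed sign-on limiter (added example, not from the column).

A sliding 24-hour window is used rather than a calendar day so that an
attacker cannot simply wait for midnight to get a fresh allowance.
"""
from collections import defaultdict, deque

DAY_SECONDS = 24 * 60 * 60


class FailedLoginLimiter:
    """Counts failed sign-ons per source IP inside a sliding window.

    Once an IP has `limit` failures inside the last `window` seconds, every
    further sign-on attempt from it is refused, successful credentials
    included, until old failures age out of the window.
    """

    def __init__(self, limit=10, window=DAY_SECONDS):
        self.limit = limit
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        """Drop failure timestamps that have fallen out of the window."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip]) >= self.limit

    def record_attempt(self, ip, success, now):
        """Outcome of one sign-on attempt: 'allowed', 'failed' or 'blocked'."""
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            return "allowed"
        self._failures[ip].append(now)
        return "failed"


def replay(events, limit=10, window=DAY_SECONDS):
    """Feed (timestamp, ip, success) events through a limiter; return outcomes."""
    limiter = FailedLoginLimiter(limit, window)
    return [limiter.record_attempt(ip, ok, t) for t, ip, ok in events]


# Constructed sample: one source trying a pile of harvested (mostly bogus)
# credentials at one per minute, and an unrelated legitimate user.
SAMPLE_EVENTS = (
    [(t, "198.51.100.7", False) for t in range(0, 12 * 60, 60)]  # 12 failures
    + [(13 * 60, "198.51.100.7", True)]   # the one real pair arrives too late
    + [(14 * 60, "203.0.113.9", True)]    # other user is unaffected
    + [(DAY_SECONDS + 15 * 60, "198.51.100.7", False)]  # next day: window aged out
)

if __name__ == "__main__":
    for (t, ip, ok), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={t:>6} {ip:<14} success={ok!s:<5} -> {outcome}")
```

Keying on source IP is the weak point: many customers sit behind one NAT or proxy address, so a low cap also locks out innocent users, and, as the law-enforcement quote above notes, the person doing the trying may come through proxies anyway. In practice the same counter is usually kept per account as well, and the block is surfaced to the customer rather than silently applied.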
 
 
 
 
Rôgêr
      06-11-2005
anthonyberet wrote:

> Are you in?


So I'm to sit down and spend my time filling out false information on
forms day in and day out to cover up the phishers with bad data? It's
pure wishful thinking that a million internet users are going to band
together and put the phishers out of business.
 
 
 
 
 
cnw
      06-11-2005
begin anthonyberet <(E-Mail Removed)> wrote:

> Very simple and interesting idea here:
> http://www.pbs.org/cringely/pulpit/pulpit20050602.html
>
> Full text :

[snip]

> Let's change that. If you get phishing e-mail, go the web sites and
> enter false data. Make up everything -- name, sign-on name, password,
> credit card numbers, everything. Instead of one million messages
> yielding 100 good replies, now the phisher will have one million
> messages yielding 100,000 replies of which 100 are good, but WHICH 100?
>
> This technique kills phishing two ways. It certainly increases the
> phishing labor requirement by about 10,000X. But even more importantly,
> if banks and e-commerce sites limit the number of failed sign-on
> attempts from a single IP address to, say, 10 per day, theft as an
> outcome of phishing becomes close to impossible.


I agree it would be good to provide false data to these criminals. Hell, I
get enough of this **** in my mailbox to kind of like the idea.

However, this approach suffers from at least two flaws that I can think of.
Firstly, credit card numbers have check digits acting as a simple form of
validation. If this form of revenge started to become widespread, all the
scammers would have to do would be to use this validation check (if they
don't already), and discard all non-validated numbers.

The answer here would be to only provide validated numbers. This is
possible, of course, but hardly likely to happen. Most people would find it
far easier to simply delete the mail.

Which brings me to the second flaw, already mentioned elsewhere in this
thread: People will simply not be bothered to enter all this information,
particularly for each and every one of these messages. Now if this part of
the process could be automated...

For now I think I'll continue to report this junk by forwarding the messages
(including headers) to spoof <at> ebay.com or spoof <at> paypal.com, etc.

Neil.
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
 
 
Joel Rubin
      06-11-2005
On Sat, 11 Jun 2005 19:59:15 +0100, cnw <(E-Mail Removed)> wrote:

>However, this approach suffers from at least two flaws that I can think of.
>Firstly, credit card numbers have check digits acting as a simple form of
>validation. If this form of revenge started to become widespread, all the
>scammers would have to do would be to use this validation check (if they
>don't already), and discard all non-validated numbers.


It's easy enough to get the checksum to work if you want. There are
plenty of number checkers around and if you have a bad checksum just
change one of the numbers that is only counted once to fix it.
(Checksums involve adding in alternate digits once and twice.)

Of course, you could try posting gobs of sh*t to the form page. In
most cases, the form page doesn't do any checking and emails to a web
account. I guess this is a bit like mailbombing 419ers except that you
don't know the address unless the website is badly configured.

What would be really nice would be to post trojan credit card numbers.
(Credit card numbers which are on some sort of police watch list.)
Maybe some of the credit card companies and or banks could start doing
this.




 
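The check digit cnw and Joel Rubin are discussing is the Luhn algorithm: reading from the right, every second digit is doubled (with 9 subtracted when the result exceeds 9), the others are counted once, and the total must be a multiple of 10. The following is an added example and is not code from either poster; it validates a number, computes the check digit for a partial one, and filters a list of submissions the way cnw says a form could. The sample number 4111 1111 1111 1111 is the well-known test value used in payment sandboxes, not an issued card, and the other numbers are constructed.

```python
"""Luhn check-digit validation (added example, not from the thread)."""


def luhn_checksum(digits: str) -> int:
    """Luhn-weighted digit sum, reduced mod 10 (0 means the number passes).

    Starting from the rightmost digit, every second digit is doubled and
    reduced to a single digit by subtracting 9; the others count once.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_luhn_valid(number: str) -> bool:
    """True if the number (digits, optional spaces or dashes) passes Luhn."""
    stripped = number.replace(" ", "").replace("-", "")
    if len(stripped) < 2 or not stripped.isdigit():
        return False
    return luhn_checksum(stripped) == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that, appended to `partial`, makes it Luhn-valid."""
    if not partial.isdigit():
        raise ValueError("partial number must be all digits")
    # Appending a 0 shifts the weights into their final positions; the
    # check digit is whatever brings the weighted sum up to a multiple of 10.
    return str((10 - luhn_checksum(partial + "0")) % 10)


def filter_luhn_valid(submissions):
    """Keep only submissions whose card field passes the check digit."""
    return [s for s in submissions if is_luhn_valid(s)]


# Constructed sample of form submissions: one real-looking test number,
# one mistyped number, one with a valid check digit.
SAMPLE_SUBMISSIONS = [
    "4111 1111 1111 1111",  # passes
    "1234 5678 9012 3456",  # fails: weighted sum is 64
    "4539-1488-0343-6467",  # passes
    "4111 1111 1111 1112",  # fails: one digit off
]

if __name__ == "__main__":
    for s in SAMPLE_SUBMISSIONS:
        print(f"{s}: {'valid' if is_luhn_valid(s) else 'rejected'}")
    print("check digit for 411111111111111 ->", luhn_check_digit("411111111111111"))
```

Luhn is a typo detector, not proof that a card exists: a number that passes says nothing about whether it was ever issued, which is why legitimate forms use it only to catch keying errors before contacting the card network.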
 
dwacon
      06-12-2005

"anthonyberet" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> No bounties are required, no cops, no parallel webmail systems that force
> us to log-in to e-commerce sites when they tell us to. Phishing just
> becomes a very unprofitable business, which it should be.
>
> Are you in?



I think we should pull the troops from Iraq and have them go to the front
door of spammers and phishers and blast them with no fewer than 250 rounds
of high caliber ordinance.

Then confiscate all of their goods... their house (minus the parts with
bullet holes)... their car... their jewelry... their bank accounts.
Basically, what the DEA does to drug dealers. Take everything and put it in
a fund and use it to fund something socially conscious... like having
Haliburton provide lunches to underprivileged school kids...



--
Give Dad the BEST Father's Day Ever!
http://www.dwacon.com/holidays/fathers_day.html




---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 0523-8, 06/11/2005
Tested on: 6/11/2005 8:30:42 PM
avast! - copyright (c) 1988-2005 ALWIL Software.
http://www.avast.com



 
 
joevan
      06-12-2005
On Sat, 11 Jun 2005 20:30:38 -0400, "dwacon"
<(E-Mail Removed)> wrote:

>I think we should pull the troops from Iraq and have them go to the front
>door of spammers and phishers and blast them with no fewer than 250 rounds
>of high caliber ordinance.
>
>Then confiscate all of their goods... their house (minus the parts with
>bullet holes)... their car... their jewelry... their bank accounts.
>Basically, what the DEA does to drug dealers. Take everything and put it in
>a fund and use it to fund something socially conscious... like having
>Haliburton provide lunches to underprivileged school kids...

I like that, pull it off and you can be the next president.
I'll vote for you anyway.

--
"Politicians are like diapers. They should both be changed frequently
and for the same reason."
 
 
Robert de Brus
      06-12-2005
X-No-Archive: Yes

In news:(E-Mail Removed),
Rôgêr <(E-Mail Removed)> typed
|| anthonyberet wrote:
||
||| Are you in?
||
|| So I'm to sit down and spend my time filling out false information on
|| forms day in and day out to cover up the phishers with bad data? It's
|| pure wishful thinking that a million internet users are going to band
|| together and put the phishers out of business.

Not to mention all the extra useless packets of crap floating around,
slowing my internet connection, clogging up my ISP's mail server, etc.

The easiest way to not get caught by phishing exercises is to realise that
financial institutions simply don't request this information via email.


 
 
Blinky the Shark
      06-12-2005
dwacon wrote:

> I think we should pull the troops from Iraq and have them go to the front
> door of spammers and phishers and blast them with no fewer than 250 rounds
> of high caliber ordinance.


High caliber ordinance -- that's a large law, right?

--
Blinky Linux Registered User 297263
Killing all Usenet posts from Google Groups
Info: http://blinkynet.net/comp/uip5.html
*ALSO contains links for access to the NON-BETA GG archive interface*
 