drowning the phish

Discussion in 'Computer Support' started by anthonyberet, Jun 11, 2005.

  1. anthonyberet

    anthonyberet Guest

    Very simple and interesting idea here:
    http://www.pbs.org/cringely/pulpit/pulpit20050602.html

    Full text :

    The Best Way to Stop These Scams Is by Drowning the Phish

    By Robert X. Cringely

    I was interviewed for a few seconds this week on CNN as part of their
    25th birthday celebration for the network. My qualification for being
    interviewed appears to be the fact that I was alive in 1980 and remember
    fleeting patches of it. A camera crew came to our house to shoot the
    interview, and my son Channing, who was minus 22 in 1980, was very
    impressed -- so impressed that he proposed that he, rather than me, be
    interviewed. He had something to say to America.

    "Help me!" he told the camera.

    Channing isn't the only one who needs help. I wondered last week why we
    never hear of criminals being convicted of phishing -- inducing us to go
    to bogus web sites and give over enough financial details to loot our
    bank accounts or steal our identities. Well, I was wrong, it turns out:
    A phisher was convicted last year in Texas and another was convicted in
    2003 in Virginia.

    Feel safer now?

    Here is a crime that touches every person who reads this column, yet we
    can find only TWO convictions? That qualifies phishing as a growth industry.

    Phishing is something I don't think can be left to the professionals.
    PayPal, eBay, your bank and mine don't really have the ability to stop
    this crime, so that leaves it up to the victims to do something to stop
    it. That's us, baby.

    Talking with some professional phish-hunters, it looks like the general
    trend to solving this problem will be through the simple expedient of
    eliminating e-mail entirely from our relationships with these
    organizations. Of course, this has the equal effect of drawing us
    tighter into our commercial relationships. If I'm comfortable with eBay,
    for example, because eBay moves all its communications off e-mail, well
    then I'll be less likely to do business with another auction site.
    Clever, eh? Here's how it was described to me by a cyber law enforcement
    person:

    "What does eBay do, exactly? The company does what any corporation does:
    passes on all the information to relevant legal authorities. What more
    can eBay do? They rely on the law to take action, just as you do if you
    are ever a victim of a crime, which I hope never happens to you."

    "The trouble is, people expect eBay Customer Support to slap on a badge,
    go to the guy's house in the US, and arrest the bad guy. People are very
    poorly educated about spoof messages, on average, and much less educated
    on proxy servers, IP masking, hijacked websites and how it is that the
    guy they thought was in Chicago is actually in Russia, Romania, Italy,
    the UK, Indonesia, Nigeria, whatever."

    "The solution is not what (Max Levchin) mentioned, the solution for
    corporations is to move messaging off email and onto an internal system.
    eBay has My Messages to do this. By moving messages off of email, it
    becomes much harder for scammers to do what is otherwise an easy task
    because email is inherently insecure: send spoof messages."

    "The second part of the solution is mass education by corporations, and
    word-of-mouth, once those internal messaging systems are in place.
    People sign into their accounts and get their priority messages. The
    only email they need to receive, then, is a plain-text email with no
    links that instructs them to sign onto any given account and check their
    messages on that company's trusted website."

    "This solution is much more effective than relying on members/users to
    report spoof websites. It is not enough for companies to rely on
    customers to report spoofing activity, companies have to introduce a new
    paradigm that is spoof-resistant."

    Well, maybe.

    I'm not so impressed by professional law enforcement. While they may do
    a fair job of deterring and minimizing endemic physical crimes, there
    are severe problems with this law enforcement model when applied to the
    Internet. There is the simple matter of numbers: The bad guys outnumber
    the cybercops by probably 1,000-to-1. Law enforcement also is, by
    definition, reactive and that reaction can be a LONG time in coming. The
    cops' loyalty is toward society rather than the individual, so
    retrieving MY lost stuff or identity is less important than discouraging
    criminals from doing further damage to others. And, finally, law
    enforcement relies on crime and criminals for its very existence, which
    sure looks like a symbiotic relationship to me. No wonder they don't
    enlist our help in any truly constructive way.

    Of course, there has to be a better answer to this problem, and five
    readers in the past week have suggested it. Forget Max Levchin's idea of
    using bounties. But let's embrace what was at the essence of Max's idea,
    which is enlisting millions of Internet users in the cause.

    If the bad guys out-number the cops by 1,000-to-1, Internet users must
    outnumber the bad guys by 100,000-to-1 or more.

    Fear of punishment won't deter phishing, yet that's all traditional law
    enforcement has to offer. It's fear of UNPROFITABILITY that will finally
    work.

    The simple way to kill phishing is by making it harder for the phisher
    to make money from it. Right now, a phisher sends out a million e-mails
    and gets back 100 replies that yield positive data. There is almost no
    effort involved in sending out the e-mails after the first one, and the
    quality of the return data is very high. No wonder this is such a
    popular business!

    Let's change that. If you get phishing e-mail, go to the web sites and
    enter false data. Make up everything -- name, sign-on name, password,
    credit card numbers, everything. Instead of one million messages
    yielding 100 good replies, now the phisher will have one million
    messages yielding 100,000 replies of which 100 are good, but WHICH 100?

    This technique kills phishing two ways. It certainly increases the
    phishing labor requirement by about 10,000X. But even more importantly,
    if banks and e-commerce sites limit the number of failed sign-on
    attempts from a single IP address to, say, 10 per day, theft as an
    outcome of phishing becomes close to impossible.

    No bounties are required, no cops, no parallel webmail systems that
    force us to log-in to e-commerce sites when they tell us to. Phishing
    just becomes a very unprofitable business, which it should be.

    Are you in?
    anthonyberet, Jun 11, 2005
    #1
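    The second half of the column's proposal is a cap on failed sign-on attempts
    per source IP. Below is an added example of such a throttle, written for this
    thread and not taken from the column or from any bank's systems: a sliding
    24-hour window of failures per IP, run over a constructed "drowned" harvest in
    which two real credentials are buried among made-up ones. The IP address, the
    account table, the threshold of 10 and the harvest itself are all assumptions.

```python
"""Per-source-IP failed sign-on throttle (added example, not from the thread)."""
from collections import defaultdict, deque

# Constructed account table for the targeted site: username -> password.
# Assumption for the example only; a real system stores password hashes.
REAL_ACCOUNTS = {"alice": "hunter2", "bob": "correct horse"}


class FailedLoginThrottle:
    """Sliding-window count of failed sign-ons per source IP.

    Once `max_failures` failures have been seen from an IP within
    `window_seconds`, further attempts from that IP are refused until
    enough of the old failures have aged out of the window.
    """

    def __init__(self, max_failures=10, window_seconds=24 * 3600):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def allowed(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip]) < self.max_failures

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)


def attempt_login(throttle, ip, now, username, password, accounts=REAL_ACCOUNTS):
    """One sign-on attempt: 'blocked' (IP over its cap), 'verified' or 'wrong'."""
    if not throttle.allowed(ip, now):
        return "blocked"
    if accounts.get(username) == password:
        return "verified"
    throttle.record_failure(ip, now)
    return "wrong"


def phisher_harvest(n_bogus=23):
    """Constructed sample of what a drowned phishing form yields: 25 entries,
    of which only two (positions 3 and 18) are real credentials."""
    bogus = [("user%02d" % i, "pw%02d" % i) for i in range(n_bogus)]
    return (bogus[:3] + [("alice", "hunter2")]
            + bogus[3:17] + [("bob", "correct horse")] + bogus[17:])


def run_phisher(harvest, ip="203.0.113.7", throttle=None):
    """Simulate a phisher testing the whole harvest from a single IP, one
    attempt per second, and tally how each attempt ended."""
    throttle = throttle if throttle is not None else FailedLoginThrottle()
    tally = {"verified": 0, "wrong": 0, "blocked": 0}
    for t, (user, pw) in enumerate(harvest):
        tally[attempt_login(throttle, ip, t, user, pw)] += 1
    return tally, throttle


if __name__ == "__main__":
    capped, _ = run_phisher(phisher_harvest())
    uncapped, _ = run_phisher(phisher_harvest(),
                              throttle=FailedLoginThrottle(max_failures=10 ** 9))
    print("with 10-per-day cap:   ", capped)
    print("without any cap:       ", uncapped)
```

    With the cap the phisher verifies only the real credential that happens to
    come before the tenth failure; the second real one is never tested. Without
    the cap both are verified. The limit is per address, so it binds only a
    phisher who tests from one IP; the law-enforcement quote in the post above
    already mentions proxies and IP masking, which is why the cap raises the
    phisher's cost rather than ending the business on its own.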

  2. anthonyberet wrote:

    > Are you in?


    So I'm to sit down and spend my time filling out false information on
    forms day in and day out to cover up the phishers with bad data? It's
    pure wishful thinking that a million internet users are going to band
    together and put the phishers out of business.
    Rôgêr, Jun 11, 2005
    #2

  3. cnw

    cnw Guest

    begin anthonyberet <> wrote:

    > Very simple and interesting idea here:
    > http://www.pbs.org/cringely/pulpit/pulpit20050602.html
    >
    > Full text :

    [snip]

    > Let's change that. If you get phishing e-mail, go to the web sites and
    > enter false data. Make up everything -- name, sign-on name, password,
    > credit card numbers, everything. Instead of one million messages
    > yielding 100 good replies, now the phisher will have one million
    > messages yielding 100,000 replies of which 100 are good, but WHICH 100?
    >
    > This technique kills phishing two ways. It certainly increases the
    > phishing labor requirement by about 10,000X. But even more importantly,
    > if banks and e-commerce sites limit the number of failed sign-on
    > attempts from a single IP address to, say, 10 per day, theft as an
    > outcome of phishing becomes close to impossible.


    I agree it would be good to provide false data to these criminals. Hell, I
    get enough of this shit in my mailbox to kind of like the idea.

    However, this approach suffers from at least two flaws that I can think of.
    Firstly, credit card numbers have check digits acting as a simple form of
    validation. If this form of revenge started to become widespread, all the
    scammers would have to do would be to use this validation check (if they
    don't already), and discard all non-validated numbers.

    The answer here would be to only provide validated numbers. This is
    possible, of course, but hardly likely to happen. Most people would find it
    far easier to simply delete the mail.

    Which brings me to the second flaw, already mentioned elsewhere in this
    thread: People will simply not be bothered to enter all this information,
    particularly for each and every one of these messages. Now if this part of
    the process could be automated...

    For now I think I'll continue to report this junk by forwarding the messages
    (including headers) to spoof <at> ebay.com or spoof <at> paypal.com, etc.

    Neil.
    --
    A: Because it messes up the order in which people normally read text.
    Q: Why is top-posting such a bad thing?
    A: Top-posting.
    Q: What is the most annoying thing on usenet and in e-mail?
    cnw, Jun 11, 2005
    #3
  4. Joel Rubin

    Joel Rubin Guest

    On Sat, 11 Jun 2005 19:59:15 +0100, cnw <> wrote:

    >However, this approach suffers from at least two flaws that I can think of.
    >Firstly, credit card numbers have check digits acting as a simple form of
    >validation. If this form of revenge started to become widespread, all the
    >scammers would have to do would be to use this validation check (if they
    >don't already), and discard all non-validated numbers.


    It's easy enough to get the checksum to work if you want. There are
    plenty of number checkers around and if you have a bad checksum just
    change one of the numbers that is only counted once to fix it.
    (Checksums involve adding in alternate digits once and twice.)

    Of course, you could try posting gobs of sh*t to the form page. In
    most cases, the form page doesn't do any checking and emails to a web
    account. I guess this is a bit like mailbombing 419ers except that you
    don't know the address unless the website is badly configured.

    What would be really nice would be to post trojan credit card numbers.
    (Credit card numbers which are on some sort of police watch list.)
    Maybe some of the credit card companies and or banks could start doing
    this.
    Joel Rubin, Jun 11, 2005
    #4
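    The check digit that the two posts above argue over is the Luhn (mod 10)
    check. As an added example for both posts, not code from the thread, here is
    a validator, the filter a phisher would apply to a drowned harvest (drop
    every entry whose number fails the check), and the repair trick from the post
    above: change one of the digits that is counted only once, so the total moves
    by exactly the amount needed. The card numbers and names are constructed test
    values, not real accounts.

```python
"""Luhn (mod 10) check-digit handling for made-up card numbers.

Added example for the thread; not code from any of the posts.  All card
numbers here are constructed test values, not real accounts.
"""


def _luhn_sum(digits):
    """Luhn total: from the right, every second digit (the 2nd, 4th, ...)
    is doubled and, if the result is above 9, has 9 subtracted; the other
    digits are counted once.  A number validates when the total is a
    multiple of 10."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # the digits counted twice
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number):
    """True if the digit string (spaces allowed) passes the Luhn check."""
    s = number.replace(" ", "")
    if len(s) < 2 or not s.isdigit():
        return False
    return _luhn_sum([int(c) for c in s]) % 10 == 0


def luhn_fix(number, position=0):
    """Make a number Luhn-valid by changing one once-counted digit.

    `position` counts from the right, 0 being the last digit.  Only even
    positions qualify: those digits enter the total unchanged, so moving
    one of them by k moves the total by exactly k (mod 10).
    """
    s = number.replace(" ", "")
    if not s.isdigit():
        raise ValueError("number must be all digits")
    if position % 2 or position >= len(s):
        raise ValueError("position must be an even index within the number")
    digits = [int(c) for c in s]
    remainder = _luhn_sum(digits) % 10
    idx = len(digits) - 1 - position
    digits[idx] = (digits[idx] - remainder) % 10
    return "".join(str(d) for d in digits)


def keep_luhn_valid(submissions):
    """The filter the posts expect a phisher to apply to harvested form
    data: keep only submissions whose card number passes the check."""
    return [s for s in submissions if luhn_valid(s["card"])]


# Constructed harvest: a well-known test number that validates, one digit
# off from it, a random-looking number, and that same number repaired.
SAMPLE_SUBMISSIONS = [
    {"name": "A. Nobody", "card": "4111 1111 1111 1111"},
    {"name": "B. Nobody", "card": "4111 1111 1111 1112"},
    {"name": "C. Nobody", "card": "1234 5678 9012 3456"},
    {"name": "D. Nobody", "card": luhn_fix("1234 5678 9012 3456")},
]

if __name__ == "__main__":
    for entry in SAMPLE_SUBMISSIONS:
        print(entry["card"], luhn_valid(entry["card"]))
    print("survive the filter:",
          [e["name"] for e in keep_luhn_valid(SAMPLE_SUBMISSIONS)])
```

    Of the four constructed entries, only the test number and the repaired
    number survive the filter. A Luhn-valid number is still nothing more than a
    number that sums correctly; the check says nothing about whether an account
    behind it exists, which is exactly why fixed-up fake numbers would pass the
    filter the posts describe.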
  5. dwacon

    dwacon Guest

    "anthonyberet" <> wrote in message
    news:...

    > No bounties are required, no cops, no parallel webmail systems that force
    > us to log-in to e-commerce sites when they tell us to. Phishing just
    > becomes a very unprofitable business, which it should be.
    >
    > Are you in?



    I think we should pull the troops from Iraq and have them go to the front
    door of spammers and phishers and blast them with no fewer than 250 rounds
    of high caliber ordinance.

    Then confiscate all of their goods... their house (minus the parts with
    bullet holes)... their car... their jewelry... their bank accounts.
    Basically, what the DEA does to drug dealers. Take everything and put it in
    a fund and use it to fund something socially conscious... like having
    Haliburton provide lunches to underprivileged school kids...



    --
    Give Dad the BEST Father's Day Ever!
    http://www.dwacon.com/holidays/fathers_day.html




    ---
    avast! Antivirus: Outbound message clean.
    Virus Database (VPS): 0523-8, 06/11/2005
    Tested on: 6/11/2005 8:30:42 PM
    avast! - copyright (c) 1988-2005 ALWIL Software.
    http://www.avast.com
    dwacon, Jun 12, 2005
    #5
  6. joevan

    joevan Guest

    On Sat, 11 Jun 2005 20:30:38 -0400, "dwacon"
    <> wrote:

    >I think we should pull the troops from Iraq and have them go to the front
    >door of spammers and phishers and blast them with no fewer than 250 rounds
    >of high caliber ordinance.
    >
    >Then confiscate all of their goods... their house (minus the parts with
    >bullet holes)... their car... their jewelry... their bank accounts.
    >Basically, what the DEA does to drug dealers. Take everything and put it in
    >a fund and use it to fund something socially conscious... like having
    >Haliburton provide lunches to underprivileged school kids...

    I like that, pull it off and you can be the next president.
    I'll vote for you anyway.

    --
    "Politicians are like diapers. They should both be changed frequently
    and for the same reason."
    joevan, Jun 12, 2005
    #6
  7. Robert de Brus

    In news:,
    Rôgêr <> typed
    || anthonyberet wrote:
    ||
    ||| Are you in?
    ||
    || So I'm to sit down and spend my time filling out false information on
    || forms day in and day out to cover up the phishers with bad data? It's
    || pure wishful thinking that a million internet users are going to band
    || together and put the phishers out of business.

    Not to mention all the extra useless packets of crap floating around,
    slowing my internet connection, clogging up my ISP's mail server, etc.

    The easiest way to not get caught by phishing exercises is to realise that
    financial institutions simply don't request this information via email.
    Robert de Brus, Jun 12, 2005
    #7
  8. dwacon wrote:

    > I think we should pull the troops from Iraq and have them go to the front
    > door of spammers and phishers and blast them with no fewer than 250 rounds
    > of high caliber ordinance.


    High caliber ordinance -- that's a large law, right? :)

    --
    Blinky Linux Registered User 297263
    Killing all Usenet posts from Google Groups
    Info: http://blinkynet.net/comp/uip5.html
    *ALSO contains links for access to the NON-BETA GG archive interface*
    Blinky the Shark, Jun 12, 2005
    #8