On Mon, Jun 9, 2014 at 10:49 AM, Larry Finch <finc...@portadmiral.org> wrote:
> I think that is the reason. Users for the most part are trusting. If an > email says it comes from their bank they believe it. Most banks have gone > to great lengths to make it easy to verify that a message really comes from > the bank, such as including an account balance, or the last N digits of the > account number. But if the message appears to come from the bank but > doesn’t have verification data they don’t notice that it doesn’t and click > on the link anyway. I’m pessimistic that anything can ever be done with the > invisible parts to prevent phishing scams and spam, because all the message > has to say it is from the bank and enough users will be fooled by it to > keep the cyber criminals in business. Some phishing emails even attempt to > spoof the bank verification by showing the FIRST 4 digits of the account > number, which, of course, is unique for each issuer. See Brian Krebs’s blog > (http://krebsonsecurity.com/) for just how big a business cyber crime is. > It isn’t going to give up its multi-$billion revenue stream easily. > > User education (if that is possible) is the best defense. > I seem to recall a presentation some years ago that discovered over 18% of users go through their spam folders and fall for phishes found in there, on the basis that the spam filtering might cause them to miss something important. One can easily conclude that user education is an uphill battle, or at least hasn't worked thus far, and opt for solutions that try to take the user out of that decision process. This is why S/MIME, though quite possibly a workable solution, is routinely disqualified. It's interesting, but also sad for email, that Kaiser (and perhaps others) has decided this problem is intractable. Now, when my doctor sends me a message, I get an email asking me to go to their web site to retrieve the message. It's a bit annoying to have to log in to a web site to read a single message, but we're guaranteed mutual authentication and message security that way. -MSK
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
