On 3/31/06, Mike Nice <[EMAIL PROTECTED]> wrote: > > > http://www.hexview.com/sdp/node/24 > > > > (Show this article to your computer-illiterate spouse to confuse him/her > > even more :) > > Better yet, do the right thing and implement Tip #4: Go to the secure > SSL login page of your bank. Verify the URL. Verify that the SSL > certificate was issued to your bank by examining its properties. Now > bookmark the SSL page. Tell your computer-illiterate spouse to *always* go > to the bank login via favorites with the page you just bookmarked. If there > are any popup warnings from the browser [such as from certificate name > mismatch], do no log in. This catches all variations of Pharming, > man-in-the-middle, and type-alike sites. It offers no protection from > local trojans/keyloggers. >
I'll agree that Step #4 protects against one variant of the phish attack. But there are so many others: 1) Any different social engineering besides "login to your bank account". For example, "Chase will pay you $20 to fill out a short survey!" (of course, after filling out the survey you must provide your debit card number or account login information to get the $20). Another example is spoofing a retailer's site to get debit and credit card information, or spoofing the IRS. 2) Any attack against the user's computer. Keyloggers, software that listens for an authenticated connection than inserts transactions, host file alterations. 3) Any attack that spoofs the SSL cert box (The Codefish web site had a good example...what ever happened to Codefish, anyway?...pharming, MITM, and type-alike can fit in here, too) Honestly, the only way to defeat phishing is to improve computer configurations and managment, to educate users, and to allow only smart users near the Internet. None of those is likely to happen, so we'll have to deal with phish forever. That's just like in the physical world. After thousands of years, we still have people performing con jobs. -- Although I've found many nuts, I'm back to being anonymous, _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/