There’s a free webcast that ISSA published today called No Phishing Allowed (just click submit, you don’t actually have to register), sponsored by Mirapoint. It’s a fairly interesting talk if you aren’t super familiar with the phishing world. I kinda feel bad, because most of what they said feels like bunk to me.
Peter Firstbrook from Gartner spent a lot of time talking about the transport mechanism (they are assuming email, which is a good assumption). SenderID, DomainKeys, SPF records, blah blah… yes, email security is good, no, it won’t help. What? The email is now secure! Well, yes, except then the bad guys will just start using firstname.lastname@example.org instead. They really don’t care. And users, bless their heart, will still fall for it.
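To make the point above concrete, here is an added example (not code from the post, the webcast or Mirapoint) of what SPF actually checks: whether the sending IP is authorized by the MAIL FROM domain's record. The record evaluator is simplified to the `ip4`, `include` and `all` terms, the DNS data is an in-memory dictionary, and the domains, IPs and records are all constructed for the example. A lookalike domain with its own correct SPF record passes just as cleanly as the real one; the second function is a minimal defensive heuristic (brand token present in a domain that is not on the allowlist) of the kind a mail filter would have to layer on top, since authentication alone says nothing about legitimacy.

```python
import ipaddress

# Constructed in-memory stand-in for DNS TXT lookups. All domains, addresses
# and records here are assumptions for the example, not data from the post.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:203.0.113.10 -all",
    # A lookalike domain registered by someone else, with its own valid record.
    "bank-secure-login.example": "v=spf1 ip4:192.0.2.77 -all",
}

# Map an SPF qualifier to the result it yields when its term matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF TXT record from the fake DNS, or None."""
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, mail_from_domain, depth=0):
    """Evaluate a simplified SPF record (ip4, include, all) for a sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # mirror RFC 7208's lookup limit: runaway includes are an error
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"  # no record: SPF has no opinion on this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # terms without an explicit qualifier default to "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain yields "pass"
            if check_spf(sender_ip, term[8:], depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # fell off the end of the record without a match


def flag_lookalike(domain, protected_domains):
    """Defensive heuristic: flag a domain that borrows a protected brand's
    first label (e.g. "bank") but is not itself on the protected list.
    Deliberately simple; a real filter would add edit-distance and
    homoglyph checks on top of this."""
    domain = domain.lower()
    if domain in protected_domains:
        return False
    brand_tokens = {p.split(".")[0] for p in protected_domains}
    return any(token in domain for token in brand_tokens)


if __name__ == "__main__":
    # Mail from the real bank's authorized relay: SPF passes.
    print(check_spf("203.0.113.10", "bank.example"))  # pass (via include)
    # Same IP claiming the lookalike domain: authentication passes too.
    print(check_spf("192.0.2.77", "bank-secure-login.example"))  # pass
    # Only a separate legitimacy check notices the lookalike.
    print(flag_lookalike("bank-secure-login.example", {"bank.example"}))  # True
```

The takeaway the post makes in prose shows up in the last two lines: both messages are "authenticated", and SPF is working exactly as designed in both cases. Whatever catches the lookalike has to come from somewhere other than the transport-authentication layer.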
Then he went to the bad place and mentioned two factor authentication (like SecurID). I have no problem with the concept of second factor authentication, but it’s NOT a good security mechanism for most people - people who are too close to the security world always seem to gravitate towards hardware devices, which just happen to be the least usable and often the least accessible. It’s okay when you are talking about an IT security policy, where you force your users to have one, but guess what? There are choices. I’m not going to buy a token every time I want to do business online. And btw, at one point I had three tokens.
Now do I need to carry around a token keychain? Dumb. AOL tried it. Are they still getting phished? You betcha. In their defence they did make people pay for it - “Pay to be secure on our site.” “But I thought I was secure.” “Well, sorta, mostly, but you’re even MORE secure if you buy our dongle that still suffers from MITM attacks. Oh, yah, and btw, your identity can still be stolen, they just won’t be able to log into your account. Oh, and sorry, if you’re blind, you have to be insecure.” And don’t even get me started on federation of tokens. I could rant for a week on that one. There apparently are some sites that have tried it and succeeded - I’m aware of Credit Suisse, Etrade and a few European banks that have used pin and tan cards, but they are not ecommerce sites. If Amazon could do it successfully, I’d be amazed.
Lastly, he mentions educating users. Okay, I’ve said it before, but apparently they didn’t read my blog. Education doesn’t work! You cannot train someone how to be secure. The best you can hope for is to train them to not open their spam bucket, but even that is pressing it. Users are users, and as long as there are enough idiots out there, the phishers will continue to make their billion dollars a year. I’ve worked for a number of companies with millions of users. It doesn’t work. I’ve tried. Trust me on this. You cannot train your users to know the difference between real email and fake email. That is the job of security companies (like Mirapoint or Symantec, or anyone else in the business) to handle. When you make dumb users understand things, you get dumb users who think they understand things, but really don’t, but swear they do.
Beyond security companies it’s the duty of browser manufacturers to get on board with it and help solve the problem. If they don’t, consumers will lose confidence and abandon online shopping - it’s a real threat, I’m not kidding, and big companies like Microsoft are scared shitless, as they should be. But they’re also making good strides to detect the problem in future versions of the browser. Netscape is already doing it with a feed from the Symantec owned WholeSecurity, which maintains the PRN (Phish Report Network). Firefox, to my knowledge, is abstaining.
Anyway, it is an interesting talk, even if I disagree with a big chunk of it. As a side note, I have a ton of respect for Gartner, I just think a lot of people misunderstand phishing - making it a source of annoyance for yours truly.