{"id":480,"date":"2006-06-18T16:49:22","date_gmt":"2006-06-19T00:49:22","guid":{"rendered":"\/?p=480"},"modified":"2006-07-21T22:07:17","modified_gmt":"2006-07-22T06:07:17","slug":"gone-phishing","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=480","title":{"rendered":"GONE PHISHING"},"content":{"rendered":"<p>My friend and colleague Steven Woodward has started a blog at <a href=\"http:\/\/blogs.msdn.com\/stwood\" class=\"broken_link\">Steve&#39;s Identity Corner<\/a>. He told me he will be writing about uses for Information Cards emerging from his conversations with customers. For now he is structuring his pieces around a look at phishing &#8211; he&#39;ll be drilling down into how Information Cards help address the problem.<\/p>\n<blockquote><p>Over the last few years we have all experienced the constant barrage of Phishing attacks. These are not only a pain for all of us as end users, as we carefully pick through our email trying to figure out what&#8217;s real and what isn&#8217;t, but also an unending headache for those trying to run the commercial web sites we link to. So let&#8217;s take a step back for a moment to look at how these attacks are possible; after all, we&#8217;re smart people, we shouldn&#8217;t be fooled that easily&#8230;<\/p>\n<p>There are three distinct steps to any Phishing attack; for the sake of making this simple let&#8217;s just call them <em>Casting the Bait<\/em>, <em>Reeling in the Catch<\/em> and <em>Stealing the Prize<\/em>.<\/p>\n<p><strong><em>Casting the Bait<\/em><\/strong> &#8211; since the initial goal of the phisher is to get you to go to their web site, the first thing to do is to deliver you a URL in an email message. 
This email has to convince you not only that it is from a real company but that you should take the additional action of clicking on the link it contains. We&#8217;ve all seen the &#8220;there has been a change in your account details and we need you to verify them&#8221; email, complete with nice graphics and company logos from a familiar company. The first few times we see these we naively click on the link and off we go to who knows where to try and verify our account details. Of course, given the amount of spam we all receive, it&#8217;s not surprising that at times it&#8217;s hard for us to tell the good mail from the bad. In recent years many efforts have been made to reduce the amount of spam, and as the junk mail filters have become more sophisticated we are weeding out a lot more than we used to, but there is still more work to be done.<\/p>\n<p><strong><em>Reeling in the Catch<\/em><\/strong> &#8211; have you ever thought about how easy it is to fake a web site? Think about that for a moment: if I go to any website today I bet I can copy half their logos and artwork straight off their home page. In no time at all a half-decent web designer could mock up a site that is close enough to the real thing to fool 90% of the people who saw it.<\/p>\n<p>In fact that&#8217;s what <a href=\"http:\/\/www.deas.harvard.edu\/~rachna\/papers\/why_phishing_works.pdf\" class=\"broken_link\">researchers at Harvard University and UC Berkeley<\/a> did in order to do some research on Phishing. Now compare that with how hard it is to fake a real brick-and-mortar business, say a bank or a book store. One of the reasons so many people get phished is because it is very hard for most users to tell the difference between a fake site and the real site. 
In fact many users today have no idea what any of the so-called security measures we have in place today even mean. Ask some of your non-technical friends to explain what an SSL certificate is and how they can tell when a site has one. Now ask them how they know that&#8217;s a real cert and not one that was issued to a spurious company in Nigeria. On the whole we as an industry have come up pretty short in terms of protecting our users from going to sites that they can&#8217;t identify.<\/p>\n<p><em><strong>Stealing the Prize<\/strong><\/em> &#8211; in many cases the prize is your username and password. Firstly this is because the Phisher can now get access to the site that they faked; secondly, the chances are you also use that username and password in other places, and they are going to go after those too.<\/p>\n<p>But wait. I hear you cry, &#8220;I have several passwords that I use on different sites depending on the value associated with an account.&#8221;<\/p>\n<p>So imagine this: you get tricked into going to a fake site, it asks you for your username and password, you type them in and get &#8220;User Authentication Failed, please try again&#8221;. So you think to yourself, maybe I used one of my other username and password pairs, so you try again, and fail. Eventually you think, maybe I just typed the password wrong the first time! So you re-enter it and the site lets you in (and redirects you to the real site). Now the Phishing site not only has the username and password for the site they faked, but chances are they also stole the other 4 combinations you use.<\/p>\n<p>And yes, this happened to someone I know, oops. So usernames and passwords aren&#8217;t solving the problem today of how we get users to authenticate to our sites. 
And we need to keep it simple enough that all users, from the technically savvy to novice users, can just as easily and securely authenticate, without the need for username and password.<\/p>\n<p>As you can see the method of attack is pretty straightforward, and if it wasn&#8217;t for the fact that we prefer to operate on the right side of the law, I&#8217;m sure we could all make a pretty decent living doing it. One of the big challenges for us as an industry is that it covers multiple technologies: email clients, browsers, SSL certificates and user authentication systems, all of which may be provided by different vendors, any one of which doesn&#8217;t feel like they can solve the problem.<\/p>\n<p>Over the next few weeks I&#8217;m going to cover each of these topics and explain the work that we are doing here at Microsoft to address these issues, and in addition other industry-wide efforts I come across. I&#8217;m not saying that we can stop these attacks completely, but by changing the rules a little we can at least start to fight back. 
Let&#8217;s face it, we are dealing with some pretty sophisticated criminals intent on stealing from all of us if they can; we just have to make it a lot harder for them to do their job.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>There are three distinct steps to any Phishing attack.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/480"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=480"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/480\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=480"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=480"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=480"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}