Comments on: Don’t Use Email Like a Stupid Person

By: Emergent Chaos

Emergent Chaos — Thu, 25 Aug 2005 17:55:40 +0000

“Preserving the Internet Channel Against Phishers”

I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel…

By: jhlipton

jhlipton — Fri, 19 Aug 2005 20:04:32 +0000

If my bank sends me a url to go to I ignore it and go to the secure URL I know. The same with email from my ISP, I go to their site and send a copy of the eMail. I assume that anyone asking me for confidential information is phishing. Duh, yeah. That goes for all my accounts. If I get a mail from XYZ, I'll navigate to XYZ's home site, login, and track the message from there. I like getting reminders and receipts in my mail. Doesn't mean I have to clicky-click on any of them!

By: Iang

Iang — Tue, 16 Aug 2005 07:43:14 +0000

You are right about the arms race, but the suggestions are only the beginning. The phishing thing is now institutionalised, and it is beyond the ability of bank sites to solve it. That’s been the case for about 1-2 years now.
Which isn’t to say that those things on the list shouldn’t be done, but it’s fighting last year’s war.

By: Eleanor

Eleanor — Sun, 14 Aug 2005 08:01:11 +0000

My bank doesn’t know my email address. They asked for it, but I refused to give it to them because they didn’t need it – they would have sent me my passcode etc. by snail mail anyway. That way, I know that every email I get from them is spam.

By: Extra

Extra — Sat, 13 Aug 2005 17:34:45 +0000

The simplest security is to never respond to a URL in eMail.
If my bank sends me a url to go to I ignore it and go to the secure URL I know. The same with email from my ISP, I go to their site and send a copy of the eMail. I assume that anyone asking me for confidential information is phishing.

By: Clifton Royston

Clifton Royston — Fri, 12 Aug 2005 22:39:09 +0000

Sorry, whoever told you Schwab is doing that is just plain wrong. I just reviewed my June email bulletin from them.
1) It is in HTML. 2) It contains numerous direct links to the Schwab website. It teeters on the edge of violating 3) in that all the links are of the form http://q1.schwab.com/s/r?l=suppressed&m=suppressed. I suspect the q1 is delegated to Quris which is the mailer they outsource to. If you expect the average user to recognize that, for instance, q1.schwab.com (or http://www.hostedapp.bigbank.com) is legitimate but that http://www.schwab.com.secure-users.com is not, I think you are expecting vastly too much sophistication from them. I am already seeing some phishes using the latter style of URL.
A broader problem is that this solution will work only to the extent that most users understand the difference between ASCII mail and HTML mail and can clearly distinguish between them – this will probably only be achieved if tens or hundreds of millions of users stop using Outlook Express. Then there’s the difficulty of simply convincing management at thousands of banks to listen to security authorities and ignore their marketing departments (who want to use HTML). Your proposal would greatly help – but it requires big changes in institutional and individual behavior. That’s not easy.

By: Jamie Flournoy

Jamie Flournoy — Fri, 12 Aug 2005 21:21:56 +0000

>We couldn’t do that if we had to have the software in their domain withough having
>to do production moves on their web servers
On the internet, a “domain” doesn’t mean a server or hosting facility. “Domain” means “domain name”, as in the thing in the browser location bar, which is mapped to one or more IP addresses. The address is what’s tied to a server and/or physical hosting facility.
Get the bank to set up a subdomain for you, like hostedappco.bigbank.com. That can be served by a separate name server you control, and has nothing at all to do with making you deploy your apps on their web servers. Then you can set http://www.hostedappco.bigbank.com to point at whatever server you like.
Alternatively they could just point http://www.hostedapp.bigbank.com at your server’s IP address, which takes flexibility away from you (you can’t change your IP without co-ordinating the name change with them) but gives them a sense of security.

By: mario contestabile

mario contestabile — Fri, 12 Aug 2005 16:23:29 +0000

Hi Adam.
On the subject of phishing, I am currently examining adding this as a new service in upcoming versions of our security suite software.
You may know that:
- IE 7 includes anti-phishing
- MS has chosen a partner I’ve reviewed, Whole Security in Austin(http://www.wholesecurity.com/news/index.html)
Of course, our solution will be browser independent due to my http proxy.
By the way, I do have an RSS feed ;-)
http://bubbler.net/feeds/560399/notes.xml
talk soon

By: hervey smoots

hervey smoots — Fri, 12 Aug 2005 15:14:06 +0000

Unfortunately, the “don’t put your banking software anywhere but on your server” thing might not work–I work for a company that makes this kind of software, and we (and many of our competitors) host the banking sites ourselves. We couldn’t do that if we had to have the software in their domain withough having to do production moves on their web servers–not something that’s terribly acceptable to the banks for security reasons, understandably enough.

By: Seth Gordon

Seth Gordon — Fri, 12 Aug 2005 09:22:10 +0000

Bankruptcy is too kind a fate for UAL. Their board of directors should be lined up before a firing squad on the tarmac of Denver International Airport.