The Future of Phishing - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

The Future of Phishing

Description:

Losses now 8 figures UK, 9 USA. In UK, one bank took 30m of 36m losses last year ... bank customer expect to be able to mortgage his house and send all the money to ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 11
Provided by: mkb2
Category:
Tags: future | mortgage | phishing | uk

less

Transcript and Presenter's Notes

Title: The Future of Phishing


1
The Future of Phishing
  • Ross Anderson
  • Security Group
  • USEC 2007 15 Feb 2007

2
Background
  • Trojan logon scripts in 1970s now we have
    trusted path (ctrl-alt-del). In 1990, password
    fishing referred to false terminals
  • Social engineering pretexting long used to
    get passwords (and everything else).Example
    bogus bank staff request PIN for stolen card.
  • Combining these threads the spelling phishing
    appeared in 1996 in the context of AOL password
    solicitation

3
Background (2)
  • As the security technology improves, attacks will
    inevitably shift to target people
  • Our pretexting research in 1996
  • Greening, Ask and Ye Shall Receive, SIGSAC
    Review Apr 96 138 of 336 students mailed in a
    password on request most changed their password
  • OPSEC is hard enough for staff next to
    impossible for customers
  • 2002 Mitnick publishes Art of Deception

4
Background (3)
  • First electronic banking service to retail
    customers Bank of Scotland 1984
  • Account nomination customer had to specify
    recipients and limits in writing
  • Also, one-time passwords (paper list)
  • Nomination, and distinction between safe and
    dangerous transactions, vanished during the
    dotcom boom
  • Instead, contract terms used to dump risk

5
Developments in 2003
  • First chip and PIN skimmers appear in Italy
  • CAPTCHAs take off, initially as a spam
    countermeasure for email services blogs
  • Signs that online criminals were getting
    organized and specialized different groups
    would steal card numbers and do cashout
  • First six reported cases of phishing for bank
    passwords

6
Phishing
  • Victims are lured by an email to log on to a
    website that appears genuine but that actually
    steals their passwords
  • Early attempts were crude and greedy but the
    phishermen learned fast!
  • Genuine bank emails used, or clever psychology
    (thank you for adding a new email address to
    your PayPal account)
  • Losses now 8 figures UK, 9 USA. In UK, one bank
    took 30m of 36m losses last year
  • The Rockfish gang

7
Banks make it worse!
  • Paypal, Xmas 2006, directs customers to a
    competition at paypalchristmas.co.uk (owned by a
    small marketing company)
  • Halifax Share Dealing Services sent out a spam
    with a URL not registered to the bank, and its
    fraud department initially agreed it was a phish
    (until its was reported to the ISP for takedown)!

8
Countermeasures
  • Blame and train long known to not work in
    safety-critical systems
  • Check the English, look for the lock, click
    on images but not URLs, parse the URL
  • Phishermen good at turning advice round
  • Various psychological reasons why this strategy
    is unsound (fundamental attribution error,
    default from physics to social processsing
    mode, )

9
Countermeasures (2)
  • Link to machine password manglers / TC / client
    certs / browser password cache (but banks resist
    mechanisms that stop roaming or that arent
    universal)
  • Soft keyboards (but not too hard to defeat)
  • Toolbars (but see Jackson et al)
  • Two-factor (but real-time man-in-midle)
  • Multi-channel, such as SMS (but ?)

10
What next?
  • Security in the old days depended on back-end
    controls, plus front-end authentication
  • Banks since 2000 or so have tried to get the
    front end to carry all the load, as its easier
  • I doubt this will work! We should expect the
    return of back-end controls
  • Why should a bank customer expect to be able to
    mortgage his house and send all the money to the
    Philippines, from an Internet café in Peshawar?
  • Liability will also matter
Write a Comment
User Comments (0)
About PowerShow.com