> I guess my real bone is that there's been a growing conflation, to my
> thinking, of authentication vs UBE. Fraudulent messages needn't be
> bulk, and not even particularly unsolicited, and unsolicited bulk
> email needn't be fraudulent.
All quite true. I went to a meeting a month ago of the Anti-phishing
Working Group which despite its funky name consists of big banks, big
ISPs, and big law enforcement with a smattering of software vendors
and a few tourists like me. Phishing is as bad a problem as spam, but
it's less well known because the primary targets are large
organizations that tend not to talk about it other than to each other.
They're now seeing upwards of 12 distinct attacks per day with the
most common targets being eBay, Citibank, and Paypal.
Some phishing is done by broadcast spam, but a lot is carefully
targeted, e.g., at foreign holders of US bank accounts who often fall
for the "verify your account" scam. Losses are large. At the meeting a
guy from the Department of Justice talked about cases with six and
occasionally seven figure losses, and people going to jail for many
years.
Phishing entirely depends on authentication failure. A web site,
e-mail, or other message looks like it's from a large familiar
organization, but it's not. At the moment, there's little they can do
to prevent it. SSL is no help since any crook with $50 can get a 100%
genuine SSL certificate that works in all of the browsers and mail
programs people use, that proudly certifies that a web page or e-mail
is truly from CITIBANK-ACCOUNTS.COM which, of course, is not Citibank.
I suggested that since the banking industry is heavily regulated and
in the US there's no question who's a bank and who isn't, they need a
distinctive signer who only signs for banks with a trademark that
could be advertised for brand awareness. ("It's not from your bank
unless it has a Golden Dollar Sign in the corner.") A guy from the
FDIC said they've been thinking about it.
This could help the phishing problem, at least the part of it that's
against banks, but I don't see any extension to dealing with spam.
It's pretty clear that pure authentication agents don't work, because
the costs and benefits don't work. Most people aren't willing to pay
$5000 for a signer to send someone out to do a background check and a
personal visit, nor are they even willing to go to PGP signing fests,
but without some sort of real world check, it's just pushing paper
around.
Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
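An added example, not part of John's message or the ASRG archive, to make the CITIBANK-ACCOUNTS.COM point concrete. A browser's certificate check answers only "does this certificate's name match the host I connected to?" (RFC 6125 style matching, reproduced below); a perfectly genuine certificate for a lookalike domain passes it. The second check is the kind of thing the "only signs for banks" idea implies: is the registrable domain one the brand actually owns? The brand list and public-suffix set are constructed for illustration, not real bank data, and the function names are my own.

```python
"""Added example: what a TLS server certificate certifies versus what a
phishing victim assumes it certifies.

cert_valid_for_host() does what browsers do: name matching only.
brand_lookalike() does what the post says SSL cannot do: tie the name
to a known institution. Domain lists are constructed, not real data.
"""

# Constructed allow-list of registrable domains each brand controls.
BRAND_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
}

# Tiny stand-in for the public suffix list (assumption for the example).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the registrable (eTLD+1) part of a hostname, lowercased.
    'paypal.com.secure-login.net' -> 'secure-login.net'."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest public suffix first
        suffix = ".".join(labels[-n:])
        if suffix in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def san_matches_host(san_name, host):
    """RFC 6125 style match: exact, or a single '*' covering exactly
    one leftmost label (so *.x.com matches a.x.com, not x.com or a.b.x.com)."""
    san_name, host = san_name.lower(), host.lower()
    if san_name == host:
        return True
    if san_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san_name[2:]
    return False


def cert_valid_for_host(san_names, host):
    """What the browser checks: any certificate name matches the host."""
    return any(san_matches_host(n, host) for n in san_names)


def brand_lookalike(host):
    """Return (brand, registrable_domain) when a brand name appears in the
    hostname but the registrable domain is not one the brand owns.
    Returns None when the host is genuinely the brand's or mentions no brand."""
    rd = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host.lower() and rd not in owned:
            return brand, rd
    return None


def assess(host, san_names):
    """Combine both checks into a one-line verdict."""
    if not cert_valid_for_host(san_names, host):
        return "cert does not match host"
    look = brand_lookalike(host)
    if look:
        brand, rd = look
        return f"valid cert, but {rd} is not a {brand} domain"
    return "valid cert for a known domain"


if __name__ == "__main__":
    # The post's scenario: a genuine certificate for a lookalike domain.
    for host, sans in [
        ("citibank-accounts.com", ["citibank-accounts.com"]),
        ("paypal.com.secure-login.net", ["*.secure-login.net"]),
        ("online.citibank.com", ["*.citibank.com"]),
    ]:
        print(f"{host:32} {assess(host, sans)}")
```

The first two hosts pass hostname validation exactly as the real thing would; only the allow-list, which needs someone to vouch for which domains are the bank's, separates them from the genuine one. That is the gap between "the certificate is real" and "the sender is who you think".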