--On 21 January 2009 00:56:55 +0000 John Levine <johnl(_at_)taugh(_dot_)com>
wrote:
Let's say you get a message from security(_at_)pay-pal(_dot_)com, which is 100%
DKIM, SPF, and Sender-ID approved. Is that Paypal? How can you tell
short of manually looking up WHOIS registrations?
Well, without all those technologies, it's simple to simply use paypal's
domain. Then there's no clue. Now, if you use a look-alike domain name,
then you're probably violating the trademark. That's illegal, ...
Uh, dude, we're talking about phishing here. If that's not already
illegal in Australia, I think I've found a major recession-resistant
business opportunity.
Phishing illegal? I don't know about Australia, but I don't think there are
specific anti-phishing laws in the UK. Certainly, fraud perpetrated with
information gained by phishing is illegal. It's fraud. It could be argued
that the phishing attempt itself is a form of fraud, but probably only if
you actually do something with the information gained.
My point about trademarks is that registering a domain that could be easily
confused with a trademark is illegal. Therefore, it's reasonable to code
phishing defences that rely in whole or in part on detecting sender address
domains that are similar, but not identical, to trademarked domains.
This means that technical measures to protect a domain from precise forgery
can be supplemented with technical measures to protect near matches to
those domains, thus mitigating (not eliminating) the problem.
[Whether it's legal or not, it is a business opportunity. It's probably not
totally recession-resistant because recession probably reduces the gains to
be had.]
R's,
John
PS:
Is there actually any point in trying to solve phishing issues by
verifying the origin of email if the customer is going to depend on
a known-insecure web-browser?
Maybe. One of my bank accounts requires me to use a physical dongle
to generate a code number. I expect in the future they'll give you a
USB dongle with a small screen and a couple of buttons so you do most
of your banking session on the computer, but when you hit go, the
dongle lights up with the details of the transaction the bank is about
to do and you have to push YES or NO on the dongle to confirm. That
seems like it could be made reasonably secure.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
--
Ian Eiloart
IT Services, University of Sussex
x3148
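One way to implement the near-match check Ian argues for, as an added example that is not part of the original thread: the sender domain's registrable label is folded through a small confusable map and compared by edit distance against a list of protected brand domains. The protected list, the confusable mapping and the public-suffix heuristic are all assumptions made for this example.

```python
import re

# Constructed list of protected (trademarked) domains; an assumption for this example.
PROTECTED_DOMAINS = ["paypal.com", "example-bank.com"]

# Characters commonly swapped in to mimic a brand name (assumed mapping, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def registrable_label(domain):
    """Return the label just below the public suffix, e.g. 'pay-pal' for 'mail.pay-pal.com'.
    Two-part suffixes such as co.uk are treated as one suffix (a simplification)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and len(parts[-2]) <= 3 and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalise(label):
    """Fold confusables and drop separators so 'pay-pal' and 'paypa1' both compare as 'paypal'."""
    folded = label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", folded)

def levenshtein(a, b):
    """Plain edit distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return ('exact', brand) for a protected domain or its subdomain, ('near-match', brand)
    for a look-alike of one, or ('unrelated', None) otherwise."""
    domain = domain.lower()
    for brand in protected:
        if domain == brand or domain.endswith("." + brand):
            return ("exact", brand)
    label = normalise(registrable_label(domain))
    for brand in protected:
        brand_label = normalise(registrable_label(brand))
        if label == brand_label or levenshtein(label, brand_label) <= max_distance:
            return ("near-match", brand)
    return ("unrelated", None)
```

A brand's legitimate domains under other suffixes (a .co.uk variant, say) will be reported as near matches unless they are also listed, so the protected list has to enumerate every domain the brand actually sends from.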