ietf

RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

2003-12-21 17:55:58
People need to rely on their common sense.  This isn't a technical
problem. It is a social engineering problem. Your best bet is to read
Kevin Mitnick's book "The Art of Deception". Of course, there will be
instances where banks will send their customers emails.  But you should
treat those emails with the same degree of caution that you treat other
communications.  People are going to buy things over the net, and they'll
also get emails with links in them.  Not all of those emails are going to
be genuine.  Not all will be fake, either.

The scenario "your account has been hacked, you need to act fast and give
out your confidential financial information" is never a realistic scenario
for a financial or other institution.  People need to know that when
someone tries to rush them, they need to be suspicious.  The communication
media format used (phone, email, physical presence) doesn't matter.  If
people are savvy enough to know that the person on the phone or at the
door might not really be from the bank, they should be savvy enough to
realize that the email they just got might not really be from the bank
either.  Common sense usually suggests the right answer to a particular
case.  But, some people are going to be duped, anyway.  People are taken
in by "Matchstick Men"  (movie with Nicolas Cage playing a con-artist)
every day.  There is nothing that can be done technically to protect them.

                --Dean

On Sun, 21 Dec 2003, Parry Aftab wrote:

I agree. But frankly many Internet users (if not most) are already
distrustful, and at the same time we want to teach them to be cautious;
asking them to pull a bank statement and compare telephone numbers when
they have just been told their account has been hacked and they need to
act fast isn't realistic. Is it enough to say "never give out this
information pursuant to an e-mail, or link sent to you online, or via
phone for that matter"?

While we can always argue the societal issues, I was hoping you techies
could help me on hard tech tips :-)
Parry Aftab

-----Original Message-----
From: Dean Anderson [mailto:dean(_at_)av8(_dot_)com] 
Sent: Sunday, December 21, 2003 4:45 PM
To: Mark Smith
Cc: shogunx; franck(_at_)sopac(_dot_)org; ietf(_at_)ietf(_dot_)org; 
parry(_at_)aftab(_dot_)com
Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone
post this for me? or allow me to post directly?]

Most scams involve things that the institutions themselves would never do,
such as calling you on the telephone or sending an email to have you
update your confidential financial information.

The email scams are fundamentally no different from telephone scams or
door-to-door confidence scams, where the "bank" (imposter) calls you and
asks you for confidential information.  The real institution already has
this information, and they don't need it again.

The question of how to verify the Website is the wrong question to ask.

Assume you can't verify it, and instead get the website address, phone
number, etc from your genuine bank statement.  If you get something
unusual or confusing, print it out and take it to your financial
institution.

              --Dean

On Sun, 21 Dec 2003, Mark Smith wrote:

And don't trust emails asking for sensitive information. Verify their
requests independently via the phone, for example, and just _don't_ use
a phone number that is supplied in the email.
