ietf

Re: Symptoms vs. Causes (was next step on web phishing draft)

2007-09-10 18:09:04
Michael Dillon said:

"Personally, I would like to see some more criticism of the fact that
this draft is about Phishing, a symptom of security problems, rather
than about strengthening a weakness in Internet security. It is entirely
possible to "solve" the phishing problem without strengthening the
network, and possibly even introducing new weaknesses. Being too focused
on one symptom is not a good way to approach security. Indeed, it is
entirely possible that the solution to phishing lies with the banking
system, not with the Internet or IETF."

I think this is a very good point.  Ultimately, the explosion of attacks 
that we are seeing is fed by the ability of miscreants to convert personal
information into cash.  Phishing is only one avenue for this - the 
miscreants have shown an ability to quickly develop new attacks and 
business models.  

So we need to think carefully about distinguishing symptoms from 
underlying causes.  If we just focus on symptoms, we will be 
playing a game of Whack-a-mole.  For example, the document states that
anti-phishing measures MUST support passwords, yet with the increasing
prevalence of keystroke logging malware, it is not clear to me that
merely avoiding the sending of cleartext passwords over the wire is 
enough. 

In terms of underlying causes, the ease with which personal information 
(social security number, bank account #s, birthdate, etc.) can be 
utilized for identity theft and subsequent fraud is sobering.  A sampling 
of recent stories in the news:

http://www.identitytheftdaily.com/
http://www.forbes.com/feeds/ap/2007/08/16/ap4027723.html
http://www.schneier.com/blog/archives/2005/08/identity_thief.html
http://mortgagefraud.squarespace.com/journal/2004/4/7/id-theft-leads-to-charges-for-six-amerifunding-scheme.html
http://www.usdoj.gov/usao/pae/News/Pr/2006/jul/whitesmith_release.pdf
http://www.courant.com/news/custom/topnews/hcu-mortgage-0828,0,3482889.story
http://money.guardian.co.uk/scamsandfraud/story/0,,1669152,00.html

While I'm willing to accept that many of these stories originate in 
fundamental weaknesses within the financial system, I'm not so sure that 
the IETF has no role to play with respect to development of technology 
that could help. 

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
