On Thu, 2004-06-03 at 20:20, Michel Py wrote:
> > This is a social problem though, and I'm not sure it
> > has a valid technical solution.
>
> It does not. Some of the potential marks will not fall for it, but
> remember that con-art is all about art: if the phishing web site looks
> and feels like the real one, most of the marks that fall for the scheme
> will fall even if there are little discrepancies. Web sites do change
> often these days and we got used to this fact; the clever phisher has a
> checking account with bigbank anyway just to capture logos and artwork
> on the customer website. As long as the little yellow padlock is there,
> Photoshop and JavaScript can do it.

Exactly -- and in light of this, header field verification just ends up
being a feel-good security measure. The real solution is education, and
providing the tools to allow users to make more informed decisions.
--
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>