
Re: The pretty name

2004-09-30 15:57:00
On Thursday September 30, winserver(_dot_)support(_at_)winserver(_dot_)com wrote:

----- Original Message -----
From: "Ryan Malayter" <rmalayter(_at_)bai(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Cc: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, September 30, 2004 2:09 PM
Subject: RE: [spf-discuss] The pretty name


minor problem that is already addressed in other ways.

I think the banking industry would think phishing is more than a "small
problem". Hundreds of millions of dollars per year are lost to phishing
attacks. I would say drastic measures are called for. And this problem
is NOT already addressed in other ways.

Why doesn't CITIBANK.COM and others with the problem add an SPF record?
Doesn't seem like Citibank.com is really interested in doing what it can to
help address it.  By doing so, if we have any citibank users on our system
and others with SPF support, they are protected.

I must admit that I'm often surprised that people talk about phishing
in the same context as SPF and MARID as much as they do.  
I see almost no connection at all.

Phishing *isn't* primarily about mail forgery.  It is about human
naivety and poor security practices at banks.

I bank with "westpac" (among others).
One of the most convincing phishing mail items I have ever received
came from some address @westpac.info  which is not the domain that
westpac uses.   No  amount of technology would have helped a naive
recipient realise that this was a fake, as it came from the IP address
belonging to westpac.info.

If banks want to stop phishing, all they need to do is improve
authentication of unusual transactions.  Whenever I add a new
destination for my funds, there should be some out-of-band or
call-back mechanism whereby the bank confirms that it really is me
performing this new transaction, and not someone who has stolen my
password.  They could ring me up, or send me a challenge in an email,
and possibly require me to use gpg signing in the reply.

None of this is rocket science.  I suspect that the reason that banks
aren't doing it en masse is that it makes life less convenient for
customers and they are afraid their customers will defect to another
bank.

Westpac has taken a small step in this direction - when I add a new
payee, payments will be delayed by up to 2 days.  I have no idea what
they do during those two days.  The chance of me checking my transactions
in those 2 days is minimal (though if they were to email me every new
transaction, it has a somewhat better chance of success).  As I say, a
"small" step.

So in summary, while phishing may be a multi-million dollar problem
for banks, it has virtually nothing to do with forged domains in
Email.

NeilBrown

