1 / 10

The Future of Phishing

The Future of Phishing. Ross Anderson Security Group USEC 2007 15 Feb 2007. Background. Trojan logon scripts in 1970s – now we have ‘trusted path’ (ctrl-alt-del). In 1990, ‘password fishing’ referred to false terminals

milton
Download Presentation

The Future of Phishing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Future of Phishing Ross Anderson Security Group USEC 2007 15 Feb 2007

  2. Background • Trojan logon scripts in 1970s – now we have ‘trusted path’ (ctrl-alt-del). In 1990, ‘password fishing’ referred to false terminals • Social engineering – ‘pretexting’ long used to get passwords (and everything else).Example: bogus bank staff request PIN for stolen card. • Combining these threads: the spelling ‘phishing’ appeared in 1996 in the context of AOL password solicitation

  3. Background (2) • As the security technology improves, attacks will inevitably shift to target people • Our pretexting research in 1996 • Greening, ‘Ask and Ye Shall Receive’, SIGSAC Review Apr 96: 138 of 336 students mailed in a passwordon request; most changed their password • OPSEC is hard enough for staff – next to impossible for customers • 2002: Mitnick publishes “Art of Deception”

  4. Background (3) • First electronic banking service to retail customers – Bank of Scotland 1984 • Account nomination – customer had to specify recipients and limits in writing • Also, one-time passwords (paper list) • Nomination, and distinction between ‘safe’ and ‘dangerous’ transactions, vanished during the dotcom boom • Instead, contract terms used to dump risk

  5. Developments in 2003 • First chip and PIN skimmers appear in Italy • CAPTCHAs take off, initially as a spam countermeasure for email services & blogs • Signs that online criminals were getting organized and specialized – different groups would steal card numbers and do cashout • First six reported cases of phishing for bank passwords

  6. Phishing • ‘Victims are lured by an email to log on to a website that appears genuine but that actually steals their passwords’ • Early attempts were crude and greeedy – but the phishermen learned fast! • Genuine bank emails used, or clever psychology (‘thank you for adding a new email address to your paypal account’) • Losses now 8 figures UK, 9 USA. In UK, one bank took £30m of £36m losses last year • The Rockfish gang

  7. Banks make it worse! • Paypal, Xmas 2006, directs customers to a competition at paypalchristmas.co.uk (owned by a small marketing company) • Halifax Share Dealing Services sent out a spam with a URL not registered to the bank, and its fraud department initially agreed it was a phish (until its was reported to the ISP for takedown)!

  8. Countermeasures • ‘Blame and train’ – long known to not work in safety-critical systems • ‘Check the English’, ‘look for the lock’, ‘click on images but not URLs’, ‘parse the URL’ • Phishermen good at turning advice round • Various psychological reasons why this strategy is unsound (fundamental attribution error, default from ‘physics’ to ‘social’ processsing mode, …)

  9. Countermeasures (2) • Link to machine – password manglers / TC / client certs / browser password cache (but: banks resist mechanisms that stop roaming or that aren’t universal) • Soft keyboards (but: not too hard to defeat) • Toolbars (but: see Jackson et al) • Two-factor (but: real-time man-in-midle) • Multi-channel, such as SMS (but: ?)

  10. What next? • Security in the old days depended on back-end controls, plus front-end authentication • Banks since 2000 or so have tried to get the front end to carry all the load, as it’s easier • I doubt this will work! We should expect the return of back-end controls • Why should a bank customer expect to be able to mortgage his house and send all the money to the Phillippines, from an Internet café in Peshawar? • Liability will also matter …

More Related