Phishing Scams Incorporate SSL Certificates
dettifoss writes "Netcraft reports:
'Internet "phishing" scams are incorporating the use of SSL certificates in their efforts to trick users into divulging sensitive login information for financial accounts.'
Perhaps more disturbingly: 'Scammers can also configure their web server so that deceptive SSL certificates won't trigger an alert in the user's browser. "One of the SSL encoding methods is 'plain text'," Neal Krawetz from Secure Science Corporation noted in the SANS post on the issue. "Most SSL servers have this disabled by default, but most browsers support it. When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted.'"
I agree, most users don't even pay attention to the lock.
And even if they do... SO WHAT -- gee your data is encrypted for the 100ms it travels between your PC and the web server.
But is the web server itself secure? Most aren't... most are written by ASP + PHP programmers who have no clue about SQL Injection.
Excellent point, you have to consider the pinheads who are keeping your credit card data on file as well. Somebody comes by, cracks a few passwords and they walk off with all this data. That's a lot less work than busting SSL.
Average Joe doesn't have any idea what encryption is or why it's important. Average Joe just wants to point, click, and buy. Hell, I rarely pay attention to it.
Isn't it more likely that people were suckered in not because of the SSL trick but rather simply from "scam" or mimic pages instead?
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
What, is this going to trick another 1% of so-called "technically adept" people *COUGHmcseCOUGH* into giving their online bank login info over a freakin' website? Whoever ASKS YOU for your login information?! They reset it, and they have you reset it upon login.
Ooooh... Wait a minute. That could be a NEW strain of e-mails... Just takes a little more HTML craftsmanship to code a fake E-Mail with a "reset" password, you log into the evil website with it, and enter in your "new" (which would most likely be your old one again, for most people) info. Scary!
It is pitch black. You are likely to be eaten by a grue.
Wasn't the entire point of SSL to be encrypted? Whose bright idea was it to put plain text in SSL in the first place, much less give browsers support for it?
If I understand correctly, phishing comes into play when users are sent an e-mail with a bogus link. Probably something like "we've detected fraudulent use of your account, please follow this link to verify your information" etc. etc.
There is no reason to follow links in e-mail to get to a site that you regularly use. If you doubt the authenticity of an e-mail from, say, American Express, just visit the site as you usually do, through a bookmark. After logging in you should be able to access the necessary info.
Or worse yet... the people who have the root passwords to the server walk off with the data with no hacking needed.
You can create self-signed certs just as easily with Microsoft's certificate management tools.
Users are conditioned to click Yes/OK to *any* dialog box that gets in their way, without reading it.
I think you'd be better off asking why the existing laws against fraud and deceptive trade practices aren't enforced.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Sad thing is, it's getting harder and harder to be able to give them basic advice.
At the rate things are going, you pretty well have to know all the same tricks the spammers/scammers do...
I mean, just the other day, I got a message from PayPal about my account. Oops, I don't have one... Okay, so that would've been my first clue, but it was faked well enough to pass Hotmail's spam filter, and it looked official, like I really had had an account suspended.
So I check the email source, because I know better. Sure enough, it's using the %00 bug to catch IE users. Assuming they would know to look for where the link actually pointed, instead of where it claimed to.
In the meantime, I went to the page. Sure enough, it wants every bit of information imaginable. All the other links off it link to actual PayPal pages... the status bar at the bottom is left blank via JavaScript. So the unobservant and gullible would be hosed...
Naturally, I feed it totally fake information (might as well give them more false data... shouldn't harm anyone, should only help get them caught, I hope), just to see what it does. Sure enough, redirects you to another actual part of the PayPal site. I sent off a LART to the hosting provider's abuse email. No response. I don't consider that a good sign.
Note that no SSL was required here. Just official-looking pages. Granted, I didn't fall for it, but I know more about these exploits than Joe Average. Joe Average probably wouldn't know what was wrong with %00 in a URL if he saw it.
This is sad, too. I've taught classes on this, and I try to teach the class as much as they are capable of understanding. Even so, it's getting to the point where I feel like they need to know at least as much as I do just to avoid these stupid scams. There's a new one made up every day, it seems, and I spend a lot of time just keeping up with what the lowlifes are doing...
So the point of all this? We practically need a "scam report" type of newspaper for the general public. Not to mention a primer detailing the older tricks in the book... not to mention some way to get the average public to read them both.
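The post above describes checking the mail source to see where a link really points rather than where its text claims, including the %00 (NUL byte) trick. As an added example that is not part of the original thread, here is a small link auditor for that kind of check; the mail body and all hosts in it are constructed (documentation-range address, example.net), not taken from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample mail body with hypothetical hosts; only the last two links are genuine.
SAMPLE_MAIL = """
<p>Your account has been limited. Please verify your details.</p>
<a href="http://www.paypal.com%00@203.0.113.10/verify.php">https://www.paypal.com/cgi-bin/webscr</a>
<a href="http://paypal.com.example.net/login">paypal.com</a>
<a href="https://www.paypal.com/help">https://www.paypal.com/help</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def claimed_host(text):
    """Host the link text appears to point at, or None if the text is not a URL or hostname."""
    if "://" in text:
        return urlsplit(text).hostname
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I):
        return text.lower()
    return None


def same_site(claimed, actual):
    """True when the real host is the claimed host or a subdomain of it."""
    return actual == claimed or actual.endswith("." + claimed)


def audit_links(html):
    """Return one finding per suspicious link: (href, real host, list of reasons)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        actual = parts.hostname or ""   # hostname is whatever follows the last '@'
        reasons = []
        if "\x00" in unquote(href):
            reasons.append("NUL byte (%00) in URL")  # the truncation trick mentioned above
        if "@" in parts.netloc:
            reasons.append("userinfo before '@' hides the real host")
        claimed = claimed_host(text)
        if claimed and not same_site(claimed, actual):
            reasons.append(f"text claims {claimed} but link goes to {actual}")
        if reasons:
            findings.append((href, actual, reasons))
    return findings
```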
It is illegal under current laws (wire fraud, misrepresentation, etc.). The hard part is catching them; also there are jurisdiction issues. I mean really, there was no need for new murder laws when guns came about. This is fraud, and oftentimes theft: plain vanilla crime, but with a new delivery method. Also, to be honest, most DAs would probably rather go after child porn than something so unlikely to get their names in the paper as white collar credit card scams.
I'd do something interesting, but my server can't handle a slashdotting.
Would there be a way to have the browser display some sort of image transparency on the secure web page?
Given that the problem can be clearly stated and this is software we're talking about, yes -- such a method could easily be implemented. Alternate solutions could be changing the colors for the titlebar/statusbar, unique secure text/mouse cursor icons, flashing page borders, etc. However, if the trust is misplaced (as this article suggests) then all this notification is kind of pointless. User education on top of security-conscious software is still the best way to deal with security concerns.
Let me give you an example. Suppose you're in the nation of Grand Fenwick, and bank with the National Grand Fenwick Bank. I, who live in Mordor, decide to target customers of the National Grand Fenwick Bank, and set up a fake website at http://123.456.789.0/gf.php[1] that mimics their logon screen. I then send out millions of emails to lure customers of NGFB to my website.
Within minutes of these emails being sent, the Powers That Be at NGFB know about the fraud that's being committed in their name. They know what host is hosting the scam. They know (or can easily find out) where the host is located physically. BUT:
- How do they know whether that host is a willing or unwitting party to the fraud?
- How do they prove it, if it's willing?
- If it's unwilling, how do they track down the perpetrator?
- Assuming they can track down the perpetrator, how do they take said perp into custody?
It just so happens that the host is my own, and I'm listed as the registrar. Alas, alack, there is no extradition treaty between Mordor and Grand Fenwick, so all they can do is shout threateningly across the ocean at me, whilst I mock their puny and powerless attempts to bring me to justice. There are too many levels of proof needed to bring a conviction, and even if they're all satisfied, if the perpetrator is in a country such as Russia, all hope goes out the window. In fact, all it takes is one layer -- me hiring a Russian to obtain these details -- to protect me (as long as I'm careful about how I use those details).
The police and fraud departments are aware of these issues, and they're trying to resolve them. Unfortunately, political problems get between the problem and the solution. Things aren't helped when it takes me a half hour to alert the bank and/or police of a currently active fraudulent site...
[1] Yes, I know this is an invalid IP address. You're missing the point.
This is fine by me. Everything up to that point doesn't need to be encrypted. However, the only way to verify that the form (i.e. credit card #) will be sent over HTTPS is to View Source and look for the POST line. And this makes verifying certificates and encryption methods even harder.
Would it make sense for a tooltip over the Submit button to show the destination of the POST? Or at least whether it's secure? How about some useful items on the right-click menu?
While I'm on the topic... When I right-click and hit View Source, why can't the browser open an editor and scroll to the line of code that I right-clicked on? I know Firefox & IE don't; maybe something else does already...
I don't care if you're using 2048-bit encryption to purchase that new GeForce - if SuperDealUpgradeStore so much as leaves the wrong port open on the firewall or uses a simple password and doesn't check logs, you're hosed.
As the saying goes: "Security is a process, NOT a product."
The auto industry went through this when they put warning bells/buzzers on their cars telling drivers/passengers that their belt was not done up. The warning was persistent and loud - and got disabled (read ignored for the lock symbol and turned off for the message) ASAP.
They (the auto industry) learned though - they put the buzzer/bell on for only a few seconds at the beginning of the trip - reminding those who cared and not pissing off the rest enough to result in turning off the warning permanently (and thereby removing the warning from others who might drive the car/run the browser).
The lesson is "If you are going to issue a warning message - do it for a few seconds and then get rid of it so the idiot driving doesn't use wire cutters to remove it altogether"
Are you listening programmers?
Been there, done that, paid for the T-shirt
and didn't get it
Interesting post, but I'm glad it wasn't designed to protect people against hostile hosts. If it was, we'd probably not have the internet as we know it today. Somebody would have raised a scare early on, and the government would have heavily regulated it.
Now, after the fact, engineers can design useful protocols to work on top of or in conjunction with the internet to help solve the problem of hostile hosts. IPsec, SSL, PGP, firewalls, ssh, and fancy switches/routers all help to protect people from abuse.
And now, we have a high degree of internet freedom. We can pretty much do what we want with our bandwidth. People will get mad and hunt you down if you crack systems, violate copyrights or send spam, but aside from that, it's pretty much free. And even with all this freedom, it just requires a little persistence to prevent your machine from getting hacked.
Social scientists are inspired by theories; scientists are humbled by facts.
Actually, it does provide security if the provider will only issue the certificate after checking your identity...
The other thing that signed certificates prevent is man in the middle attacks.
Hopefully the technological divide will diminish before a major financial catastrophe occurs.
Not a chance. Until something big happens several times, there simply won't be enough of a drive to make anything better.
So many people are so content with the crap that Redmond pumps out, it's just disgusting. They're also afraid of the effort to learn anything new. Every time someone complains about popup ads, I tell them that there are other browsers they can use which will block them. Guess how many have switched! That's right, very, very few. Most people just go back to the "comfort zone".
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
No it doesn't. It underscores the need to make browsers that aren't quite so bloody stupid, and do things like always displaying the real URL (gasp!) and not allowing Javascript to open new windows without the normal user interface security features (or a big yellow border saying 'Javascript window'). In fact, it might be a good idea to always have a grey border of a few pixels between the contents of a page and the user interface widgets surrounding it.
They may have a point on the SSL certificates, but the whole PKI thing seems a complete crock anyway... Verisign, Thawte and the like are not exactly the world's most trusted institutions. Maybe in the case of banks and other high-security sites it should be possible to pick up a free CD from your local branch or from your country's financial regulator containing the public keys. Then there would need to be a simple and foolproof way to import this key into your browser.
-- Ed Avis ed@membled.com
Cuz if the guy is a slimeball who found your wallet lost on the street and decided to have some fun on you, it's all too easy for him to do that. Whenever I use my credit card in person I'm never asked to prove my identity. One time a while back a boss I had asked me to fill his truck and use his card and to call if they gave me any trouble. They swiped the card without even looking at it.
Hell, even if it's you using your own card... people are really careless and only seem to have concerns about using their card on the 'net. Too many people out there verbally broadcast their credit card info to strangers over the phone who solicit them for donations to feed the starving Africans, or hand their cards to the attendant at the full-service station when they fill their vehicles, or willingly give it to the waitress when they have lunch at Denny's, or whatever else.
I dated a diner waitress once, and know the types of losers who ended up as permanent pump jockeys from summer jobs as a teenager. I have personally witnessed those environments. In both situations many (if not most in some cases) of those employees are poorly educated, poorly paid, perennially broke, dopey chronic potheads. Also, some call centres are also pretty lax and will hire anyone who will stay long enough to learn how to use the predictive dialer system. AND WE TRUST THESE PEOPLE WITH OUR CREDIT CARDS!
Because of that I NEVER buy anything, book a room or hire a car over the phone...I go online so my credit card number is at least encrypted (and I hope that the computer jockeys are at least a bit more trustworthy than a call centre operator). I NEVER give my credit card to a waitress or a pump jockey--if I use my card at all I go to the cashier and have them swipe it electronically. Authorisation is instant and the receipt they retain doesn't show the whole number anymore (I also NEVER use the old "click-clack" impression machines either).
Sounds paranoid? Well, it's far easier to exploit those common real-world events than to set up an internet phishing expedition. C.C. fraud on the INTERNET? Even if your number was sent in the clear it's typically in transit for less than a second, and could only be sniffed out by people with access to special equipment. Sure you have to be careful about encryption and authentication but (for now) online transactions are still mostly safe. Much less bother for criminals to pursue other opportunities.
It sounds harsh, but that's basically the theory behind preventive security for your house or car.
The 128 refers to the symmetrical encryption key that's used. SSL technically is a hybrid system; it uses public key, which is RSA, for the initial handshake, but it then uses RC4, AES, 3DES, Blowfish, or whatever other symmetrical algorithm, for the rest of the transmission.
Public key involves coprime numbers (and the extreme difficulty in factoring them).
Symmetrical algorithms do not; they only require a key, hence the 128 bit key. Brute forcing a 128 bit key is computationally infeasible (that's an understatement), so you're right about it being in all practice, unbreakable.
SSL's real vulnerability is the public key infrastructure and the often poor implementations of it. The main holdout however is getting your key signed by a certificate authority (Verisign, Thawte, etc). I don't know any details but the posts would seem to suggest that plain-text isn't checked, or at least there's no popup warning.
This answer's probably longer than you wanted, but in principle ssl is cryptographically solid (to the extent of my understanding). Implementations are the problem.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Interesting. So, you want really heavy, hardline controls on the internet - draconian regulations about who can do what, in just about every aspect of net existence. And yet...
Pro-SPEWS? Welcome to my foe-list.
You don't like people publishing a list of ISPs that harbour spammers and suggesting that it be used for email blocking.
Does this strike you as inconsistent in any way?
Real Daleks don't climb stairs - they level the building.
Fortunately, the open-source SSL systems also provide a solution to this problem.
Look here
Tells you how to install your self-signed certificate into your clients' browsers.
For anyone with too many clients to do this practically... well if you have that many clients you should be making enough money to buy a certificate from a trusted authority.
"However, if the trust is misplaced (as this article suggests) then all this notification is kind of pointless."
Which is the crux of the whole issue.
Even a properly-registered, fully-valid SSL certificate only proves (to a reasonable extent) that the entity is what it claims to be. It's still up to the user to determine that said entity is trustworthy. It's that way in e-mail with PGP/GPG keys; SSL-encrypted web pages are no different.
Browsers should probably be set up to pop up a warning if plaintext is used for SSL, since it violates the very security SSL is supposed to ensure. Also, checking around for a company's reputation is a good idea. Is there a central site that keeps track of reputable dealers versus known scams?
All that said, the only reason internet transactions are any more problematic than those in person is that you don't know exactly where the person on the other end is - which is also a problem for phone payments. Certainly, identifying an encrypted credit card order, much less decrypting it, is not a task for the faint of heart; with so much network traffic, it's next to impossible to pull stuff like that unless you're specifically monitoring on one end or the other, right? Even if you do spot encrypted traffic, it might be a credit card transaction, or it might be account management of some kind, or it might just be someone connecting to a bulletin board that's set up to use SSL.
(As an aside, I suddenly have a renewed urge to get SSL working properly on my FreeBSD box, even though I don't handle anything remotely related to financial data or business secrets. Perhaps it's time to hit O'Reilly again.)
NB: YMMV. IANAL. Take the above with a grain of salt.
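The "plain text" SSL mode the story quotes, and that the posts about the 128-bit symmetric key and about browsers warning on plaintext SSL both come back to, is a NULL cipher suite: the handshake and MAC happen, but the bulk cipher does nothing. As an added example that is not from the thread, here is how a client refuses to offer such suites (Python's standard `ssl` module with OpenSSL cipher-list syntax) and how to audit a suite list for them; the server-advertised list is constructed.

```python
import ssl

# Constructed list standing in for what a server with "plain text" enabled might advertise.
SERVER_ADVERTISED = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # encrypted, authenticated: fine
    "NULL-SHA256",                   # OpenSSL name for an unencrypted suite
    "TLS_RSA_WITH_NULL_SHA",         # IANA name for the same idea
    "AES256-SHA",                    # encrypted, no forward secrecy: weak but not plaintext
]


def null_cipher_suites(names):
    """Return the suite names that would send application data unencrypted.

    OpenSSL-style ("NULL-SHA256") and IANA-style ("TLS_RSA_WITH_NULL_SHA") names
    both carry a NULL token in the bulk-cipher position, so a token match is enough.
    """
    bad = []
    for name in names:
        tokens = name.upper().replace("_", "-").split("-")
        if "NULL" in tokens:
            bad.append(name)
    return bad


def hardened_client_context():
    """Client context that only offers encrypted, authenticated suites and validates certs.

    !eNULL drops suites without encryption (the plaintext case); !aNULL drops anonymous
    suites, which would negotiate without any certificate and invite a man in the middle.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def offered_suites(ctx):
    """Names of the suites this context would actually offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("plaintext suites advertised:", null_cipher_suites(SERVER_ADVERTISED))
    print("plaintext suites we offer:", null_cipher_suites(offered_suites(hardened_client_context())))
```

With the hardened context a server that only speaks NULL suites gets a handshake failure instead of a silent plaintext session, which is the warning the post above wishes browsers would give.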