Gone Phishing?
Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."
ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.
However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
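One way to close the reload loophole just described, as an added example (not ING Direct's code): the chosen question is bound to the account until an answer is submitted, and repeated failures lock further attempts. The question set, stored answers and in-memory tables are constructed for the illustration.

```python
import hmac
import random
import secrets

QUESTIONS = ("zip", "ssn_last4", "phone_last4")      # constructed stand-ins for the real set
MAX_FAILURES = 3

# Constructed enrolled answers, keyed by account id.
ANSWERS = {"alice": {"zip": "90210", "ssn_last4": "1234", "phone_last4": "5678"}}


class RerollableLogon:
    """Picks a fresh random question on every page load: the flaw described above."""

    def get_question(self, account):
        return random.choice(QUESTIONS)


class BoundLogon:
    """Chooses the question once per account and keeps it until an answer is submitted."""

    def __init__(self):
        self.pending = {}     # account -> question currently posed
        self.failures = {}    # account -> consecutive failed attempts

    def get_question(self, account):
        # Reloading returns the same question; only submit() advances it.
        if account not in self.pending:
            self.pending[account] = secrets.choice(QUESTIONS)
        return self.pending[account]

    def submit(self, account, question, answer):
        """True on success. Every attempt, right or wrong, consumes the posed question."""
        if self.failures.get(account, 0) >= MAX_FAILURES:
            return False                              # locked: no further guessing
        expected = self.pending.pop(account, None)
        stored = ANSWERS.get(account, {}).get(expected, "") if expected else ""
        # The client may not substitute a question it would rather answer.
        ok = (question == expected and
              hmac.compare_digest(answer.encode(), stored.encode()))
        self.failures[account] = 0 if ok else self.failures.get(account, 0) + 1
        return ok
```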
This can only continue to rise. I'd imagine this is a good way to make money that won't be stopping soon. Consumer ignorance is high, and this is just another way of exploiting it. Make sure to educate your friends and families and check out the Anti-Phishing Working Group.
people should watch out for sites that seem at all phishy. i hope the govt. phish out who these bastards are so they can't phish anymore.
:(
this is one phucked up crime
If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.
Tired of Political Trolls? Opt Out!
1. Make certain the site name is not all numeric.
2. Make certain it is spelled correctly.
3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.
I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.
So far so good....
She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....
10 billion? Since when do banks give money to people when they make a mistake?
is that banks themselves are guilty of perpetuating this stuff.
got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....
then it said failure to keep your account info up to date could result in the suspension of your domain. turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.
Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)
Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with their customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
...because you never know who you're dealing with.
Well, if the increase is so much after so little time, these sites must be successful. My father almost got taken by one before, but luckily the credit card company called him to verify the charge. The way I see it, the only way to curb the problem of these sites is to educate as many people as possible in what to look for and just how to be a little more paranoid. Trying to defeat the people making them seems like a definite waste of time, and no matter what kind of verification process companies come up with, user (stupidity | ignorance) will surely foil it. Perhaps we should fashion a few tin-foil hats this Christmas ;)
Try actually thinking for yourself. It's quite refreshing.
Phishing is a big problem for those who may be too old or too busy to remember what their bank's URL should be. With URL spoofing in IE, it's an even bigger problem.
I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an aggressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. The previous author mentioning the example of additional login info is correct, the phisher will just reload until the information requested is available to them.
Here is a link with 6 steps to prevent phishing scams from working. Also discusses the tie in with identity theft in general.
http://sev.prnewswire.com/computer-electronics/20040519/NYW07319052004-1.html
:)
Maybe I'll add this link to my Christmas cards this year.
Banks, Ebay, PayPal, and all the other popular phish targets should have rewards programs for customers who aren't gullible and don't fall for scams. And maybe a "congratulations on not being an ignorant gullible fool" reward would motivate more customers to actually care. Most folks don't, they assume the government will protect them. I think we should stop foiling natural selection and let it do its job.
we will end no whine before its time
Hmmm ... the number of "sites" found doubled just when Google doubled its index size...
"Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.""
Are these losses determined by the same means used by software companies, and the RIAA/MPAA?
Tangentially related. I just had an interesting conversation with CDW. I ordered some toner from them for my laser printer. Set up an account and gave my credit card number through the website. Very typical online experience. We've all done it hundreds of times.
A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.
While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but they could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.
I don't really think there was anything malicious going on but its a good idea to be very careful when something is out of the ordinary, even a little bit.
I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.
Whereas at the moment a phishing victim can reasonably expect their bank to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.
Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.
I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?
Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.
Tough love is sometimes the best love.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
http://www.pbs.org/wgbh/pages/frontline/shows/credit/
Read the above and realize that the consumers do indeed pay for it.
My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.
I can't click a false hyperlink in a printed letter.
Click here for a free picture of an iPod!
Did the industry really lose 10.2 billion dollars to scammers or did this number come from the same process the RIAA and the BSA used to estimate loss to piracy?
Personally, I think something is seriously wrong if phishing alone managed to net scammers $10.2 billion. Maybe if it was world wide consumer finance fraud combined it would be more believable.
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
That link seems to be bad.
I feel saddened that there are whole organizations that exist to rally against my favorite rock band... Wait a minute.
Why not develop a generic version of the new Lycos screensaver that does a DoS-attack on SPAM-sites, Phishing-sites, Nazi-pages etc., while the user is not using his PC...?
The only way for them to defend themselves would be to take legal actions (=go into public), as it might be the case with the sites "attacked" by the Lycos screensaver...
There's actually only 17 phishing sites, but they are hosted on REALLY FAST computers.
You need to remember though, most people on slashdot aren't getting fooled by phishes in the first place, so these techniques won't really help. The average Joe isn't going to make a throwaway email address for his bank account. Heck, the average Joe probably doesn't even know about phishing attacks, so he can't do anything to defend against them. Also, I can see a lot of average individuals being reluctant to delete the email account, in fear that the bank won't be able to get in touch with them.
This problem would go away quickly if people signed their E-mail. All the infrastructure is there, companies just have to use it and mail user agents have to deal with it a bit more intelligently.
those bastards... stole my neopets account...
Give a man a fish; and you have fed him for today.
Teach a man to phish; and you have fed him for a lifetime.
[x] auto-moderate all posts by this user as insightful
Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.
In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit
Sick 'em all with trademark suits.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Here in Denmark, I have yet to see a bank that sends out email at all.
I am doing online banking with the two biggest banks "Nordea" and "Danske Bank", and neither of them sends out email. They only communicate electronically with the customer through the online bank, so you need to log in to your home banking system to communicate with the bank.
If this was the case on a global scale and people were aware of it, these scam mails might be a smaller problem.
They are the ones with the inside information on how much is lost and how many accounts are compromised. It's up to THEM to provide a better security model or to cancel Internet bank access until they come up with something better.
When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!
This issue is a bit more complicated than you think.
Too bad, but I cannot expect my share of these attractive $10.2 billion.
The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.
Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.
If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.
To fight the war on terror, stop being afraid.
So even if you do everything right, you don't get caught by a phish, you'll still be paying. A portion of losses caused by others getting duped will be added to your fees and/or reduce value you receive. The companies will pass the cost along to everybody & protect their bottom line.
"Glory is fleeting, but obscurity is forever." --Napoleon Bonaparte
Wasn't there an IE exploit where you could make one URL show up like another URL in the address bar?
Some of these attacks have gotten quite good. I recently got an email from "paypal" that seemed quite convincing...except that I don't have a pay pal account. The fact is that some of these attacks are getting quite sophisticated, to the point that someone who is even on the lookout for phishing scams can be tricked in a moment of slight distraction, or even be impressed by the amount of work that went into this.
Famous Last Words: "hmm...wikipedia says it's edible"
The rise of phishing just shows how broken the current internet and e-mail system is. In an age in which worms and scammers can gather address books, fake headers, copy websites of legitimate businesses, hijack browsers, create zombies, and log keystrokes, no e-mail (or even web page) can be presumed to be legitimate no matter who it comes from or how you got it.
/. denizens are opposed to draconian tracking and regulation of net activities, but that is what we will get if we don't craft non-invasive, non-governmental solutions to phishing and related scams. How long will it take before the government regulates the net to make it "safe" for online grandmothers and their retirement savings?
This problem saddens me greatly because it ruins the promise of global communications. Rather than a utopian information paradise for everyone, we seem to be allowing the creation of a back alley in which few dare to tread.
If e-mail and the internet are ever to become truly useful, they must become simply trustworthy (as in simple to trust). Consumers (i.e. non-geeks) must be able to trust incoming emails or email is useless. Consumers must be able to trust webpages and their computers or these tools become useless.
I know that many
Two wrongs don't make a right, but three lefts do.
Don't get me wrong, I believe this to be a serious issue. BUT, every time there is a problem like this, the price tag to those unfortunate scammed or wormed or virii'd is an amount of money that seems a little ridiculous. Seriously, 10.2 billion? 10.2 billion what?
Why don't any banks have pki as an option for authentication? You have a password and a private key. I know some people will say it is too complicated, but why not have it as an option for those willing to take the extra precautions?
Nah, just part of /.'s web-bot foiler. Take out the space in "20040519" and it works fine.
Why do I M2 everything negatively?
We have one time pads for our banks (at least my bank has them) and you have to verify your transactions with another code.
Back in the mid 90's (hey statute of limitations, juvi back then), I used to go dumpster diving. I remember dumpster diving at Budget Rental car. They would shred most of their credit card receipts, but a couple didn't make it to the shredder. I never did anything with the receipts, but it was easy to get them.
>Seriously, 10.2 billion? 10.2 billion what?
lira, so it's actually not that big a deal.
Phishing, the 21st century's stupidity tax.
'Be always mindful, even when ditch-digging.' --D. T. Suzuki
I received a paypal phishing scheme email just yesterday. I have paypal but not on that email account. Here is what the url looked like:
http://www.cisec.or.kr/~sr5141/paypal/update.htm?=https://www.paypal.com/cgi-bin/us/eng/cmd=login&access979879879879879@#$@*(*87987987234242@#$@$@$@$@$@$9
(Have a ball with the address if you want.)
If I was using IE then it would have spoofed the url as well.
I halfheartedly filled in some obscene words to send, however so much data was asked for in particular ways that I never could validate the screen for sending without carefully crafting a reply ( I was cutting and pasting) so I aborted instead.
And in the end, the love you take is equal to the love you make
so lucrative.
If only Swami didn't want the hassle so much $ brings he'd be offshore and phishing tomorrow.
Hell, as it is, he can't manage the checking account, never mind $10^7!
Now I'm the grandest Tiger in the Jungle!
Pesos.
Laws are for people with no friends.
How can I be sure that this [slashdoter.org] is the real slashdot? Hmmm... and why did it suddenly require my credit card for verification this time? Gosh could someone email me and let me know if all is on the up and up here.
Basically, the bank would give each netbank customer a physical device.
This device would be specific to the customer and would contain a special hash embedded in it. Each time you log in to the netbank, it gives you a randomly generated hash (something using the current date and time as part of the randomization process is good). Then, you input this hash into the device and it combines it with the stored hash and prints the result. The result is then input back to the netbank along with the other banking details (and compared to a similar hash calculated securely by the bank system based on the same hash as is stored in your device).
That way, even if a hacker can get the hash you input into the banking, it won't work since the next time you access the netbank, it gives you a different hash to feed into your device.
Also, just to be even more secure, the bank will record the IP address of the computer talking to it next to the hash (so when you send back the hash from your device, if the IP address isn't the one that originally connected to the bank, it will reject it).
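The device-plus-challenge scheme from this post, worked through as an added example (not any bank's code). It uses HMAC-SHA256 with HOTP-style truncation in place of the post's unspecified "hash", folds the issue time into the challenge, and enforces the one-shot, expiry and IP checks the post describes; the Bank and Token classes and the injectable clock are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time


class Token:
    """The customer's device: holds a per-customer secret that never leaves it."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        """Combine the bank's challenge with the stored secret; print the result for the user."""
        mac = hmac.new(self._secret, challenge.encode(), hashlib.sha256).digest()
        # HOTP-style dynamic truncation (RFC 4226) so the result is 8 typeable digits.
        offset = mac[-1] & 0x0F
        code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{code % 10**8:08d}"


class Bank:
    """Server side: issues one challenge per logon and checks the typed-back response."""

    def __init__(self, clock=time.time, max_age=120):
        self.clock = clock              # injectable for testing
        self.max_age = max_age          # seconds a challenge stays valid
        self.secrets = {}               # account -> token secret, shared at enrolment only
        self.pending = {}               # account -> (challenge, issued_at, client_ip)

    def enrol(self, account):
        secret = secrets.token_bytes(32)
        self.secrets[account] = secret
        return secret                   # programmed into the customer's device

    def issue_challenge(self, account, client_ip):
        # Issue time plus 48 random bits: a fresh challenge for every logon.
        challenge = f"{int(self.clock())}:{secrets.token_hex(6)}"
        self.pending[account] = (challenge, self.clock(), client_ip)
        return challenge

    def verify(self, account, response, client_ip):
        entry = self.pending.pop(account, None)   # one-shot: a captured response cannot be replayed
        if entry is None:
            return False
        challenge, issued_at, ip = entry
        if client_ip != ip:                       # must come from the IP that asked for it
            return False
        if self.clock() - issued_at > self.max_age:
            return False
        expected = Token(self.secrets[account]).respond(challenge)
        return hmac.compare_digest(expected, response)
```

A proxy that relays the challenge to the real customer within the expiry window still obtains one valid response; the IP check and short window narrow that, they do not remove it.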
I wonder if it is possible to automatically spider for suspicious sites with images and logos from financial institutions that don't belong there? They could be shut down almost before the scam gets started.
My rights don't need management.
...wouldn't their lapdogs in government be doing something about this?
I wonder if $10.2 billion represents a "real" number, as in $10.2 billion dollars total actual sucked out of bank accounts, or if its one of those squishy numbers that represents a bunch of soft costs like customer service time and other "clean up" costs (you know, like the RIAA "lost sales" number or "virus cleanup" costs).
While I don't doubt that fraud runs rampant on the Internet, I also have a hard time believing that a business sector is actually losing billions of dollars without either making it up by charging everyone fees, or having the government bail them out in some way or other.
He was there for about 40 false responses, now he's not there. Is he gone or did he just block me.
The chance of successfully fooling the user is increased if a script can alter the browser interface. For instance, a script might hide the status bar and then generate its own status bar with a fake lock icon. Users can prevent this by adjusting their browser preferences to prevent unauthorized interface alterations.
Users of the Mozilla Firefox browser can secure their setup with the following steps:
U r a dumass. post the freaking link. Dont cut n paste. Slashdot engine fucks it up
You don't need anything after a question mark i.e.
http://www.cisec.or.kr/~sr5141/paypal/update.htm?
But it looks like he's already gone.
Damn,
Even with an equal share for each site...that is almost 9 million dollars per site. If I got in last year, I would have been almost 20 million richer.
Ah, if only I knew and got into phishing last year.
10 billion dollars? I think people should have to have licenses to own and operate personal computers. Too many stupid people running around getting into trouble due to lack of knowledge.
Here's where email security would come in real handy. If we could convince the banks to digitally sign the email they send us, and for them to tell their customers that if it's not digitally signed by them, then it isn't from them, then there wouldn't be so many problems. On the other hand I would never click on a link in an email to update my account details. I can't believe they aren't holding the customers liable. They hold them liable if they tell people their pin code. This is pretty much the same thing.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
At the moment, it looks like a single guy is poking at our servers, as all of the phishing incidents we've had thus far include an Ebay scam and a Suntrust scam. Given how the attacker works (changes the contact email to a yahoo account, yes, we've sent Yahoo an abuse notice to get it shut down) I'd guess he's obtaining the users passwords, not getting any actual control over our server.
Anyhow, the big thing is that hosting companies do actually care about this stuff. I'm sure that ISP's do too, but the only ISP's I've ever worked for, I did so in a strictly cube-farm-slave capacity, so I can't say. If you find this happening, don't just send them bad data, report it to the hosting company or ISP. Not to sound idealistic on Slashdot or anything, but it can actually make a bit of a difference.
-Rob
The first article link makes a very good point.
If people used something like the RSA encryption key fob with the password that changes every 30 seconds, then this scam technique simply would not work. For those of you who do not know what a key fob is, this is a little wireless device, small enough to fit on your key chain. Every 30 seconds or so, a new password is transmitted to this device. You combine this password with an existing, static password and use it along with your user id to log onto an account.
A simple, static userid/password is not very secure, because it never changes. Honestly, how many people actually change their passwords that often? Many people have more userid/password combinations than they can keep track of. Given the number of passwords people have to manage, you had better believe that they are not going to change them. If a web site forces customers to change their passwords very often, I'll bet most people will take their business elsewhere.
The simple userid/password method is obsolete, and should be phased out.
I believe most websites need to get out of the security business. We need an organization that is to security what Visa is to credit card transactions. For example, envision your bank's login page displaying various security logos for the various 2 phase security systems it supports. If you see the logo for "KeyStar Security Network", and you have a KeyStar fob, then you know that you can use that particular fob to help access that site. If you see the logo for "StickyFingers Security", then you know you can use your StickyFingers fingerprint device to help access that site.
If the computer got pwned, I bet they could make a few changes to the host file. Seems like a better way to do it. Sneakier anyways.
It's easier to fight for one's principles than to live up to them.
It seems like it should be easy to follow the trail to catch these guys. What's the typical way a perp sets up a fake site? I assume they hijack a web site, but I have seen some where they have a TLD.org url. Can't they find those who registered the domain name? Why is it so impossible to catch these people?
I got this email today in fact, and it gave me quite a scare. In fact, I had to immediately change my password on ebay because I got past their logon screen before realizing what was going on. (Yeah I know, after going back and looking at it it reads "Dear ebay" at the top... I missed that the first time through though.) This is the scariest one I've ever seen (entire email below):
Dear eBay,
We regret to inform you that your eBay account has been suspended due to the violation of our site policy below:
False or missing contact information - Falsifying or omitting your name, address, and/or telephone number (including use of fax machines pager numbers, modems or disconnected numbers).
Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This prohibition includes the registering of a new account.
Please note that any seller fees due to eBay will immediately become due and payable.
eBay will charge any amounts you have not previously disputed to the billing method currently on file.
If you would like your account to be considered for reinstatement, please click on the link below, and provide us additional information.
>> link text: http://signin.ebay.com/aw-cgi/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US
>> actual link: http://24.64.97.177/.cgi-bin/signin.ebay.com/aw-cgi/eBayISAPI.dllSignIn-ssPageName-hhsin.php
Regards,
SafeHarbor Department
eBay Inc.
This has been done before.
So you set up a bunch of systems that capture tons of spam emails. Catch-alls on various domain names, publish the domain names in public along with email addresses (websites, newsgroups, etc).
After your stupid phishing scams hit, eBay, Suntrust, Citibank, Paypal and BOA start hitting them with a few marked accounts. These marked accounts are set up with the purpose of dropping the information to the phishing scam people.
From that point, the phishing scammers will try to use this information for their benefit. At that point, it should be easier to build a path back to them.
That would require effort, it's easier for the banks to tack another dollar onto ATM fees and write off the losses. Has anyone checked to see if banks are actually writing off these losses and reporting them to shareholders?
Just like spam emails, the money goes somewhere. Just follow the money.
Southeastern Virginia REPRESENT!
I received a very well done paypal phish recently. It was sent to my paypal email address (different from my ebay address and never used for anything else).
There was a link that claimed to go to:
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?RegisterEnterInfo
But mousing over revealed that it actually went to:
http://signin.ebay.com-ogi-bin.tk/_eBaydll.php
Note the com-ogi-bin.tk rather than com/cgi-bin
Here is the paypal email. Had to put it in text mode as lameness filter encountered.
What was funny was that the email used the actual paypal site for the logo and blue bars to save bandwidth.
Dear slashdot@hotmail.com
It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records in maximum 24 hours. Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
Please click here to update your billing records.
Thanks for using PayPal!
This PayPal notification was sent to your mailbox. Your PayPal account is set up to receive the PayPal Periodical newsletter and product updates when you create your account. To modify your notification preferences and unsubscribe, go to https://www.paypal.com/PREFS-NOTI and log in to your account. Changes to your preferences may take several days to be reflected in our mailings. Replies to this email will not be processed.
If you previously asked to be excluded from Providian product offerings and solicitations, they apologize for this e-mail. Every effort was made to ensure that you were excluded from this e-mail. If you do not wish to receive promotional e-mail from Providian, go to http://removeme.providian.com/.
Copyright© 2004 PayPal Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners.
And in the end, the love you take is equal to the love you make
I work for the Credit Card division of one of the largest banks/financial services companies in the United States. We have a very large online presence and have been targeted extensively by phishers. It has become a very serious problem. Not only does it cause direct financial loss when accounts are compromised, but we have delayed several new features due to phishing risk. We are in fact talking about a LOT of money. It is one of the top couple of issues for the entire corporation.
Episode 63 of Binary Revolution radio discusses phishing from how it works, to who does it and why to how and why it is on the rise lately.
http://www.binrev.com/radio/archive.html
--- The revolution will be digitized! - http://www.binrev.com/ ---
Most phishing sites link you into your bank's website at some point or include graphics directly from them. Banks should carefully monitor their image referrers and investigate when they all of the sudden have a high number from http://citibank.com@1.2.3.4/.
Another thing to do is to hack the phishing sites. Phishers are typically terrible coders. This means that many standard web attacks can be used to divulge information about them. Even if the site is hosted in a remote nation, they typically forward information elsewhere. Typically they rely on javascript to check for valid input. Disabling javascript and adding some extra ' and " can sometimes give you a PHP error which will also dump the host name of their mysql server, sometimes it's hosted on a US site. Another simple attack is to save the form, edit the form target to be absolute, and then experiment with the hidden values in the data. Typically they do not check to make sure id fields are numeric before creating sql strings out of them. Adding a letter to a numeric id field or using -1 instead can sometimes cause a phishing site to dump useful debug information.
Typically if one of these phishing emails slips by spamassassin I'll try to hack it and forward information to the banks and ISPs involved. I have yet to receive a response, so I assume they either don't care or are way ahead of me. I would think if they were ahead of me they would take less than 10 hours to shut the site down however.
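Link and referrer checks covering the two tells this thread shows (the IP-literal and .tk look-alike eBay links quoted above, and the citibank.com@1.2.3.4 image-referrer trick in the post above), as an added example written here, not code from the posters or any bank. The log lines are constructed Apache combined-format samples, and the two-label "registrable domain" rule is a simplification.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Brand names the phishes quoted in this thread impersonate.
BRANDS = ("ebay", "paypal", "citibank")
IMAGE_EXT = (".gif", ".jpg", ".png")

# Apache "combined" log format: client, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines from a bank's image server (client addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2004:12:00:01 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 '
    '"https://www.citibank.com/us/index.htm" "Mozilla/4.0"',
    '198.51.100.22 - - [10/Nov/2004:12:00:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 4521 '
    '"http://citibank.com@1.2.3.4/login.php" "Mozilla/4.0"',
    '198.51.100.23 - - [10/Nov/2004:12:00:09 -0500] "GET /images/bluebar.gif HTTP/1.1" 200 812 '
    '"http://citibank.com@1.2.3.4/login.php" "Mozilla/4.0"',
    '198.51.100.30 - - [10/Nov/2004:12:00:11 -0500] "GET /us/index.htm HTTP/1.1" 200 10233 '
    '"-" "Mozilla/4.0"',
]


def registrable_domain(host):
    """Naive owner-domain rule: last two labels. 'signin.ebay.com-ogi-bin.tk' -> 'com-ogi-bin.tk'.
    Real tooling should consult the public suffix list instead (e.g. for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def real_host(url):
    """The host a browser will actually connect to, ignoring any user@ prefix."""
    return (urlsplit(url).hostname or "").lower()


def link_findings(shown, actual):
    """Reasons a link whose text reads `shown` but points at `actual` should not be trusted."""
    parts = urlsplit(actual)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # http://citibank.com@1.2.3.4/ : everything before '@' is userinfo, not the host.
        findings.append("userinfo-before-at")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")          # http://24.64.97.177/...
    except ValueError:
        pass
    for brand in BRANDS:
        if brand in host and registrable_domain(host) != f"{brand}.com":
            findings.append("brand-lookalike")      # signin.ebay.com-ogi-bin.tk
            break
    if registrable_domain(real_host(shown)) != registrable_domain(host):
        findings.append("domain-mismatch")          # text says ebay.com, target does not
    return findings


def suspicious_image_referers(log_lines, own_domains):
    """Image fetches whose Referer is not one of the bank's own domains, most frequent first."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(IMAGE_EXT):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            continue
        if registrable_domain(real_host(referer)) not in own_domains:
            hits[referer] += 1     # keep the full referer: the user@ form is itself evidence
    return hits.most_common()
```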
I didn't know Windows had a hosts file, I thought that was a Unix thing. Well, maybe it's true when people say you learn something new every day!
So, I'll admit it . . . I'm a clueless newbie.
Getting hold of someone's PIN may not be that difficult, but the PIN is no use without the card.
Cloning a smartcard is orders of magnitude harder than cloning a mag stripe. That's not to say that it can't be done, but it presently would require hundreds of thousands of dollars of equipment... unless of course there is some stupid vulnerability in this particular chip design.
From the sketchy details I've seen, it seems like your PIN gets fed into your chip and then your chip releases its account information along with some sort of code to verify the transaction.
Your chip will never release the private keys that it uses to create said verification code, therefore even if you could create a new card, you'd need to manually extract the keys using something like a tunnelling electron microscope.
For petty thieves the only solution is to steal the actual card, but that raises the stakes and I'm not sure that many credit card thieves would go there.
Geez, I remember the good ol' days (the '70s) when every computer geek was a long-bearded freak...
now we can't get a damn Phish joke from the 401k/latte crew.
Yuppie scum.
(I'm referring to both new-era geeks and Phish fans.)
I can't think of a reason in the past few months specifically that would make the number of sites double...
Just because this research firm *discovered* more sites, doesn't mean the actual number of such sites in existence increased. Did they even check to see how long these new sites they've catalogued have been around? I suspect the number of sites for phishing was even higher than the current October count of 1,142 way back in September... possibly significantly so.
As long as there are people stupid enough to fall for this kind of stuff, there will be people phishing. My friends ask me "Bank of so-and-so emailed me, but I don't have an account there". The only thing you can do is educate your circle of friends and family. Look at how many ignorant people are out there. There are many friends and family that I scold when they send me stuff like the Mrs. Fields cookie recipe crap or "send this email and Bill Gates will donate money to something". Whenever I get these I send back a link CCing all and direct them to snopes or truthorfiction (.com) and make them look like an idiot. The internet is a powerful thing and you have too many ignorant people using it..... which means people will get preyed upon. Educate one group at a time....... that is all anyone can do.
I've received spoofed emails from paypal claiming that fraudulent activity was taking place and that I needed to login to verify my information. I'm starting to wonder if some of this phishing is being done by ex-employees. It looked very real.
(http://213.98.120.25/paypal/index.htm)
Dear valued PayPal® member: PayPal® is committed to maintaining a safe environment for its community of buyers and sellers. To protect the security of your account, PayPal employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal system for unusual activity.
Recently, our Account Review Team identified some unusual activity in your account. In accordance with PayPal's User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. This is a fraud prevention measure meant to ensure that your account is not compromised.
In order to secure your account and quickly restore full access, we may require some specific information from you for the following reason:
We would like to ensure that your account was not accessed by an unauthorized third party. Because protecting the security of your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection.
Case ID Number: PP-040-187-541
We encourage you to log in and restore full access as soon as possible. Should access to your account remain limited for an extended period of time, it may result in further limitations on the use of your account.
However, failure to restore your records will result in account suspension. Please update your records on or before November 28, 2004.
Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal.
To update your Paypal records click on the following link: https://www.paypal.com/cgi-bin/webscr?cmd=_login-
Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.
Sincerely, PayPal® Account Review Department
PayPal Email ID PP522
Accounts Management
As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements.
Visit our Privacy Policy and User Agreement if you have any questions. http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua
If they spent just 10% of that on paying professional hit men to dispose of the problem, we would all go home happy!
Sent from my ASR33 using ASCII
It's a unix thing that found its way into Windows:
C:\WINDOWS\system32\drivers\etc\hosts
Check out PhishBase for a deeper peek. Uh, hey? What am I thinking?
I personally have a bet that, if Firefox gets popular, hackers will start using its open source nature to phish Firefox itself.
I.e., they'll hand out fake Firefox download links in e-mails or hosts-file hack mozilla.org. Then, when you download, you get Firefox - plus add-on code that sniffs your keystrokes or credit card numbers.
Mind you, this has been my big problem with using Firefox from the beginning: the distribution might contain that kind of thing anyway. At least MS, with their existing millions, are unlikely to be interested in my card number.
Max out your cards now before they do it for you!
Vote Quimby!
No wonder Brazil's superavit has grown so much over the last year... hmmm...
Software can likely be made more secure if the effort were made. Consider the emphasis on features for commercial software, and the dominance of a certain OS platform. Demand from users for more secure software can help. (This is not to imply that users are to blame; many of them are simply not software experts.)
Absolutely! Secure software is a prerequisite for a usable internet. But it will take more than that. The internet will only become useful for everyday activities when consumers can take an e-mail at face value. I see the goal as being able to trust any email from a bank, VISA, eBay, etc. That means some form of secure identities so that the software can verify that an email that looks trustworthy (i.e. has the visual appearance of being from your bank) is trustworthy. Such a system would have to distinguish VISA from V1SA, V!SA, VlSA, etc.
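The VISA / V1SA / V!SA / VlSA distinction above can at least be approximated on the receiving side. The following is an added example, not code from the thread: it folds common look-alike characters in a sender's display name into a skeleton, compares the skeleton against a trusted brand list, and reports whether the name is the real brand, a look-alike, or unrelated. The brand list, the confusable map and the sample names are assumptions constructed for illustration, and this is only a display-name heuristic, not the sender authentication the comment asks for.

```python
import unicodedata

# Brands whose names we want to protect (assumed list for this example).
TRUSTED_BRANDS = {"VISA", "PAYPAL", "EBAY", "CITIBANK"}

# Characters commonly swapped in for letters in spoofed names (applied after upper-casing).
CONFUSABLE = str.maketrans({
    "1": "I", "!": "I", "|": "I", "L": "I",
    "0": "O", "5": "S", "$": "S", "3": "E", "4": "A", "@": "A", "8": "B",
})


def skeleton(text):
    """Canonical form: strip accents, upper-case, fold confusables, keep letters/digits only."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    folded = ascii_text.upper().translate(CONFUSABLE)
    return "".join(ch for ch in folded if ch.isalnum())


BRAND_SKELETONS = {skeleton(b): b for b in TRUSTED_BRANDS}


def classify_sender(display_name):
    """Return ('trusted', brand), ('lookalike', brand) or ('unknown', None).

    Each whitespace-separated token is checked on its own, so
    'V1SA Account Services' is caught by its first token.
    """
    for token in display_name.split():
        brand = BRAND_SKELETONS.get(skeleton(token))
        if brand is None:
            continue
        plain = "".join(ch for ch in token.upper() if ch.isalnum())
        return ("trusted" if plain == brand else "lookalike", brand)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample display names, including the ones from the comment.
    for name in ["VISA", "V1SA", "V!SA", "VlSA", "PayPaI Security", "Weather Update"]:
        print(f"{name!r:22} -> {classify_sender(name)}")
```

Skeletons are compared on both sides (so "PAYPAL" and "PayPaI" both fold to the same key), which is what lets the check catch substitutions it has never seen spelled out.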
Two wrongs don't make a right, but three lefts do.
Why are there so many otherwise intelligent people that think the government can solve every problem? Most of the time government creates more problems than it solves.
I agree with you 100% that government is not a good solution. The problem is that government will think that government is a good solution unless private efforts stop the problem. If the internet cannot self-regulate, end phishing, prevent scammers etc., then government will step in.
There was a time when multimillion dollar deals were sealed by a word of truth and a handshake and a man's word was his bond.
I think this was true because there was a time when reputation meant something. Social and economic forces made people both more trustworthy and more able to trust others. Maybe the internet needs a reputation system.
On the 'net, as in most of our society, unfortunately it is increasingly a "buyer beware" world
Sad, but true. This only furthers the cause of laws and lawyers. The more problems buyers have, the more they will resort to legal contracts and governmental intervention.
Two wrongs don't make a right, but three lefts do.
It always amazes me that the credit card companies have somehow tricked the public into believing that they are the ones who suffer from fraud. This is not the case most of the time. It's the merchants who are charged back for all fraudulent purchases, plus a huge chargeback fee. Because of the chargeback fee, banks actually *make* money on most fraudulent purchases!!!
I too have been getting quite a few more of these lately, but there is a pretty easy way to combat them:
If you receive an email about company bla bla bla, needing bla bla bla, open your browser and :::type::: the known, valid address in and see if they mention it. If you're still curious... call.
It's really that simple folks.
-Chris
--an unbreakable toy is useful for breaking other toys--
Therefore you have to get a new account if you fall for a phishing letter.
That is the only explanation I received, and I was forced to terminate the current account and start a new account after I called Citibank and told them that I might have fallen for a phishing letter, where I entered only my account name and password, after receiving an email on my work address. A couple of hours after the phishing incident I changed my Citibank login name and password, and then called Citibank, but that was not enough to avoid going through the hassle of getting a new account.
Isn't that an oxymoron?
While I make it a practice to turn every one of their graphs right side up (from their upside-down fud positions), and generally translate every one of their remarks, analysis, and commentary into its total opposite to understand what the results of their research really says, the following statement cannot go unchallenged:
Uhhh, sorry, no. This is where the problem is. Banks and credit-card companies (banks & S&Ls) get a 100% write-off in the US for card fraud, and other fraud in the US. It is the taxpayer that gets stuck with 100% of the bill. From the way they account for the fraud, they are actually making money on it, if you understand the system. They get far greater than a 100% write-off because of the way they play the interest game, and other methods they use to inflate the fraud numbers. They don't lose a penny, they actually profit from the fraud, and the taxpayer gets slammed.
One of the bullets I've posted here on Slashdot before related to this issue and the broader issue of identity theft is to pull the 100% deductibility cover for the banks, and over a four or five year period, reduce it about 15% a year, until you reduce what's left in the fourth or fifth year, i.e.: 1st year fraud, 85% deductible, 2nd year, 70%, 3rd year, 55%, 4th year 40%, 5th and final year, 0% deductible.
Holding the banks financially responsible, and legislating away the possibility of passing the losses off to customers unless they are negligent (phishing wouldn't be classified as negligent unless the banks provided a long list of methods to prevent or reduce the possibility, including their sites being compatible with a minimum of two additional non-MS browsers in addition to IE), is the only way for the out-of-control identity theft and bank/card fraud to decrease, putting less of a burden on taxpayers, and saving individuals from the devastating after-effects of identity fraud.
Another of my ideas would be to make it mandatory for the banks and local/state/federal law enforcement to investigate and prosecute identity theft/card fraud. A simple way to do this (besides additional enabling legislation) would be to make any identity theft/card fraud a presumption of $10,000 or $15,000 in the amount of the fraud, even if the fraud was actually less. This would be a good idea for identity theft, as this is very difficult to pin down for actual financial losses to an individual, but the costs of dealing with this on an ongoing basis are both high and difficult to document. Make it a presumption of a baseline amount of fraud, and make it high enough that it triggers higher penalties based on amount of fraud, and triggers action on behalf of law enforcement and courts.
Identity theft is no minor matter. It may seem like it's not a big deal, until it happens to you. But when it does happen to you or a loved one, it may take years to get over it, or you may never get over it. I've been dealing with it for over 15 years, and I have relatives that have been dealing with it for more than 10 years. And I've been wearing a tin-foil hat for the last 20 years.
I wonder if we could submit the emails/info to any justice department? Just a thought... why does that department keep focusing on $$$ (MPAA) and not the real threat?
Is it that simple?
"You lied to me! There is a Swansea!"
I suggested it to at least one bank, but they didn't seem to give a rat's ass about the idea. Perhaps they get too much money back from their insurers?
Free Software: Like love, it grows best when given away.
I know of two mortgage lenders who have had a form letter spoofed. About 500 customers called an 800 number and left their account number and SSN on a voice mail that claimed it was an ID theft voice mail line. They called because the letter said that their account details were stolen and they intended to help the customer even if it meant deferring one mortgage payment by placing it on the end of the 30-year loan. Around the holidays default is high, and what customer wouldn't want to get one payment deferred and have a bank help them get their personal details sorted? But, when the customers called and gave their information, they found themselves with a mortgage payment and lots of other troubles. It is really hard to be safe, but if you're patient and you have some common sense you may be safer.
Combine these attacks with cross-site scripting and you can actually be served with a malicious page from the real bank's own servers! These days education is often not enough - attackers have gone from simply altering hosts files to actually hooking into browsers to redirect all requests to banking sites. Even two-factor authentication will not prevent a man-in-the-middle attack in this situation.
Just say no to HTML email, people!
That will stop 'standard' HTML phishers cold!
It may 'eliminate' phishing as there is no HTML to hide the bogus URL behind the onscreen 'good' one.
> Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.
Really? I don't believe it, pardon the flock me. If it really cost them so much, something would be done about it. Like, hunt them down? This is BS, I don't believe it's costing them that much. Not that phishing (what a stupid term!) is any good, but don't lie to us - that's what phishers do! Of course, this is probably some figure thrown in by some "reporter" that just added together all the numbers he/she could find on CC fraud and the like. Booooo.
Must-not-watch TV!