Slashdot Mirror
Gone Phishing?
Zastrossi writes "According to the Anti-Phishing Working Group, phishing sites--the practice of making sites that look and act like popular sites such as banks in order to steal personal information from customers--rose from 543 sites in September to 1,142 sites in October. Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion."
ING Direct's logon page has an interesting feature where it asks for an extra piece of info beyond the username and PIN such as your account's ZIP code or a piece of your SSN on each logon, with the extra question changing every time.
However, this security method has a fatal flaw... if an attacker knows the answer to any one of the questions, the attacker can just keep reloading until they get the question they want to come up and then answer it. Still, it's better than doing nothing at all.
people should watch out for sites that seem at all phishy. i hope the govt. phish out who these bastards are so they can't phish anymore.
:(
this is one phucked up crime
If anyone believes this, it justifies fairly extraordinary investment to combat it. When you are talking billions then enormous infrastructure projects are possible. For instance, imagine the kind of systematic surveillance activity that could be mounted on the internet with a multi-billion dollar budget.
Tired of Political Trolls? Opt Out!
1. Make certain the site name is not all numeric.
2. Make certain it is spelled correctly.
3. If they write to you unsolicited, just type the website in directly that you normally use for the service and you can be certain where you are going.
I can think of more things to tell her, but the more I say the less I fear she will remember. So I boiled it down to the above list.
So far so good....
She is as clueless as anyone on the net, so I figure if it works for her that's a good litmus test....
is that banks themselves are guilty of perpetuating this stuff.
got an email from Network Solutions the other day, complete with HTML graphics, etc. It said, Dear Customer, we periodically ask our customers to update their whois information....click here to access your account information....
then it said failure to keep your account info up to date could result in the suspension of your domain. turned out this was a legitimate email from NetSol, but it had all the signs of a phish - addressing me with no indication they knew who I was, a la "dear [fill in bank or company here] valued customer"; it urged me to click on a link - which by the way was a dotted IP address; and it threatened negative consequences unless I acted quickly.
Same thing happened to me with Citibank. I am a citibank customer, and the other day I received an email urging me to transfer my balances from other cards, blah, blah. Anyhow, it had all the right logos, and urged me to click on a link. When I did (with some trepidation), I was brought to a site called "accountonline.com", which as it happens, is in fact owned by Citibank.com. Again, turns out this was a legit email from Citibank (or its marketing dept.)
Yes, it is sad that we have gotten to the point where companies cannot use email as a legitimate means of marketing and communications with thier customers (and prospective customers), but banks and other major companies need to heed their own advice, and as far as I'm concerned, as long as these companies keep doing that sort of thing, they have only themselves to blame when their customers expect this sort of communication.
...because you never know who you're dealing with.
Phishing is a big problem for those who may be too old or too busy to remember what their bank's URL should be. with URL spoofing in IE, it's an even bigger problem.
I think the most important thing is education. Anti-phishing technology will only be a stop gap measure. Phishing techniques will just become more advanced. I think an agressive advertising campaign, including information when you sign up for a bank account, information when you log on to your account or receive your bill will also be helpful. the previous author mentioning the example of additional login info is correct, the phisher will just reload until the information requested is available to them.
Banks, Ebay, PayPal, and all the other popular phish targets should have rewards programs for customers who aren't gullible and don't fall for scams. And maybe a "congratulations on not being an ignorant gullible fool" reward would motivate more customers to actually care. Most folks don't, they assume the government will protect them. I think we should stop foiling natural selection and let it do its job.
we will end no whine before its time
Hmmm ... the number of "sites" found doubled just when Google doubled its index size...
Tangentially related. I just had an interesting conversation with CDW. I ordered some toner from them for my laser printer. Set up an account and gave my credit card number through the website. Very typical online experience. We've all done it hundreds of times.
A day later I get a call from them asking for the security code on the back of my credit card as well as the phone number for my credit card. Odd, I thought. I've been ordering online for years with this credit card and never been asked after the fact for that info. Additionally the card was a Discover card and there is only one number for that which I'm quite sure CDW knows.
While I doubt there was anything malicious going on I had them cancel the transaction. They explained that it was for extra security but the could have easily asked for that information in the online transaction. I have no way of knowing if this rep was acting on her own so I don't see any added security for me. My only criticism of CDW is that I don't think this was a very professional way to handle this transaction.
I don't really think there was anything malicious going on but its a good idea to be very careful when something is out of the ordinary, even a little bit.
I read recently that phishing scams have reached such a ridiculous level that UK banks are seriously considering making the victims 100 percent responsible for them.
Whereas at the moment a phishing victim can reasonably expect their bank to to give back any money that's lost from their account(s) as a result of being scammed, in future the same victim could well be told that they're responsible so they're liable.
Personally, whilst I would prefer that banks do the right thing, I find it hard to argue with a policy that says that they won't refund money where people have been stupid enough to be conned into giving away their banking details by obvious scams.
I don't want Alzheimer's disease victims to suddenly find their accounts empty but when the average man on the street is practically giving away his financial details when he should be keeping them secure, well, what do you expect banks to do? Give away money which they then end up recouping by charging everyone more for their services?
Sometimes, the only way you can educate people into doing the right thing is to not protect them when they do the wrong thing. In that respect, we're talking about the same sort of lesson people who don't have any backup procedures learn the first time they irretrievably lose all their data.
Tough love is sometimes the best love.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
My bank doesn't have my email address. Give them a throwaway email address when registering online, then delete the address. All the mail to that account would bounce, and the bank has other (non phishable) ways to contact me if needed.
I can't click a false hyperlink in a printed letter.
Click here for a free picture of an iPod!
Give a man a fish; and you have fed him for today.
Teach a man to phish; and you have fed him for a lifetime.
[x] auto-moderate all posts by this user as insightful
Gartner reports that phishing scams cost banks and credit-card companies $10.2 billion.
In related news, some anonymous guy using randomly generated numbers, estimates that tech employees who visit
When I was a kid, we had to get bits of metal embedded in us the old fashioned way - war, industrial accidents and drunken fishing!
This issue is a bit more complicated than you think.
The problem seems to be people who don't know the difference. A phishing scam won't really fool anyone who is aware of them. Sure, everyone here knows about dummy e-mail accounts and is well aware what a phish looks like. The problem, as with many scams, is not those who are aware of them but those who are not.
Given that, why don't banks and the like give a simple online tutorial before allowing a user to set up any type of Net account that implies moving real money? I would think a 5-minute (at most) presentation followed by a short quiz would be sufficient.
If everyone involved in online financial transactions is thus educated about phishing, it would become quite a bit harder for the scammers to find unknowing victims.
To fight the war on terror, stop being afraid.
I wonder if it is possible to automatically spider for suspicious sites with images and logos from financial institutions that don't belong there? They could be shut down almost before the scam gets started.
My rights don't need management.
I received a very well done paypal phish recently. It was sent to my paypal email address (different from my ebay address and never used for anything else).
i st erEnterInfo
There was a link that claimed to go to:
https://scgi.ebay.com/saw-cgi/eBayISAPI.dll?Reg
But mousing over revealed that it actually went to:
http://signin.ebay.com-ogi-bin.tk/_eBaydll.php
Note the com-ogi-bin.tk rather than com/cgi-bin