Dealing with Phishing
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).
The only thing an attacker can't simulate is an interface he can't predict.
This will be the key when designing sites in the future.
I can agree that while something like this could help those who are not knowledgeable about such things in the digital world, I wonder if perhaps we should be taking steps back to make sure people actually stay informed of such dangers.
For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors", since logically only "female connectors" should work anyway. Now it's no real sweat off my back, but it made me think: where is the line between common sense and ignorance?
Looking through the PDF linked, I see that the plugin uses some visual hashes as browser backgrounds in trusted situations, but I wonder if there is an anti-phishing extension that would alter the color of the main background of the browser chrome for possible phishing sites. For example, a light-green would be trusted, but variations through a fire-engine red would indicate a possible phishing attempt.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
So this may help one realize that they are not on the actual Paypal/Citibank/Ebay site, and they can leave before they enter their personal information. But many phishing sites have already done their damage by that time, via a drive-by download, installing all forms of malware and spyware in just a few seconds.
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.
The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (proprietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?
Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.
"I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.
Is google getting worse or are they getting better?
While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.
The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far as their home PC is concerned. To make it worse, most people not only don't understand, but don't want to understand.
It seems obvious from this article that teaching people about computer scams and making them aware of tricks such as phishing is the only way to foil these types of attacks. The phishing sites in the study didn't even use technological foolery, yet they still managed to fool most of the users. This shows that no amount of advanced anti-phishing technology in the browser will help more than simple education and very obvious cues that a site could be faked. Popups and dialog boxes don't work because in modern computing they have become somewhat of a false alarm - a dialog box warns you of something and you close it immediately because it is irrelevant. The only way to really utilize the browser's anti-phishing technology is to have a very visible notice that a site could be faked, such as putting a big notice right in front of the page, etc. Fundamentally, phishing is a form of social engineering combined with technological tricks, and the social aspect of the problem must be approached to help solve the problem.
The thought that an average user will personalize their web interface like they personalize their cell phone doesn't fly with me. If that were true, we would see copies of Tweak UI on a lot more wintel boxes. Everyday people would be replacing the explorer shell with LiteStep. I don't see that happening. About the most personalization I have seen is people putting up a picture of their girlfriend or baby as desktop wallpaper. Geeks use custom tools, but most geeks are savvy enough about phishing to not fall for it.
So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.
For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.
In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.
Why are we not aggressively tracking down and prosecuting mass repeat spammers and phishers?
If we are, why are we not hearing about it?
I mean, spam and phishing are the blight of the internet. They are aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and, through use of zombies or hijacked connections, theft or trespassing.
Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?
??
- Zav - Imagine a Beowulf cluster of insensitive clods...
If the idea is to skin a user's page on a given web site where they might be phished (like a banking web site), then it won't really help, because the proper skin can't be applied until after a user has logged in, and by then it's already too late! I suppose it might be possible to store that in a cookie, but that would assume that the user never connects from a "fresh" computer that hasn't been used with the site before. And then there are the redirection attacks which make use of a bug in the web site itself to make the phishing site look more legit.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You have read this comment 42 times, therefore it is trustworthy. Please reply with your social security number and mother's maiden name.
I'm not sure that visit counts are very useful, as there is only a narrow window between the very beginning, where it is useless because it is basically 0, and where it becomes useless because it's just a big, meaningless number. Will you notice if your visit count goes from 123 straight to 125? Will you even notice if it goes from 124 to 543?
Of course you want to say yes, because it looks like I'm asking "Can you tell the difference between 543 and 124?" and of course the answer is yes. But the real question I'm asking is, "Can you tell if a number secreted away in the corner of a busy webpage that you probably don't even know exists and have probably forgotten about if you did changes from 124 to 543?" I think that if you're honest with yourself, the answer is no.
It's a good brainstorming idea, but I don't think that's going to help much.
On the other hand, customizable interfaces would probably help a lot, but that's a lot of work, and you're going to have to half-force people to do customizations if you want it to work, because most people would just stick with the default. Perhaps randomize (within reason) some of the customization parameters? Sure, it'll add support load, but so does phishing, so you'd have to do a careful analysis to see if you come out ahead; it could go either way.
I just RTFblurb... the point was to have the browser do skinning based on the web site being visited. Which still doesn't help when the user is not using his/her normal computer, and still takes effort to set up the skinning.
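The "you've never submitted this form before" cue from the interview, and the objection above that a raw visit count is something nobody notices, can be made concrete in a few lines. What follows is an added example, not code from the paper, the Dynamic Security Skins plugin or anyone in this thread: a minimal per-browser history store that tracks visits per origin and submissions per (origin, form), and returns a cue before a form is sent. The origin normalisation, the form signature (the sorted set of field names) and the sample URLs are my own choices.

```python
# Added example: history-based form cue. Not from the paper or the plugin.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], lower-cased, default ports dropped.

    A look-alike such as https://www.bank-example.ru/login therefore never
    collides with the real https://www.bank.example origin (constructed names).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    port = parts.port if parts.port not in (None, default_port) else None
    return f"{scheme}://{host}" + (f":{port}" if port else "")


def form_signature(field_names) -> tuple:
    """Identify a form by the set of field names it asks for, so a form that
    suddenly also wants an SSN or card number counts as a never-seen form."""
    return tuple(sorted(name.lower() for name in field_names))


class FormHistory:
    """Tracks visits per origin and submissions per (origin, form)."""

    def __init__(self):
        self.visits = {}        # origin -> visit count
        self.submissions = {}   # (origin, form signature) -> submission count

    def record_visit(self, url: str) -> None:
        o = origin_of(url)
        self.visits[o] = self.visits.get(o, 0) + 1

    def record_submission(self, url: str, field_names) -> None:
        key = (origin_of(url), form_signature(field_names))
        self.submissions[key] = self.submissions.get(key, 0) + 1

    def cue(self, url: str, field_names):
        """Return (level, message) to show next to a form before it is sent.

        level is 'new_site', 'new_form' or 'known'. The first two are the
        binary cues a user can act on; the count in 'known' is informational
        only, which is exactly the visit-count objection raised in the thread.
        """
        o = origin_of(url)
        if self.visits.get(o, 0) == 0:
            return ("new_site", "You have never visited this site before.")
        n = self.submissions.get((o, form_signature(field_names)), 0)
        if n == 0:
            return ("new_form",
                    "You have visited this site before but never submitted this form here.")
        return ("known", f"You have submitted this form here {n} time(s) before.")


if __name__ == "__main__":
    # Constructed browsing history: three visits and one login at the bank.
    h = FormHistory()
    for _ in range(3):
        h.record_visit("https://www.bank.example/")
    h.record_submission("https://www.bank.example/login", ["username", "password"])
    print(h.cue("https://www.bank.example/login", ["username", "password"]))
    print(h.cue("https://www.bank.example/verify", ["username", "password", "ssn"]))
    print(h.cue("https://www.bank-example.ru/login", ["username", "password"]))
```

The useful signal is the transition from "never" to "before", not the number: a look-alike host yields `new_site` no matter how closely its page copies the bank's, and the same bank origin asking for one more field than usual yields `new_form`. As the thread also notes, the store lives in one browser profile, so a user on a fresh machine gets `new_site` for everything.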
It would seem your "someone kill Slashdot" and "I love Slashdot" statements are a bit at odds. But seriously, I have been blocking /. ads since forever. But I buy a lot of stuff from Thinkgeek, so that kind of makes up for it, eh?
on the other hand, looking at the status bar while hovering over the link will show what's at the link. well, it works in mozilla and firefox; i wouldn't know about that "intarweb expoiter" thing ..
To defeat this, the attacker just needs to correctly copy the bank's page (or whatever). Images, style sheets, etc.
... which works until there is a way to fake that display.
... and require that the bank call the customer at the customer's phone number and verify that the transaction is authorized.
No matter what the user does to his/her browser, the bank's page will be displayed with the same mods as the phishing page. If you over-mod your browser, then the bank's page will look weird anyway and this can make phishing even easier.
She had a good idea in showing how many times you had already visited that page
The only way to really defeat phishing is to only use the web interface to start a transaction or to view information
"Two participants in our study stated that in general, they would only question a website's legitimacy if more than the username and password was requested. One participant actually submitted her username and password to some websites in order to verify if it was a site at which she had an account.
!!
She stated that this is a strategy that she has used reliably in practice to determine site authenticity. Her reasoning was 'What's the harm? Passwords are not dangerous to give out, like financial information is.'"
I just had an, imo, very 'intrusive' ad here on the frontpage of Slashdot: The reason why I report this is the fact that I am not a subscriber, but also don't use any ad-blockers on Slashdot (nor on other sites), as I think it's a fair deal: I get to read/write for free and they serve me ads which will give them some money in return.
I don't mind the banners, animated or not: But I think this one (have a look at the screengrab ) got a bit too intrusive, or at least very annoying: Once you roll-over the normal banner, it changes in that one shown in the screenshot, taking up almost half of your screen.
Going back to the original banner (by hovering off the big-size banner), I noted that, in smallprint, it warned (?) that, on mouse-over, it would pop-up the bigger one: That, imo, does not justify it though (since the banner is on top, there's a big chance of hitting it by mistake with your mouse pointer).
Again, the reason why I made this post is not that I think (as a non-subscriber) I got any right to 'complaint' about something I receive for free: Just that -because- normally the ads are non-intrusive, I don't bother with blocking them.
PEBKAC!
Windows has more viruses because linux has more virus coders.
Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.
There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."
Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.
Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.
GetOuttaMySpace - The Anti-Social Network
how much intelligence and technology has to be applied to reduce the effects of people's stupidity. The more stupid/gullible/apathetic/lazy people are, the more sophisticated/integrated/processor-and-storage-intensive applications have to become. Maybe we're just enabling people's stupidity by doing this. Eventually, as people's intelligence goes to zero, the number of processor cycles to protect them from themselves will become infinite.
In theory, there's no difference between theory and practice. In practice, there is.
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent
Not quite, as this was the full email: http://capitalone.bfi0.com/T5RT041F5630D4833B331E8E0A79A0 I left all the other stuff out.
For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
Do they let you upload your own picture, or do you select from a list of what they provide? If the latter, then the phishers know what the stock photos are. Say there are twenty of them. The phisher picks one. He may have eliminated 95% of the people he sends his bogus pages to, but he's just gained a ton of credibility with the remaining 5%. That might be worthwhile for him.
How about using the same technique SSH uses: if you come on a site that has the same IP but with a different key, or the same key with a different IP: BIG WARNING THAT THIS SITE OR THE COMMUNICATIONS IS POSSIBLY COMPROMISED, and provide a link to customer support in case that happens. SSL certificates just check whether your communications are securely established, and I won't examine that certificate every time I connect.

When you want to do Internet banking or something similar, your bank should give you a key on a read-only USB disk or something and the possibility to boot a Damn Small Linux from that disk. My bank did that for a while, but I guess they fell back on just providing the key, probably because of the support issues with DSL and xDSL, USB modems, Winmodems and other crap like getting the VPN through the users' firewall; and you had a browser but couldn't go anywhere but the bank's sites.

But I have another bank account that just requires a username and password, and you're not even on the secure part by then. How dumb is that? I avoid using my Internet banking just for that. The people at the branch sometimes ask why I don't do those simple things (like transferring money) through their site. I am running only Mac and Linux, but still I don't want anyone connecting because they keylogged my password - some users might have trouble putting in a good password in the first place (insert oblig. Spaceballs password quote here). My webmail is more secure than their site (RSA SecurID key required for that), so they could at least make SOME effort, like giving me something similar to SecurID for their site.
Custom electronics and digital signage for your business: www.evcircuits.com
Slashdot Burying Stories About Slashdot Media Owned
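The SSH-style idea in the comment above (same host but a different key, or the same key from a different address, gets a loud warning) is a known_hosts-style continuity check layered on top of ordinary certificate validation. The following is an added example, not code from any browser, from the thread or from the interview: a trust-on-first-use store keyed by hostname that pins the SHA-256 fingerprint of the server certificate and remembers the addresses it was seen from. The certificate bytes, host names and addresses in the tests are constructed placeholders, and the `trust()` method stands in for the "call customer support, then re-pin" step the commenter describes.

```python
# Added example: SSH known_hosts style continuity check for TLS sites.
# Not from any real browser or from the Slashdot thread.
import hashlib
import json


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual pin format."""
    return "SHA256:" + hashlib.sha256(cert_der).hexdigest()


class KnownSites:
    """Trust-on-first-use store: host -> pinned fingerprint and seen IPs."""

    def __init__(self, entries=None):
        self.entries = entries if entries is not None else {}

    def check(self, host: str, ip: str, cert_der: bytes) -> str:
        """Classify a connection; only 'first_seen' mutates the store.

        Returns one of: first_seen, ok, ip_changed, key_changed,
        key_and_ip_changed. Anything but 'ok' or 'first_seen' is a warning
        the UI should show before any form is submitted.
        """
        host = host.lower()
        fp = fingerprint(cert_der)
        entry = self.entries.get(host)
        if entry is None:
            self.entries[host] = {"fp": fp, "ips": [ip]}
            return "first_seen"
        same_key = entry["fp"] == fp
        same_ip = ip in entry["ips"]
        if same_key and same_ip:
            return "ok"
        if same_key:
            return "ip_changed"          # same key, new address (CDN moves look like this)
        if same_ip:
            return "key_changed"         # same address, new key: the loudest warning
        return "key_and_ip_changed"

    def trust(self, host: str, ip: str, cert_der: bytes) -> None:
        """Re-pin after the user verified the change out of band (e.g. with the bank)."""
        self.entries[host.lower()] = {"fp": fingerprint(cert_der), "ips": [ip]}

    def dumps(self) -> str:
        """Serialise the store the way known_hosts persists across sessions."""
        return json.dumps(self.entries, sort_keys=True)

    @classmethod
    def loads(cls, text: str) -> "KnownSites":
        return cls(json.loads(text))


if __name__ == "__main__":
    # Constructed placeholders; a real client would pass the DER bytes of the
    # leaf certificate it received in the TLS handshake.
    cert_a = b"constructed placeholder: bank certificate, key 1"
    cert_b = b"constructed placeholder: bank certificate, key 2"
    store = KnownSites()
    print(store.check("bank.example", "192.0.2.10", cert_a))   # first_seen
    print(store.check("bank.example", "192.0.2.10", cert_a))   # ok
    print(store.check("bank.example", "192.0.2.10", cert_b))   # key_changed
    print(store.check("bank.example", "192.0.2.11", cert_a))   # ip_changed
```

The store only helps on a machine the user has visited the site from before, which is the same limitation the thread raises for skins and cookies, and legitimate certificate rotation or a move between CDN nodes produces the same warning as an attack; that is precisely the support load the commenter expects, so the warning has to route to a verification channel rather than a "dismiss" button.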
I swear that some marketing departments get their e-mail designs from looking at spam. I have seen some legit corporate e-mails that look so close to previous phishing spam that you would think that they did it on purpose.
The only explanation that I can think of is that they see the phishing spam e-mail, think that it's from their own company, and then design new e-mails to look the same.
Doubt it? We're talking about the marketing department....
I do not know how to do the programming but if bogus userids and passwords were entered into the bogus phishing portal, then the cost of doing business for the phishers would get very high. It would be nice for the antivirus software we would buy to allow you to opt in to "punish the phishers." This would give them permission to send your computer the link and code to fill in the phishers' web site once identified. Several million useless userids and passwords (created to look legit) should shut them down.
Admittedly off-topic, but you might want to look into ditching any CapitalOne credit cards you have. They've been using a somewhat questionable reporting practice recently of only telling how much you have on your card to the reporting agencies, rather than the amount you have and your maximum. The credit agencies, with only the one number, assume it to be both your current limit and the amount you're using - in other words, that you're using 100% of your credit. This can really screw your credit score.
:)
(If you're curious as to the source of this info, check out Clark Howard's website - if you haven't heard of him, he has a talk radio show and a few books about personal finances)
Just an FYI
This is an interesting point. That is, yes, people, err, users, like to customize. Some of them. And then usually in the form of garden gnomes and a matching backdrop. Many, however, never even change the backdrop nevermind the look of their desktop menus so that even years on they still use the factory shipped teletubbyland and matching green and blue menubars.
I think that the question who customizes what, and what not, and who doesn't, and then the why of it all, needs more investigation before one can hope to use this to battle phishing.
End users cannot distinguish well between legitimate sites and phishing sites. Adding in sugar such as the date of the user's last login is helpful only as a positive reminder that the user is on the right site. It's better than nothing, but not by a factor of 10.
Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increasingly "locked down" web browsers, c) web site "reputation", and d) better anti-phishing protection in email services and software.
Companies like Cloudmark leverage a vast and very active user community to almost instantly detect and mitigate new phishing campaigns. IronKey, founded by the president of the Anti-Phishing Working Group, is developing hardware tokens for authentication. IE7 and Firefox continue to improve their defenses against XSS attacks and the like. And there are good efforts underway to develop URL reputation systems that can help users avoid browsing sites that are dangerous.
Unless this is a highly targeted and customised phishing attack, collaborative filtering like Cloudmark works amazingly well. You can stop a phishing attack spreading within a few minutes. Here is more info on collaborative filtering, or google for it.
On several fronts...
I think it is interesting to see that researchers are trying to find ways to get Joe/Jane user to recognize that WYSINWYG with every website they visit. So maybe there are a few flaws in these folks' ideas... but they're trying to get education out (at least, on some level).
Educate yourself about the changing face of phishing. Help other folks by helping them understand phishing. Don't hesitate to try to find a way to reduce phishing.
Report phishing... if you can report it to the people whose site is mimicked, then do so. At least, you can report the phishing attempt to The Anti-Phishing Working Group.
By the way, sometimes I'm a little slow (what's new?)... for those of you like me who didn't know what "PEBKAC" meant, here's the Wikipedia definition.
A Passionate Independent Musician
She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'
We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.
What I want to know is why none of these dumbass banks use S/MIME to sign the e-mail they send out.
Mozilla Thunderbird does S/MIME. Mac OS X Mail does S/MIME. Lotus Notes does S/MIME. Even Microsoft Exchange does S/MIME.
Sure, it wouldn't solve the problem, but it would at least give clueful users a dead easy way to see if the e-mail was really likely to be from their bank.
While we're on the subject, when is Gmail going to support S/MIME?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Maybe somebody could explain to me why this wouldn't work. It's trivially simple to implement.
When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?
Then every email they send to you, they include that string in the subject line.
e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"
Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.
Lots of people here seem to assume that somehow the skins are for the web site, or overriding CSS elements, or whatever, which is just not the case. What she was talking about with those skins is: fake UI. Nothing more, nothing less.
.gif images in the page itself. The page is, say, a frame set with three horizontal frames: one at the top, with a faked toolbar and URL bar (with the correct URL of the bank in that .gif, and correctly colour coded as if it were Mozilla saying it's HTTPS), the login page in the middle, and a faked status bar at the bottom (complete with the padlock icon telling you it's secure.)
E.g., let's say that you got your old mom to use Mozilla, so she has _both_ the coloured URL box _and_ the padlock on the status bar as indication that she's indeed at a secure site. I'll assume you've also educated her to carefully read the URL up there.
So no one can fool her now, right? I mean, right? Well, wrong. One attack method they used in that study was fake UI.
So let's say your mom now lands at some www.phishers-r-us.ru site pretending to be her bank. The site doesn't even use SSL or anything. How can that site spoof all those checks both up there in the browser's toolbar and down there on the status bar? Simple. Fake them.
So the site gives you a javascripted popup, requesting a window without those interface elements. But fakes them as
_That_ is the problem. Fake UI fools most users.
So the researcher's idea is basically, "I know, so let's encourage each user to skin their own UI." So let's say your mom has set her Mozilla UI to be brushed blue-hued metal, the colour for HTTPS URLs to be green, and the padlock icon to be replaced by a thumbs up icon. The fake UI site can't know that. So when they show her a page with the UI in the default colours and icons instead of hers, hopefully your mom will know that it's faked UI. It doesn't look like her other browser windows.
Now personally I think the idea isn't that great anyway, since (A) it requires users to actually do that, and I'll bet most will just click on the default theme and be done with it, and (B) because it's working around what I consider a fucking stupid mis-feature. IMHO there's no need to allow browser windows without a URL bar and without a status bar in the first place. In an age where those are the main (and often only) things that can warn you against such attacks, allowing a site to disable them is just stupid. So just disable the option to hide the UI and, voila, suddenly no one can fake that UI any more. It's that simple.
A polar bear is a cartesian bear after a coordinate transform.
Organized crime is notoriously difficult to fight in the first place. When the criminal syndicate is overseas, all the problems of cross-border law enforcement collaboration pop up. To make matters even worse, quite a few botnets and phishing scams trace back to corrupt countries where the police are in on the racket. I do not recommend flying to Belarus and trying to break the knees of someone who has an under$tanding with the local gendarmes.
Also be sure to keep in mind that 2-8% of men (depending on who you ask) can't distinguish red from green.
This story is useless without pics.
Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.
FTA: Participants proved vulnerable across the board to phishing attacks. In our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
No check for "familiarity with elementary principles of cryptography" giving a correlation. I suspect that anyone who recognizes the significance of the names "Alice, Bob, and Eve" will probably be far less vulnerable than average.
I'll also note that while they claim: "There is no significant correlation between the score and the primary or secondary type of browser or operating systems used by participants", their breakdown of participants indicated no Linux users were studied. Of course, Linux users are a weirdo minority, but I would be curious.
//Information does not want to be free; it wants to breed.
I wanted to moderate "Interesting", but my scroll wheel rolled it over to Flamebait, by mistake. I know I am going to lose my mod points for this, but at least it will undo my mistaken mod.
I'm much more funny, interesting and insightful than the moderators think
That's why I go Blast Phishing.....
-----
Sig Sauer
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
TFA and the ensuing discussion is informative, interesting, funny and elevating (mostly). No other comment. I am not worthy.
"No fear. No envy. No meanness." Liam Clancy
When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?
Then every email they send to you, they include that string in the subject line.
You can actually go one better today, without telling your bank what you are doing.
Give your bank a unique email address. Never use that email address for anything else.
The odds of getting a phish on that email address are close to nil unless you or the bank gets hacked.
This is how I filter virtually all phishes to date. If it arrives on an address not known to the entity being represented, it's obviously a fake.
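Both the "reverse-authentication string" proposal (a per-institution word the bank puts in every subject line) and the reply's "one unique address per bank" rule are client-side filters that a mail reader can apply mechanically. The following is an added example, not code from anyone in the thread and not any mail client's or bank's feature: it parses an incoming message with Python's standard `email` package, looks up the claimed sender domain in a constructed registry of alias address and auth string, and reports which of the two rules the message fails. The domains, addresses, auth word and sample messages are all constructed.

```python
# Added example: mail-side check for the reverse-auth string and the
# per-institution alias. Not from the thread; registry values are constructed.
import email
from email import policy

# Constructed registry: for each institution's sending domain, the one
# mailbox alias given only to it and the auth string the user registered.
REGISTRY = {
    "capitalone.example": {
        "alias": "jester99+capone@mail.example",
        "auth": "turkey",
    },
}


def parse(raw: str):
    """Parse RFC 5322 text with the modern policy, so headers yield Address objects."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    """Domain of the first From address, or '' if the header is missing/unparseable.
    Note: From is trivially forgeable; it only selects which rule to apply."""
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ""
    return hdr.addresses[0].domain.lower()


def recipients(msg) -> set:
    """All To/Cc addr-specs, lower-cased."""
    out = set()
    for name in ("To", "Cc"):
        for hdr in msg.get_all(name, []):
            out.update(a.addr_spec.lower() for a in hdr.addresses)
    return out


def classify(raw: str):
    """Return (verdict, problems). verdict is 'ok', 'suspect' or 'unregistered'."""
    msg = parse(raw)
    domain = sender_domain(msg)
    rule = REGISTRY.get(domain)
    if rule is None:
        return ("unregistered",
                [f"sender domain {domain!r} has no alias or auth string on file"])
    problems = []
    if rule["alias"].lower() not in recipients(msg):
        problems.append("not sent to the alias reserved for this institution")
    subject = str(msg.get("Subject", "")).lower()
    if f"auth: {rule['auth'].lower()}" not in subject:
        problems.append("reverse-auth string missing from the subject line")
    return ("suspect", problems) if problems else ("ok", [])


# Constructed sample messages.
GENUINE = (
    "From: CapitalOne Alerts <alerts@capitalone.example>\n"
    "To: Jester99 <jester99+capone@mail.example>\n"
    "Subject: Important message for user Jester99 from CapitalOne -- auth: turkey\n"
    "\n"
    "Your statement is ready.\n"
)
# Forged From domain, but sent to the general mailbox and without the word.
PHISH = (
    "From: CapitalOne Security <security@capitalone.example>\n"
    "To: jester99@mail.example\n"
    "Subject: Urgent: verify your account now\n"
    "\n"
    "Click here to confirm your details.\n"
)

if __name__ == "__main__":
    print(classify(GENUINE))   # ('ok', [])
    print(classify(PHISH))     # ('suspect', [two problems])
```

The forged-From sample shows why the sender header is only used to pick the rule and never trusted on its own. Both secrets travel in cleartext mail, so anyone who has read one genuine message (or, as the original comment says, the bank's database) knows them; they raise the cost of bulk phishing, not of a targeted one.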
Phishing works because people are idiots.
"Ohhh! A monkey is asking for my credit card number. That sounds reasonable and fair!"
There are those 'surveys' (many posted around slashdot) that want you to pick the phishing attempts.
Look at any major company - financial institutions, etc. - they never send you e-mail. They never ask for your e-mail. You never get credit card info via e-mail.
This is where Paypal went wrong - they depend on e-mail, and for anything that deals with money, there should never be an e-mail address on file.
-M
when you see the word 'Linux', drink!
Same. Actually, it went into the range of the 'large' ad and the large ad came out. I don't have Adblocker but I'm seriously considering it now.
Please, for the good of Humanity, vote Obama.
I believe it is possible to change your login ID from the originally assigned one. I use this option when it is available. Try the link on the home page labeled, "Forgot or need help with your ID?" The limitations on the ID are pretty liberal:
Online ID Format
Must be 6 to 32 characters
Can also contain these characters:
at symbol, number symbol, asterisk, open or closed parenthesis, plus sign, equal sign, open or closed brace, forward slash, question mark, tilde, semi-colon, comma, period, hyphen or underscore.
Can contain all letters, otherwise must be a combination of 2 character types (Alpha, numeric & special)
Cannot contain spaces
Cannot be the same or contain your Social Security number or Check Card number
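The ID rules quoted above are a small policy that is easy to get subtly wrong by hand (the "all letters, otherwise two character types" clause in particular). The following is an added example, not the bank's own validation code: a validator that encodes exactly the listed rules and returns every rule a candidate breaks. The SSN and card number are passed in only as digit strings to compare against; comparing digit runs with separators stripped is my assumption about how "contain" should be read, and the sample IDs and numbers are constructed.

```python
# Added example: validator for the posted Online ID rules. Not the bank's code.
import re

# Special characters the posted rules allow: at symbol, number symbol,
# asterisk, parentheses, plus, equals, braces, slash, question mark,
# tilde, semicolon, comma, period, hyphen, underscore.
SPECIALS = "@#*()+={}/?~;,.-_"
ALLOWED = re.compile(r"[A-Za-z0-9" + re.escape(SPECIALS) + r"]+")


def digits_only(s: str) -> str:
    return re.sub(r"\D", "", s)


def validate_online_id(candidate: str, ssn: str = "", card_number: str = "") -> list:
    """Return the list of rules the candidate breaks (empty list = accepted)."""
    problems = []
    if not 6 <= len(candidate) <= 32:
        problems.append("must be 6 to 32 characters")
    if " " in candidate:
        problems.append("cannot contain spaces")
    elif not ALLOWED.fullmatch(candidate):
        problems.append("contains a character outside the permitted set")
    kinds = set()
    for ch in candidate:
        if ch.isalpha():
            kinds.add("alpha")
        elif ch.isdigit():
            kinds.add("numeric")
        elif ch in SPECIALS:
            kinds.add("special")
    if not (kinds == {"alpha"} or len(kinds) >= 2):
        problems.append("must be all letters, or mix at least two of: letters, digits, special characters")
    # Assumption: compare digit runs only, so 123-45-6789 is caught whether
    # the ID embeds it with or without separators.
    for label, secret in (("Social Security number", ssn), ("Check Card number", card_number)):
        sd = digits_only(secret)
        if sd and sd in digits_only(candidate):
            problems.append(f"cannot contain your {label}")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the SSN below is a placeholder, not a real number.
    for cand in ("jester99", "jesterbanks", "12345678", "jes ter99", "user123456789x"):
        print(cand, "->", validate_online_id(cand, ssn="123-45-6789") or "accepted")
```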
How about instead of never replying to phishers, always replying to phishers?
If phishers had to wade through 5,000 responses to find the one dupe, the ROI wouldn't be there.
Hey, I've got to start putting those lessons from Nicholas van Rijn to use sometime. For those who haven't read Poul Anderson, van Rijn could teach the Ferengi a few new rules of acquisition: http://en.wikipedia.org/wiki/Nicholas_van_Rijn