September 20, 2005

Phishing in Pogo's Swamp

This week's phishing roundup starts with (thanks Lynn) a sighting of an HTTPS phish. The attacker used a self-signed cert, and as we know browsers commonly fall to self-signed MITMs because of the popup madness ...

A new, advanced form of phishing dubbed "secured phishing" because it relies on self-signed digital certificates, can easily fool all but the most cautious consumers, a security firm warned Thursday.
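The defender's view of that "secured phishing" trick is that a self-signed certificate carries no third party's vouching at all: its issuer is its own subject. The following is an added example, not code from the original post or from any browser vendor; it takes peer certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns, with constructed sample certificates for an assumed bank host (www.examplebank.test, an Example CA that does not exist), and reports the three things a "do you want to continue?" popup buries: self-signed issuer, hostname mismatch, and validity period.

```python
import ssl
import time

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns,
# of the phish described above: a self-signed cert (issuer == subject) bearing
# the bank's name. Host and dates are assumed for the example.
SELF_SIGNED_PHISH = {
    "subject": ((("countryName", "US"),), (("commonName", "www.examplebank.test"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "www.examplebank.test"),)),
    "subjectAltName": (("DNS", "www.examplebank.test"),),
    "notBefore": "Sep 15 00:00:00 2005 GMT",
    "notAfter": "Sep 15 00:00:00 2006 GMT",
}

# Constructed sample of a CA-issued cert for the same host ("Example CA" is
# an assumed, fictitious issuer).
CA_ISSUED_BANK = {
    "subject": ((("countryName", "US"),), (("commonName", "www.examplebank.test"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA (assumed)"),)),
    "subjectAltName": (("DNS", "www.examplebank.test"), ("DNS", "examplebank.test")),
    "notBefore": "Jan 10 00:00:00 2005 GMT",
    "notAfter": "Jan 10 00:00:00 2007 GMT",
}

# Fixed clock so the example is reproducible: the date of this roundup.
NOW_2005 = ssl.cert_time_to_seconds("Sep 20 11:42:00 2005 GMT")


def is_self_signed(cert):
    """Issuer identical to subject means nobody but the key holder vouched for it."""
    return cert.get("issuer") == cert.get("subject")


def _dns_name_matches(pattern, hostname):
    """Exact match, or one leading wildcard label covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".examplebank.test"
        return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def hostname_matches(cert, hostname):
    """Prefer DNS subjectAltNames; fall back to commonName only if no SAN exists."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)


def cert_problems(cert, hostname, now=None):
    """Return the list of reasons this cert should not be accepted for hostname."""
    now = time.time() if now is None else now
    problems = []
    if is_self_signed(cert):
        problems.append("self-signed")
    if not hostname_matches(cert, hostname):
        problems.append("hostname-mismatch")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not-yet-valid")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    return problems


def strict_client_context():
    """The client-side fix: require a verified chain and a matching hostname,
    so a self-signed cert fails the handshake instead of raising a popup."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets both; restate them so it is explicit.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    for label, cert in (("phish", SELF_SIGNED_PHISH), ("bank", CA_ISSUED_BANK)):
        print(label, cert_problems(cert, "www.examplebank.test", now=NOW_2005))
```

The point of the helper is educational: a client built on strict_client_context() never reaches cert_problems() for the phishing cert, because the handshake fails when no trusted CA signed it. The popup exists only because browsers of the day let the user override that failure.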

Browser manufacturers were warned of the problem, were told how to fix it, and were even given fine demos. Opera reports that it has made its browser ad-free. Welcome, but I continue to be confused about Opera's security - they claim:

Already regarded as the world's fastest, most secure browser, Opera speeds up your Web browsing with these innovative features: ...
  • Protect against identity theft and phishing with integrated security features

Yet looking at the screenshots on the page, it seemed very much like the last time I looked - underwhelming. Opera has practically not updated its security beyond the default Netscape model of 1995, so to say it's the world's most secure browser is just marketing hype; it seems more to me that Opera is fighting with the other browser manufacturers for the award of "browser least responsive to user security needs."

Meanwhile, evidence is beginning to accrue that the US (at least, the non-techie part) is starting to take the issue seriously, and Americans do not like what they find...

Adam reports on 'the story of a mother whose child was stillborn, and her inability to get the marketing to stop, from "A Lost Baby, and the Pain of Endless Reminders in the Mail," in the New York Times.'

    My first reaction was shock, then anger. Why did the baby formula company have her due date? I had shared our baby's due date with only two businesses: my health insurance company and a Web site for expectant and new parents. When I registered to enter the Web site, I specifically requested that it not share my information with third parties.

And also on how mandatory ID cards will make for yet another database full of SSNs, as yet another aid to identity theft. Good stuff. There is now a steady stream of reports of surveys suggesting that Americans will leave their banks if they get hit by identity theft. Glenbrook points at "EDS slams banking security - Financial Services".

Gartner suggests that this is part of a $50bn problem. When the numbers get that big it makes for a lot of difficulty rationalising them ("oh, it's less than Katrina, so that's ok?"), but a careful reading doesn't seem to challenge the overall level of phishing at about a $1bn problem. It might have stabilised at this point.

    Litan said that banks in Britain were far better at sharing information and working with each other to minimise exposure to this kind of fraud. The incentive to sign up new customers is great in Europe but in the US it's even more pronounced because banks send out 1,937 pieces of marketing information for every new sign-up. "The goal is getting new customers and banks are not that hungry about eating into fraud," she said.

Here's an article, "Tremendous growth of cybercrime, report says," that reminds us that there are two problems, not just one: the Microsoft PC is woefully infected with viruses, keyloggers and other malware, as well as your browser's inability to tell you who you are talking to. I'd remind them not to forget that online banks aren't that secure themselves... but it seems that banks also have other problems to deal with (Perfect Storm).

And to wrap up, (Adam again reports) chat on the underlying systemic issue - if you trade data like it was property, then you might not want to include your identity in the catalogue.

    ''As an aside [writes Chapell], some might argue that there's little distinction between "evil doer" and "data broker". I prefer to view the latter as the poster children for another unregulated industry that is screaming for the Government to step in. ... Of course, the trouble with choking off data flow is that it tends to be contrary to the concept of a free society. And since none of us seem to want to live under an EU privacy regime, then what's a privacy conscious American to do?''

    First, [writes Adam] I think that Chapell is spot on here: The gossip-mongers would love to trade higher costs in the form of regulation for limits on their liability and high barriers to entry.

    Second, the industry relies heavily on government subsidies, in the form of social security numbers, and data collected under threat of legal penalties. (Like the property registers in the article Chapell quotes, or DMV records, or voting lists.) In a free society, I can choose to be known by whatever name I like. That is a right long established in the common law. We can impose regulations on the product of government action without making ourselves less free.

We have met the enemy, and he is us. For those readers who aren't American, Pogo's comment is a famous comic line from the 60s and inspires today's roundup.

Posted by iang at September 20, 2005 11:42 AM