February 23, 2007

Any good definitions of Phishing?

Somehow I ended up on Wikipedia's entry on phishing, and added a link from the AOL playtime era to its more modern incarnation of the rape & pillage of a financial district swollen with multi-nationals, conglomerates and fat, bloated merchant banks:

Transition from AOL to Financial Institutions

Capture of AOL account information may have led phishers to the capture and misuse of (real) credit card information, which then evolved to attacks against online payment systems. The first direct attempt against a payment system may have been against e-gold, "going out of biz," June 2001, and was followed by "post-911 id check" shortly after 9/11.[14] Both were viewed at the time as failures, but can now be seen as early experiments towards more fruitful attacks against mainstream banks. By 2004, phishing was recognised as fully industrialised, in the sense of an economy of crime: specialisations emerged on a global scale and provided components for cash which were assembled into a finished attack.[15][16]
Anyone can edit that page, honest injun! Also, at the top, it defines:

In computing, phishing is a criminal activity using social engineering techniques.[1]

Come on, surely we can do better than that!? What happened to the successful MITM? What happened to the failure of the browser security model? I think at least we need to inject some hubris in there: security designs failed. Sorry about that, let's get it fixed.

What are the potential definitions of phishing, then?

Here is what it means to me (coined before I looked at the Wikipaedia offering):

A speculative fraud committed via a mass emailing which is made to appear to originate from a source the recipient is likely to trust and which attempts to entice them into an action advantageous to the sender and disadvantageous to the recipient.

I'll admit that as a concocted term whose meaning has been defined by example rather than definition, interpretations may vary widely and arguing about what it should mean is as pointless as arguing about whether Pluto should be considered a planet (which was similarly decided only by decree, not logic).

I for one would never consider a pure MITM attack as phishing, because there is not necessarily any 'bait'. MITM may however be a means by which a phishing attack achieves its impersonation, but the key to it being phishing is the 'bait' message which initiates the transaction and misdirects the connection.

Some non-email based frauds may be considered phishing by some people. But I would not have understood, for example, phone based frauds to be phishing. To me that is simple fraud.

Bottom line is that without a suitable authority that accepts it as an official part of the English language and provides an official definition, it is a matter of opinion weighted by common usage and understanding.

Posted by: Regards, Digbyt at February 24, 2007 08:06 AM
