Microsoft: Phishing Bad, Users Complicit, Education Best Defense
Date: March 18, 2005Source: InformationWeek
By:
Microsoft Tuesday summarized the plague of phishing attacks as the "fastest-growing form of online fraud in the world today," but offered little new in the form of either advice or technology.
Among the few tidbits: use of Sender ID on Microsoft's free Web-based Hotmail service will lead to similar support for the sender authentication scheme in Outlook and Exchange later this year.
Mike Nash, the chief security executive at Microsoft, and others from companies including Truste and RSA Security, pointed to the dangers of phishing to both consumers and businesses, with emphasis on the latter.
"The long term damage phishing can do to brands is the real concern," said Fran Maier, the executive director and president of Truste, in an hour-long Webcast Tuesday morning.
Phishing attacks, which typically begin with e-mails that pose as requests from actual firms to update accounts or provide other personal identity information, direct unwary consumers to bogus Web sites that may in some cases use addresses similar to the real deal.
"Companies need to have a clear banding strategy that says, 'we never ask for anything via e-mail,'" Maier added. "Companies also have to be clear on where and how they redirect URLs to other companion sites."
Phishing can strike at businesses in other ways, said Craig Spiezle, a director in Microsoft's technology safety group. "In the business environment, there's also private information and intellectual property that can be at risk to phishing attacks," he said.
Nash and the others concentrated their advice on the educational aspects of defending against phishing attacks, in some cases coming close to blaming users for the problem.
"Users will open about anything," said Burt Kaliski, the vice president of research and chief scientist at RSA Security. "The human element," he went on, "is the weakest link."
But Kaliski also blamed ancient technology. He took the current username/password authentication scheme -- often the only info a phisher is after -- to task. "User authentication is basically the same as in the days of mainframes. There has to be a way to improve the confidence consumers have in logging in." He suggested integrating enhanced authentication within the browser or the operating system, or both as being ultimately easier than hammering into users how dangerous phishing attacks can be.
"Let's face it, users are one of the most difficult part of the process to 'reprogram,'" he said.
RSA's SecurID two-factor authentication technology recently made the news when it announced early this month that E-Trade would equip its upper-end customers with free one-timepassword tokens.
Nash spent much of the time touting spam defenses as the best way to prevent phishing attacks, even though evidence is increasing that the most sophisticated phishers are turning to other attack avenues, including malicious code and spyware, to rip off identities.
"Implement protections to reduce spam," he said, recommending multi-layered defense at the gateway, server, and end-point; relying on the more security-conscious Internet Explorer 6.0 included in Windows XP SP2 (which includes a pop-up blocker and spotlights possibly fraudulent URLs in the address bar); and publishing the Sender Policy Framework (SPF) record for legitimate business domains.
Hotmail, he said, has been using Sender ID -- Microsoft's sender authentication scheme that's partially based on SPF -- for the past two months, and has found that it reduces the amount of spam, and may trim the amount of phishing spam users receive.
Original article
Add comment
Email to a Friend
