About The Blog

Debate at the intersection of business, technology and culture in the world of digital money, both commercial and government, a blog born from the Digital Money Forum in London and sponsored by Consult Hyperion


Phishing again

By davebirch posted Feb 27 2006 at 11:41 AM

My good friend William Heath reported on his quite interesting Ideal Government blog how an intelligent member of the general public (in this case, himself) found it impossible to distinguish between legitimate bank communications and phishing attacks. Recently, via the excellent Payments News, I was alerted to an article containing the detailed anatomy of a 3D Secure phishing attack. As this shows, even a tolerably well-informed person finds it hard to keep themselves safe.


The article shows how difficult it is for members of the general public to stay clear of phishing and similar frauds, even when they have been told about the frauds and have taken steps to validate the communications. The solution, naturally, is better authentication. In the world of cards, as opposed to home banking, the card associations have been pushing out 3D-Secure (3DS) for authentication. If you don't know what 3DS is, it is the technology behind the Verified by Visa (VbV) and MasterCard SecureCode initiatives. MasterCard have a good online explanation of how it works. Bizarrely, I happened to stop to buy something online while I was writing the first draft of this article and found myself at a 3DS-enabled merchant. This is what I saw:

[Screenshot: Maestro-24Feb06]

Clearly some way to go on the usability/stability front. I'm not picking on Visa and MasterCard 3DS implementations here, just illustrating that things go wrong even in well-designed and well-organised transaction environments. Here -- and I swear this was just a coincidence -- is what happened when I tried (on the same day!) to check the last few transactions on one of my American Express cards:

[Screenshot: Amex-24Feb06]

So what are consumers to do? They can't tell the difference between a site that's doing what it should and a phishing attack, they see crashes when they visit financial services organisations' websites (which must undermine confidence) and, even if they take the trouble to understand SSL and certificates, they are presented with meaningless gibberish from companies they have never heard of. No disrespect, but Verisign means nothing to my mum.

[Screenshot: Barclays-24Feb06]

In fact, as Ian Grigg of Financial Cryptography pointed out at the Digital Identity Forum a couple of years ago, there is a general problem at the intersection of security and brand. There is no brand associated with SSL certificates -- no brand that has any resonance with the general public -- and no obvious way for such a brand to develop (because public key certificates mean nothing to the general public).

Microsoft has been attempting to work with other browser developers to get the certificate authority names into the browser window alongside the padlock. But it's not certificate authority brands that are, or should be, relevant to consumers. Shouldn't it be bank brands there? Whether they are visiting their online bank or shopping or whatever, wouldn't consumers feel more comfortable trusting their bank than anyone else?
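To make the brand point concrete, here is an added example (my own illustration, not code from the post or from any browser or CA): a Go program that builds a throwaway root and two server certificates in memory, validates them the way a browser does before drawing the padlock, and then reports the two organisation names a browser could show. All names, hostnames and the "Verisign" label on the constructed root are made up for the illustration; no real certificates are involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PadlockView holds the two organisation names a browser could put next to the
// padlock once the chain validates: the CA that vouched for the site (issuer)
// and the organisation the certificate was issued to (subject).
type PadlockView struct {
	IssuerOrg  string // CA brand: the name the public does not recognise
	SubjectOrg string // site operator: where a bank's own brand lives
	Host       string
}

// sign generates a fresh P-256 key for tmpl and has parent sign it; with a nil
// parentKey the certificate is self-signed (a root). Everything stays in memory.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed root whose subject organisation is caOrg (a constructed name).
func NewCA(caOrg string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{caOrg}, CommonName: caOrg + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueLeaf has the CA sign a server certificate for host, issued to siteOrg.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, siteOrg, host string, serial int64) (*x509.Certificate, error) {
	cert, _, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{siteOrg}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// Trust returns a root pool holding only ca, standing in for the browser's trust store.
func Trust(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// Inspect does what the browser does before drawing the padlock: it checks the
// signature chain and the hostname. Only if both pass does it return the names.
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, host string) (PadlockView, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return PadlockView{}, err
	}
	return PadlockView{
		IssuerOrg:  strings.Join(leaf.Issuer.Organization, ", "),
		SubjectOrg: strings.Join(leaf.Subject.Organization, ", "),
		Host:       host,
	}, nil
}

func main() {
	// Constructed scenario: the bank and a lookalike both bought certificates from the same CA.
	ca, caKey, err := NewCA("Verisign")
	if err != nil {
		panic(err)
	}
	bank, err1 := IssueLeaf(ca, caKey, "Barclays Bank PLC", "www.barclays.example", 2)
	fake, err2 := IssueLeaf(ca, caKey, "Barclays Secure Ltd", "www.barclays-secure.example", 3)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, c := range []*x509.Certificate{bank, fake} {
		v, err := Inspect(c, Trust(ca), c.DNSNames[0])
		fmt.Printf("%-28s valid=%v padlock issuer=%q subject=%q\n", c.DNSNames[0], err == nil, v.IssuerOrg, v.SubjectOrg)
	}
}
```

Run with `go run`: both certificates validate, and both padlocks would carry the same issuer name; the only field that separates the bank from the lookalike is the subject organisation, which is exactly the field consumers are never shown. The hostname check in Inspect is what stops the lookalike's certificate being used on the bank's own hostname, but it does nothing for a user who has already been diverted to the lookalike.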


Comments

Thank you for this post. I learned about phishing attacks.

It's easy enough to tell a phishing email - as banks repeatedly tell us, they will not email us to ask for that sort of data. Plus, any use of the word 'earnestly' in business communication is to be treated with suspicion. But as William says, it's the type of attack where you start from a bona fide website and you get diverted to something rather more phishy that is the problem. My marketing mind says that there is a huge opportunity here for someone.

The comments to this entry are closed.