Tuesday, August 17, 2004

Technology to help protect against phishers 

The theory

Some of the best ideas are the simplest. Core Street makes a little browser addon for Firefox and for Internet Explorer. All it does is show you what page you're actually on. (If you're rude you might ask why the browser can't tell you that on its own.) Then when a scammer tries to impersonate your bank you have a chance of seeing through the scammer's disguise.

The word on the street is that it works smoothly.

The author of the addon (called "Spoofstick") is up-front about the addon's limitations. It's not supposed to be a panacea.

The practice, or, street smarts beat technology

Someone who gave his name only as "John" says he found a way to fool Spoofstick into displaying the wrong location.

Jonathan Penn, an analyst specializing in messaging security at Forrester Research, points out that one scammer registered the domain visa-security.com. Spoofstick would report that yes, you really are on visa-security.com, but it would have no way of knowing that visa-security.com had nothing to do with Visa. Lookalike domain names are a common trick. A famous example was someone who set up a domain called paypa1.com, with a numeral one in place of the final "l" in "paypal".
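
As an added example (not part of the original post and not Spoofstick's code), here is the comparison an address display leaves to the reader: checking the domain against a list of the brands' real domains. The brand list, the digit substitution table and the function names are assumptions made up for illustration, and example.org is a constructed hostname.

```javascript
// Added illustration; BRANDS and LOOKALIKES are constructed sample tables.
const BRANDS = { visa: "visa.com", paypal: "paypal.com", ebay: "ebay.com" };
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s" };

// Naive registrable domain: the last two labels of the hostname.
// Assumption: production code would consult the Public Suffix List
// so that suffixes such as co.uk are handled correctly.
function registrableDomain(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

// Fold digits that imitate letters back to those letters (paypa1 -> paypal).
function foldLookalikes(label) {
  return label.replace(/[0135]/g, (c) => LOOKALIKES[c]);
}

// Returns { domain, verdict, brand } for one hostname.
function classify(host) {
  const domain = registrableDomain(host);
  const label = domain.split(".")[0];
  const folded = foldLookalikes(label);
  // Exact match against a brand's real domain.
  for (const [brand, official] of Object.entries(BRANDS)) {
    if (domain === official) return { domain, verdict: "official", brand };
  }
  for (const brand of Object.keys(BRANDS)) {
    // Same name once lookalike digits are folded, but not the same string.
    if (folded === brand && label !== brand) {
      return { domain, verdict: "lookalike-characters", brand };
    }
    // Brand name used as a hyphen-separated part of some other domain.
    if (folded.split("-").includes(brand)) {
      return { domain, verdict: "brand-name-in-other-domain", brand };
    }
  }
  return { domain, verdict: "unknown", brand: null };
}

// The two domains from the post plus constructed hostnames.
for (const h of ["www.visa.com", "visa-security.com", "paypa1.com", "example.org"]) {
  const r = classify(h);
  console.log(`${h} -> ${r.domain}: ${r.verdict}`);
}
```

The `domain` field is as far as a location display can go; the verdict depends on already knowing which domains belong to the brand.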

My advice is to treat email like you would a phone call. If someone asks for your credit card number over the phone, you know to stop and think about whether you placed the call. Similarly, don't type in your eBay password unless you're the one who typed in eBay's web address.
