
Stop Phishing: Websites and Users Working Together 5 February, 2010

Posted by paralleldivergence in Internet, Life, My Thoughts, passwords, security.

PHISHING is a worldwide problem. Unscrupulous cyber-criminals, unsuspecting Internet users and apathetic web-service providers: It’s a volatile mix that will always benefit the crook. Hell, if the user is stupid enough to click on a link in an email message and gladly provide their user account details, they deserve what they get! 

[Image: courtesy of Financial Services Technology]

But often it’s not an email that hooked the poor user. Drive-by websites that drop trojans with keyloggers onto the novice user’s insecure computer are a gold mine for phishers. A steady stream of keystrokes featuring website URLs, usernames and passwords is captured, neatly packaged and emailed off or uploaded directly into a secure database on the other side of the planet. According to Internet security vendor McAfee, “there has been a 50% increase in the number of detected so-called ‘zombie’ computers since 2008”. In the four months between January and May 2009, McAfee alone detected 12 million computers that had been hijacked by cyber thieves. Even experienced Internet users have been caught out by logging on via compromised Internet cafes or using the “free” unprotected wireless at Starbucks.

Clearly, educating Internet users to be cautious online is a solution that is not working. The problem is getting away from us as a society: in 2007 in the U.S. alone, the cost of phishing was calculated to be $3.2 BILLION – up from $2.3 billion the previous year. What it is today, we can only guess, but everybody seems to know somebody who has been a victim.

And it’s not just banks and credit cards that the criminals are phishing for. It’s account details for PayPal, eBay, Facebook, MySpace, Twitter and virtually every email service on the web. Social Networking sites are particularly vulnerable and users are even more unsuspecting when it comes to “sharing” their account information. Their goal? Identity fraud. And since many of the fraudsters are actually located in a foreign country, bringing them to justice is almost impossible.

So if making users more tech-savvy is not the answer, what is?

The vast majority of humans live their entire lives within a reasonably close distance to the place they were born – certainly they stay in the same country more often than not. If they migrate, they choose to stay in the country that becomes their new home. With this fact in mind, it is logical that if an Internet user signed up for a web service of some type in one country, they are unlikely (except in circumstances of overseas trips) to be signing on to that web service from another country. Many of us will NEVER do it.

  • How hard would it be for EVERY web service provider to identify and record the country where an account was created (or configured after the event), and then match up the country of each new sign-on request with that original country?
  • How hard would it be for the web service to reject logons if those countries don’t match up?
  • How hard would it be for the web service provider to alert the user that an attempt to logon to their account was made from another country?
  • How hard would it be for an extra question to be added to each user’s profile that says “ONLY Allow logon from the following country: [country list]”?
  • How hard would it be for the web service provider to include an option for the user to turn this setting off if the user is travelling?
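As an added example (not code from the original post), here is a Python sketch of the policy in the list above: the sign-up country is recorded, each logon is matched against the account’s allowed country list, a mismatch is rejected and queued as an alert to the user, and a travel-mode switch lets the user turn the check off. The GeoIP table, the Account class and the IP addresses are constructed stand-ins; a real deployment would use a GeoIP database and a real notification channel.

```python
# Added example: country-restricted logon policy (constructed stand-ins, runs offline).
from dataclasses import dataclass, field

# Constructed stand-in for a GeoIP database: IP prefix -> ISO country code.
GEOIP_DB = {"203.0.113.": "AU", "198.51.100.": "US", "192.0.2.": "RU"}


def country_of(ip):
    """Resolve an IP address to a country code via the constructed prefix table."""
    for prefix, cc in GEOIP_DB.items():
        if ip.startswith(prefix):
            return cc
    return None  # unknown location: treated as a mismatch below (fail closed)


@dataclass
class Account:
    username: str
    signup_country: str            # recorded when the account was created
    allowed_countries: set = None  # the "ONLY allow logon from" profile setting
    travel_mode: bool = False      # user-controlled override while travelling
    alerts: list = field(default_factory=list)  # out-of-country attempts to report

    def __post_init__(self):
        # Default policy: only the country the account was created in.
        if self.allowed_countries is None:
            self.allowed_countries = {self.signup_country}


def check_login(account, password_ok, source_ip):
    """Return (allowed, reason). The password check itself is assumed done already."""
    if not password_ok:
        return False, "bad credentials"
    cc = country_of(source_ip)
    if account.travel_mode or cc in account.allowed_countries:
        return True, f"ok ({cc})"
    # Correct password but wrong country: reject and tell the account owner.
    account.alerts.append(f"blocked logon from {source_ip} ({cc or 'unknown'})")
    return False, f"country mismatch: {cc or 'unknown'} not in {sorted(account.allowed_countries)}"


if __name__ == "__main__":
    alice = Account("alice", "AU")
    print(check_login(alice, True, "203.0.113.7"))   # home country: allowed
    print(check_login(alice, True, "192.0.2.9"))     # foreign country: blocked
    print(alice.alerts)
```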

What are the benefits of this simple solution?

If the cyber criminal is in another country as is often the case, there’ll be an extra hurdle for them to get into your account – even if they do have your username and password. If they happen to be in the same country as you and if they eventually do get caught, then your country’s laws will come into play and real convictions will actually be possible.

Of course, nothing on the Internet is foolproof, but this simple approach can protect those hapless Internet users that are so prevalent (and costly).

Google – Yahoo – Microsoft – Facebook – On-line Banks – eBay – Please take note: You have a responsibility to protect your users from themselves. This is one simple step you can all take so others DO NO EVIL using YOUR services.

What do you think? How can we get web service providers to do this?


Comments»

1. darcymoore - 6 February, 2010

…I felt vulnerable last weekend as phishing scams are so…well, everywhere! Good ideas here, Stu!

2. Ian Gay - 6 February, 2010

Some great thoughts Stu and a needed reminder for myself about this whole issue.

I must admit that when I recently opened a Facebook account for the first time (to keep in contact with my son overseas) I did not give true information for my school or date of birth. While I could see the benefits to Facebook of such information (their ability to match potential contacts or associates is amazing), I really couldn’t see myself giving such valuable information freely.

Your idea to restrict logons etc. from the country of registration is good, but a small question: would a proxy IP site be able to confuse the country that the logon was coming from? I don’t know enough about it but I have read of these sites being used to fool other sites and download movies etc. supposed to be for USA only or similar.

There is no doubt that the whole identity issue is a huge one. Possibly another thought I have is that my Credit Union has issued me with a small electronic device that gives me a 6 digit code (different every time, changes every 60 seconds) that I must use in addition to my normal password to access my account. Not sure how it could be implemented for Facebook etc. but I could see my ISP being able to do this sort of thing; certainly, to me, every bank should be doing something similar.

paralleldivergence - 6 February, 2010

Yes, there are methods for spoofing IP addresses – making your PC pretend its IP address is from a trusted location – e.g. your country. But it’s an extra step that the crooks would have to take. But move it one step in the future where we have IPv6, web service providers can implement encryption and authentication which will also reduce spoofing threats.

If they were to use a proxy, they would have to use a proxy in the victim’s country.

You could also extend the restriction for logon as not just from your country, but from your chosen Internet Service Provider(s). You could save the specific domains you’d like to allow access from – eg your home and your work domains – but not from Starbucks or McDonalds (or anywhere else).

You then could choose to apply these restrictions only to your vulnerable accounts, leaving you more flexibility with web services that you are less worried about security-wise.

The point is, this idea is a simple springboard. It’s not the be-all-and-end-all solution to this massive problem, but it’s a pretty good, easy to implement, inexpensive solution that can be extended.

3. Russell Darnley - 6 February, 2010

A friend just had $3000 skimmed from his account, this week. Not sure whether it was the result of phishing, but this is a timely post. Something as simple is this should be easily achievable.

My bank was advised of my recent trip to Indonesia, for the simple reason that they monitor unusual activity and wanted to know about it. I felt very well serviced and supported.

Thanks Stu.

4. dskmag - 6 February, 2010

Some great ideas, and perhaps companies need to realise that they don’t own their ‘space’ but merely inhabit an un-governed digital realm where no one needs to plan, agree or even admit to anything.

I think of it like the Pied Piper. It’s not the piper or the pipe that attracted the rats – it was the music. Companies create compelling reasons to enter the metaverse and make huge assumptions on the part of those accessing their offerings. They focus on the least-worst scenario for themselves, then the users.

It seems inevitable that the internet as we know it now – popularised by commercial offerings and now sucking in so called ‘crowd content’ via social networks will suffer a Snow Crash.

I think any real change in the current fraud will come not from more virus checkers or browser blockers, but from devices that act as agents for us, creating a DMZ between us and whatever parts of the metaverse we choose to use.

5. Simon - 6 February, 2010

Certainly a username/password seems to be a very weak way of securing some of our most personal information.

But, it would be a mighty pain if you went overseas and forgot to set Gmail to ‘holiday mode’.

paralleldivergence - 6 February, 2010

It would be a worse pain to get your accounts phished though…
