The Future of Phishing Ross Anderson Security Group USEC 2007 15 Feb 2007
Background
• Trojan logon scripts in 1970s – now we have ‘trusted path’ (ctrl-alt-del). In 1990, ‘password fishing’ referred to false terminals
• Social engineering – ‘pretexting’ long used to get passwords (and everything else). Example: bogus bank staff request PIN for stolen card.
• Combining these threads: the spelling ‘phishing’ appeared in 1996 in the context of AOL password solicitation
Background (2)
• As the security technology improves, attacks will inevitably shift to target people
• Our pretexting research in 1996
• Greening, ‘Ask and Ye Shall Receive’, SIGSAC Review Apr 96: 138 of 336 students mailed in a password on request; most changed their password
• OPSEC is hard enough for staff – next to impossible for customers
• 2002: Mitnick publishes “Art of Deception”
Background (3)
• First electronic banking service to retail customers – Bank of Scotland 1984
• Account nomination – customer had to specify recipients and limits in writing
• Also, one-time passwords (paper list)
• Nomination, and distinction between ‘safe’ and ‘dangerous’ transactions, vanished during the dotcom boom
• Instead, contract terms used to dump risk
Developments in 2003
• First chip and PIN skimmers appear in Italy
• CAPTCHAs take off, initially as a spam countermeasure for email services & blogs
• Signs that online criminals were getting organized and specialized – different groups would steal card numbers and do cashout
• First six reported cases of phishing for bank passwords
Phishing
• ‘Victims are lured by an email to log on to a website that appears genuine but that actually steals their passwords’
• Early attempts were crude and greedy – but the phishermen learned fast!
• Genuine bank emails used, or clever psychology (‘thank you for adding a new email address to your paypal account’)
• Losses now 8 figures UK, 9 USA. In UK, one bank took £30m of £36m losses last year
• The Rock Phish gang
Banks make it worse!
• PayPal, Xmas 2006, directs customers to a competition at paypalchristmas.co.uk (owned by a small marketing company)
• Halifax Share Dealing Services sent out a spam with a URL not registered to the bank, and its fraud department initially agreed it was a phish (until it was reported to the ISP for takedown)!
Countermeasures
• ‘Blame and train’ – long known to not work in safety-critical systems
• ‘Check the English’, ‘look for the lock’, ‘click on images but not URLs’, ‘parse the URL’
• Phishermen good at turning advice round
• Various psychological reasons why this strategy is unsound (fundamental attribution error, default from ‘physics’ to ‘social’ processing mode, …)
Countermeasures (2)
• Link to machine – password manglers / TC / client certs / browser password cache (but: banks resist mechanisms that stop roaming or that aren’t universal)
• Soft keyboards (but: not too hard to defeat)
• Toolbars (but: see Jackson et al)
• Two-factor (but: real-time man-in-the-middle)
• Multi-channel, such as SMS (but: ?)
What next?
• Security in the old days depended on back-end controls, plus front-end authentication
• Banks since 2000 or so have tried to get the front end to carry all the load, as it’s easier
• I doubt this will work! We should expect the return of back-end controls
• Why should a bank customer expect to be able to mortgage his house and send all the money to the Philippines, from an Internet café in Peshawar?
• Liability will also matter …
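
The back-end control described under ‘Background (3)’ and ‘What next?’ (account nomination, with a split between ‘safe’ and ‘dangerous’ transactions) can be sketched as follows. This is an added example, not code from the talk or from any bank; the class, function names, channel labels and account identifiers are all hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class Account:
    """Back-end account record (hypothetical fields)."""
    balance: Decimal
    # payee id -> per-payment limit, agreed out of band (e.g. in writing)
    nominated: dict = field(default_factory=dict)
    # 'dangerous' requests parked until confirmed outside the online session
    held: list = field(default_factory=list)

def nominate(account, payee, limit, channel):
    """Add a payee. Refused over the online channel, since that is the
    channel a phisherman holding the password controls."""
    if channel == "online":
        return False
    account.nominated[payee] = Decimal(limit)
    return True

def classify(account, payee, amount):
    """'safe' only for a nominated payee within its agreed limit."""
    limit = account.nominated.get(payee)
    return "safe" if limit is not None and amount <= limit else "dangerous"

def request_payment(account, payee, amount, session_authenticated):
    """Front-end authentication is necessary, but it is never sufficient
    to execute a dangerous transaction."""
    amount = Decimal(amount)
    if not session_authenticated or amount <= 0 or amount > account.balance:
        return "rejected"
    if classify(account, payee, amount) == "safe":
        account.balance -= amount
        return "executed"
    account.held.append((payee, amount))
    return "held"

def demo():
    """Constructed scenario: one payee nominated in writing, then a session
    that logs in successfully (possibly with a phished password)."""
    acct = Account(balance=Decimal("5000"))
    nominate(acct, "landlord-001", "900", channel="written")
    return [
        request_payment(acct, "landlord-001", "850", True),    # nominated, in limit
        request_payment(acct, "mule-777", "4000", True),       # unknown payee
        nominate(acct, "mule-777", "4000", channel="online"),  # online nomination
        request_payment(acct, "landlord-001", "950", True),    # over agreed limit
        str(acct.balance),
    ]

if __name__ == "__main__":
    print(demo())
```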