Solution To Phishing: Ignore All Requests For Info

from the email's-dead-for-info-requests dept

As people are trying to come up with a “solution” to the phishing problem, it appears some people have come up with a perfectly workable solution: don’t respond to any email asking for personal info, no matter how legitimate it looks. Part of the problem is that the phishing scams are very, very realistic looking. However, a bigger part of the problem is that banks and other companies don’t take the threat seriously. Thus, they end up sending out mail that looks just like the mail phishers send. Because they still send out emails like this, they’re effectively killing email as a channel of reasonable communication about account info. People are simply going to default to ignoring everything, just in case it’s a scam.



Comments on “Solution To Phishing: Ignore All Requests For Info”

jim says:

phishing

I received a genuine email from one of the issuing banks that I called and determined from them to be legitimate. It looked exactly like all the phishing ads, and I told them it was stupid to send me anything like that and then expect me to reject the fake ones. I figure I am a bit smarter than most and certainly more suspicious, and wondered what a less informed user might make of it and respond to the wrong one.

I told them one thing they should do is send out all emails with HTML and with only text links. If everyone saw the exact URL, and could not be fooled by highlighted URLs that were different from their links, then that would cripple one method the phishing people use. The URL that is highlighted (usually blue) says one thing and the actual link is something like “http://65.whatever/” off in North Korea, or Nigeria.

They said that I could tell because it had their logo and some of my personal info in it that the phish ads would not.

I pointed out if someone had obtained that I had one of their cards, they could send out phish ads with 99% of what they had in their ad (only need to get my email address, and send me a phish email with each of about 10 or 15 major credit card issuers, and they are bound to hit the one I have).

Jim
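The link trick Jim describes (visible text shows one address, the real href points somewhere else) is easy to check for mechanically on the receiving side. The following is an added example, not code from the post or from Techdirt; the email body and the bank.example / 203.0.113.5 values in it are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Host named by a URL or bare domain, lower-cased and without a leading 'www.'.
    Returns None for text that does not look like an address (e.g. 'Help center')."""
    value = value.strip()
    if not value or " " in value or "." not in value:
        return None
    if "://" not in value:
        value = "http://" + value          # let urlsplit parse a bare domain/path
    host = urlsplit(value).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def deceptive_links(html):
    """Return (visible text, real href) for anchors whose shown host differs from the target host."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.anchors
            if _host(text) and _host(href) and _host(text) != _host(href)]


# Constructed sample message: one spoofed link, one plain-text link, one honest link.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account at
<a href="http://203.0.113.5/verify">https://www.bank.example/secure</a>.</p>
<p>Or visit our <a href="https://www.bank.example/help">Help center</a>.</p>
<p>Questions: <a href="https://bank.example/contact">bank.example/contact</a></p>"""
```

Running `deceptive_links(SAMPLE_EMAIL)` flags only the first anchor; a mail client or gateway filter can apply the same comparison before rendering a message.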

Paul says:

There is a solution

The key is for banks to start using private email networks to communicate with their customers. This allows them to send authentic information to customers and to allow customers to interact with the institution in a safe and protected environment. One of the first networks doing this is Capango (http://www.capango.com). Look for more financial institutions to find their way to this as the only alternative that will allow them to electronically communicate with customers.

jim says:

Re: There is a solution

I don’t think I need someone other than going to the bank’s web site and communicating with them there. I would object strongly to some third party getting involved.

The only question I see is why does the bank need to send me an ordinary email telling me to look at the web site when I am perfectly capable of going there when I wish w/o that.

As I said earlier if they want us to go to their portals or web sites, or programs that do direct banking, don’t send a link integrated right into the thing to go to that site. And explain that no email will ever point to the portal, ever, you have to figure your own way out to get there.
Then the phishing guys are out of business if someone is directed to a site that solicits their personal info.

your solution would still solve nothing if an innocent was directed to go check their capango account and were scammed out of the necessary info that way. still screwed.

Paul says:

Re: Re: There is a solution

But if the customer and bank want two-way communication, then there needs to be a medium. Email is a medium that works, but the public email system (“@” email system) falls flat on its face.

Banks may want to notify customers of any various items and they cannot just wait for the customer to visit the web site. Online banking, with approval processes, is a classic example.

The private email network allows institutions to send information via a private email that cannot be spoofed. So the customer knows exactly what to look for in the private email. It is built into the network system, not just an HTML tag in an SMTP email.

And this goes well beyond just your bank. Think of insurance, loans, credit card, and so many other trusted institutions that want a two-way electronic communication channel. Don’t give that up just because the first try at it (the public “@” email system) failed. We just need to evolve.

jim says:

Re: Re: Re: There is a solution

Paul,
I hear what you are saying. I think you overlook that you and I as obviously more serious computer users, or at least serious enough to come back to this thread in a timely fashion, tend to look at email and probably interesting web sites quickly. Probably 50% of those I help and mentor won’t go to their email any faster than a bank web site, so the medium as you say is not the problem. People may evolve, but I say that they can go to the web sites with security better than they can rely on crap drifting into their inboxes, like the current email system.

If you have to go to a web site, now you can get a secure connection that you initiate, and therefore can trust.

I will resist for a long time anything that comes to my email inbox and I have to wave a wand over to verify.

A system to do what you wish to have people do, and what I do by hand now, is not yet invented or thought of, or there would be another internet millionaire out there now.

Looks like sendmail and yahoo are doing something, but I have not looked at it.

I reject having a commercial entity, or any of these pay-to-send schemes, in my email system. We’ll end up with the same crap we have with ATM debit cards, and no security there, and it still will cost $$.

Jim

Bawani says:

E-billing can solve phishing!!!!

E-billing offers creditors the opportunity to send customized sales messages to recipients cost-effectively. Even messages sent to large segments of a utility company’s database, for instance, can appear personalized for the recipient.

Companies are able to use business rules to personalize every aspect of their communication. This includes highly targeted offers, rather than generic bill stuffers that no one ever reads.

Companies can also conduct surveys [and] send out newsletters or service-change notifications.
