[Cryptography] phishing attack again - $300m in losses?
ianG
iang at iang.org
Sun Feb 15 09:45:08 EST 2015
http://mobile.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0
"In many ways, this hack began like any other. The cybercriminals sent
their victims infected emails — a news clip or message that appeared to
come from a colleague — as bait. When the bank employees clicked on the
email, they inadvertently downloaded malicious code. That allowed the
hackers to crawl across a bank’s network until they found employees who
administered the cash transfer systems or remotely connected A.T.M.s. "
So, it's phishing, again. Exotically called spear phishing, but still
your common or garden phishing attack.
I am fascinated by the industry dynamics that make this attack
impossible to deal with. We first saw serious phishing in about 2003,
and here we are a decade later .. with what progress?
It is clearly the fault of the browser [1]. All the finger pointing --
user responsibility for social engineering, mailer, standards -- is just
that, finger pointing in ways to move the angst away from the mind of
the owners of the browser projects. The successful strategy for doing
nothing has been a mix of "It's not our fault" and "we're working in XYZ
cartel..."
The industry has cleverly constructed itself in a deadly embrace between
browsers, standards, liability dumping contracts, IETF working groups,
CAs, auditors, developers, lawyers who never-admit-nuttin, all of whom
collectively share the responsibility and all of whom individually
manage to actually take on none of it.
But they take the fees.
And, it isn't as if we can't calculate the value of the take. Mozilla
for example takes something like 85% of its revenues from one source,
google, for one purpose, browser advertisement, which serves as a pretty
good proxy for the value of Firefox to users. Audit fees are known
numbers, at least to industry insiders. CA pricing is known, as is the
occasional buyout windfall. Developer salaries are known, and they can
be counted and summed.
I'm fascinated because this situation should not by all our
understanding of life, the universe and everything about security last.
The user is losing money and has been for a decade now, and the
browser vendors do ... nothing? Approximately?
How is this deadlock to break? Will someone actually put real
authenticating crypto into the URL? Will someone invent a new identity
concept that works? Will the browser vendors be sued for their millions
in the bank by some group of ... upset banks? Will the banking
regulators finally do something that actually sounds like proactive
security not 'best practices'? Will someone start asking phishing
victims which browser they used? Will someone advertise a hardened
browser for a price? Will a government get hacked and decide to
actually ask why the browser isn't doing the job? Anti-trust?
I don't have any answers, but as I say, it is fascinating that we're
looking at an industry structure that has concreted itself into
user-insecurity.
iang, watching phishing since 2003...
[1] of course, the industry does not agree, but Bill Gates did:
http://financialcryptography.com/mt/archives/000361.html