The Future of Phishing - PowerPoint PPT Presentation
1
The Future of Phishing
  • Ross Anderson
  • Security Group
  • USEC 2007, 15 Feb 2007

2
Background
  • Trojan logon scripts in the 1970s; now we have a
    trusted path (ctrl-alt-del). In 1990, "password
    fishing" referred to false terminals
  • Social engineering / pretexting: long used to
    get passwords (and everything else). Example:
    bogus bank staff request the PIN for a stolen card
  • Combining these threads, the spelling "phishing"
    appeared in 1996 in the context of AOL password
    solicitation

3
Background (2)
  • As the security technology improves, attacks will
    inevitably shift to target people
  • Our pretexting research in 1996
  • Greening, "Ask and Ye Shall Receive", SIGSAC
    Review, Apr 96: 138 of 336 students mailed in a
    password on request; most changed their password
  • OPSEC is hard enough for staff; next to
    impossible for customers
  • 2002: Mitnick publishes Art of Deception

4
Background (3)
  • First electronic banking service to retail
    customers: Bank of Scotland, 1984
  • Account nomination: the customer had to specify
    recipients and limits in writing
  • Also, one-time passwords (paper list)
  • Nomination, and the distinction between safe and
    dangerous transactions, vanished during the
    dotcom boom
  • Instead, contract terms were used to dump risk

5
Developments in 2003
  • First chip-and-PIN skimmers appear in Italy
  • CAPTCHAs take off, initially as a spam
    countermeasure for email services and blogs
  • Signs that online criminals were getting
    organized and specialized: different groups
    would steal card numbers and do the cashout
  • First six reported cases of phishing for bank
    passwords

6
Phishing
  • Victims are lured by an email to log on to a
    website that appears genuine but that actually
    steals their passwords
  • Early attempts were crude and greedy, but the
    phishermen learned fast!
  • Genuine bank emails used, or clever psychology
    ("thank you for adding a new email address to
    your PayPal account")
  • Losses now 8 figures in the UK, 9 in the USA. In
    the UK, one bank took 30m of 36m losses last year
  • The Rockfish gang

7
Banks make it worse!
  • PayPal, Xmas 2006, directed customers to a
    competition at paypalchristmas.co.uk (owned by a
    small marketing company)
  • Halifax Share Dealing Services sent out a spam
    with a URL not registered to the bank, and its
    fraud department initially agreed it was a phish
    (until it was reported to the ISP for takedown)!

8
Countermeasures
  • Blame and train: long known not to work in
    safety-critical systems
  • "Check the English, look for the lock, click
    on images but not URLs, parse the URL"
  • Phishermen are good at turning such advice round
  • Various psychological reasons why this strategy
    is unsound (fundamental attribution error,
    default from physics to social processing
    mode, ...)

9
Countermeasures (2)
  • Link to machine: password manglers / TC / client
    certs / browser password cache (but banks resist
    mechanisms that stop roaming or that aren't
    universal)
  • Soft keyboards (but not too hard to defeat)
  • Toolbars (but see Jackson et al.)
  • Two-factor (but real-time man-in-the-middle)
  • Multi-channel, such as SMS (but ?)

10
What next?
  • Security in the old days depended on back-end
    controls, plus front-end authentication
  • Banks since 2000 or so have tried to get the
    front end to carry all the load, as it's easier
  • I doubt this will work! We should expect the
    return of back-end controls
  • Why should a bank customer expect to be able to
    mortgage his house and send all the money to the
    Philippines, from an Internet café in Peshawar?
  • Liability will also matter
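As an added illustration of the back-end controls the deck argues for (slide 4's account nomination with limits, slide 10's safe/dangerous distinction), and not code from the talk: a constructed Python model in which payees can be nominated only out of band, and any transfer outside the nominations or limits is held rather than executed on the strength of a web login. The channel names, amounts and limits are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    balance: int                                     # whole currency units (constructed)
    nominations: dict = field(default_factory=dict)  # payee -> per-transfer ceiling
    daily_limit: int = 1000
    sent_today: int = 0

def nominate(acct: Account, payee: str, limit: int, channel: str) -> bool:
    # Payees are nominated only out of band ('branch'/'post' stand in for
    # "in writing"); a web session, which a phisher may control, cannot do it.
    if channel not in ("branch", "post") or limit <= 0:
        return False
    acct.nominations[payee] = limit
    return True

def classify(acct: Account, payee: str, amount: int) -> tuple:
    # Returns (verdict, reason); "dangerous" transfers are held for
    # out-of-band confirmation rather than executed on a web login alone.
    if amount <= 0 or amount > acct.balance:
        return ("rejected", "invalid amount")
    ceiling = acct.nominations.get(payee)
    if ceiling is None:
        return ("dangerous", "payee not nominated")
    if amount > ceiling:
        return ("dangerous", "exceeds nominated limit")
    if acct.sent_today + amount > acct.daily_limit:
        return ("dangerous", "exceeds daily limit")
    return ("safe", "within nomination and limits")

def transfer(acct: Account, payee: str, amount: int) -> str:
    # Execute only "safe" transfers; anything else is held or rejected.
    verdict, _ = classify(acct, payee, amount)
    if verdict == "safe":
        acct.balance -= amount
        acct.sent_today += amount
    return verdict

def demo() -> list:
    # Constructed scenario: a phisher who holds the victim's web password
    # tries to add a payee and move the whole balance from the web channel.
    victim = Account(balance=50000)
    nominate(victim, "landlord", 800, channel="branch")   # legitimate setup
    return [
        nominate(victim, "new_payee", 50000, channel="web"),  # False
        transfer(victim, "new_payee", 50000),                 # "dangerous"
        transfer(victim, "landlord", 750),                    # "safe"
        transfer(victim, "landlord", 750),                    # "dangerous" (daily limit)
    ]
```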