August 25, 2004

Let's make banks responsible for something

My inbox has been overflowing with some amazing phishing scams in the last few weeks, some of them sufficiently impressive for me to start analysing their inner workings in some depth.

The definite trend is towards turning these fake websites into very high quality imitations of the originals. Gone are the shoddy graphics obviously lifted at random from the real one, the slow link to a site in the middle of China and the lack of an SSL certificate (or a self-signed certificate). The latest sport a fast link, often at a co-lo site in Europe or the USA, perfect graphical imitation and an SSL certificate which raises no warnings (we shall leave the obvious rant against the quality of verification by the issuers for another time).

So why are they successful? Well, I think that it is high time that the banks took part of the blame.

The best one by far to land in my inbox was "hsbc-validate.info", now long dead (hence the lack of link), which would have been perfect except for one little mistake in the SSL-secured login page. The real HSBC private banking page in the UK asks you to enter your login identifier on one page and then opens an SSL-protected smaller window which repeats the login identifier back to you before asking for date of birth and security digits. The fake page made the mistake of requesting that the login identifier be re-entered in the SSL-secured page. Was everything else believable? Yes, so much so that before reporting it to HSBC I made double sure that the domain had not been registered by HSBC.

You might think: you idiot, no e-bank ever sends you e-mail. Well, you would be mistaken and gravely so: there is at least one UK e-bank which sends e-mail regularly, Egg. So, there is at least one ideal phishing candidate.

So what, you continue, if you are stupid enough to believe that you should re-enter your details then you deserve to have your account emptied. Indeed, normally the people who say so claim to have "never" fallen for any scam. Of course not.

How many pensioners get robbed of their money every year by fake council workers, phone company engineers, electricity meter readers, etc.? Are they all stupid? No, they are quite simply targeted because their defences are lower than the average person for a number of perfectly valid reasons: their eyesight might have deteriorated to the point that they find it difficult to distinguish photos on fake id cards, for example, or they are so lonely that the idea that someone would actually care for them is reason enough to open their door wide.

Similarly, how many people click on virus-infected attachments every day? Thousands if not millions including some of the same people who claim "never" to have fallen for a scam...

So it is time to consider how various states have dealt with the problem of pensioners being robbed of their money: by educating them. It isn't such an amazing idea if you think about it. By giving enough information to a pensioner so that he can distinguish between a fraudster and a real meter reader you have allowed him to protect himself. You need not give a three-hour course on uniform recognition with yearly updates whenever uniforms change, you simply need to advise them on a few simple tricks like not opening the door immediately, ringing the electricity company if there is any doubt whatsoever and so on.

Enter the medium by which this education is delivered. It is pretty clear to everyone that a simple leaflet in the mail will not do the trick, so you send out instructors to various aggregation points, be it churches, social and recreational clubs or day clinics. Why does this work better? Because you have immediate feedback: how do you check whether someone has read your leaflet?

Now let us return to our original subject. What do banks do to attempt to prevent phishing? Have a look at HSBC: they have a banner on the main page, centred above the box where the login identifier is entered, which states:

"Customers are reminded that we will never send you an email with a link asking you to enter or confirm your bank details. Such emails should be ignored and deleted."

A link from the words "more information" just after the quote above takes you to a useful and well-written page about how to protect yourself on the Internet.

Is this enough? No, it isn't.

First of all I'd love to know how many HSBC e-banking customers have actually clicked the link, which sits where HSBC normally flogs its mortgages with a banner advert. Secondly, I would really appreciate knowing whether any of the recommendations are implemented by the few who do read it.

What should really happen is that on one login you should be taken to a concise online course on how to recognise and avoid phishing scams. Then, at the end of it, there should be a short questionnaire to judge how well the material has been absorbed. This should not be phrased as a test but as a teaser: "how well would you fare against the best phishing scams?". You would then be recorded as having taken the course and allowed to continue using your online banking.

How much effort could this be? Not much judging by the amount of effort put into the automated mortgage calculators or presentations about the latest financial products.

Why do banks not do it? Simple, if you read the fine print on your e-banking contracts it invariably says something along the lines of "if you hand your e-banking details to third parties, willingly or unwillingly, you are responsible for it".

End of story: an online course costs the bank money, you being defrauded doesn't.

Posted by arrigo at August 25, 2004 01:37 AM