Solutions to net security fears

[Steve]

The BBC reports that banks are devising new online authorisation techniques to ensure that users are who they say they are, and are logging into the right places, following public concerns.

Fake bank e-mails, or phishing, and stories about ID theft are damaging the potential of using the net for online commerce, say e-business experts.

Trust in online security is falling as a result. Almost 70% of those asked in a poll said that net firms are not doing enough to protect people.

The survey of more than 1,000 people reported that 43% were not willing to hand over personal information online.

[The article]

[Moby-Dick]

sounds like secureID type login to me. Are "The Public" daft enough to fall for phishing ?

I guess it goes to show that a fool and his money are easily parted. There is an equal ammount of risk from skimming ( although isn't chip + pin supposed to get round that ? )

[Steve]

My take on things - phisers wouldn't keep trying if people out there didn't bite, so yes some of "the public" are "daft enough", or perhaps just unwitting.

[rajagra]

My take on things - phisers wouldn't keep trying if people out there didn't bite, so yes some of "the public" are "daft enough", or perhaps just unwitting.

Cost of sending out a million phishing emails: near nothing.
Profit if 0.01% are tricked into replying: a small fortune.
Punishment handed out by courts if by some miracle you are convicted: short prison sentence and a fine less than the amount you've stolen.
Phishing will continue as long as the expected rewards outweigh the expected punishment.
Same as with spamming.

It's easy to look down on victims of phishing, but online fraud could hit any of us. I'm paranoid about online banking. Imagine if you slightly mistyped the web address and were taken to a fake site that acted as a "portal" to the real site. Everything you type is forwarded to the real site, and everything it returns comes back to you. Everything looks normal, but the fake site is sitting there in the middle able to see everything sent. Encryption doesn't help - both paths would be encrypted, and only the fake site is privvy to both channels. Scary stuff. I'm amazed I haven't read about it being done. Maybe it's considered irresponsible to even mention the idea publicly. But if I've thought about it, you can bet a criminal has too.

[badass]

Cost of sending out a million phishing emails: near nothing.
Profit if 0.01% are tricked into replying: a small fortune.
Punishment handed out by courts if by some miracle you are convicted: short prison sentence and a fine less than the amount you've stolen.
Phishing will continue as long as the expected rewards outweigh the expected punishment.
Same as with spamming.

It's easy to look down on victims of phishing, but online fraud could hit any of us. I'm paranoid about online banking. Imagine if you slightly mistyped the web address and were taken to a fake site that acted as a "portal" to the real site. Everything you type is forwarded to the real site, and everything it returns comes back to you. Everything looks normal, but the fake site is sitting there in the middle able to see everything sent. Encryption doesn't help - both paths would be encrypted, and only the fake site is privvy to both channels. Scary stuff. I'm amazed I haven't read about it being done. Maybe it's considered irresponsible to even mention the idea publicly. But if I've thought about it, you can bet a criminal has too.

This is what the PKI on the internet is about. If you accidentally log into a faked site you will get a security warning saying the issuer of the site's certificate is not trusted. So unless you ignore the big security warning you get, you cannot access the site. It will not let you unless you trust the certificate publisher.