Tuesday, July 19, 2005

Phishing without a computer

Johannes Ernst pointed me to an entry on the blog of David Cowan (a VC at Bessemer Venture Partners) outlining a real scam he conceived and executed on the spur of the moment to illustrate to his wife why he invested in so many security companies.

As with all of the "identity theft" stories in the press, Cowan illustrates why these aren't computer problems, but societal or access problems which can happen anywhere, any time.

Kim Cameron points to a Gartner study (as reported by the Wall Street Journal) which reports survey data suggesting that "Internet Scams, Breaches Drive Buyers Off the Web." Actually, though, it's stories in media such as the Wall Street Journal, which lump all manner of crime into the "identity theft" category, that drive people away from the web.

As far as I can tell, no one going directly to a bank on-line site (as opposed to clicking a weird link in their email) has ever lost a penny nor had their identity "stolen" nor been a victim of a scam (at least in regards to that transaction). Yet Cameron notes: "According to the story, 77% of concerned online-banking customers said they are using online banking services less frequently. More than 4% of those Internet banking customers concerned with fraud have abandoned online banking altogether."

People in the security community, of course, are quick to exacerbate the situation since they believe (wrongly, I feel) that it helps them sell more product. It's time for those in the IdM space - whose technology and livelihood are being dragged through the mud - to step up and begin the process of educating the public, the tech community, the analysts but especially the general press as to exactly where the problems lie.

The scariest thing about my online banking provider is that they provide two different levels of access security - one for personal banking customers (entirely web form based) and one for business banking (with a security certificate).

The other thing is that the bank only certifies the online banking service to work with Internet Explorer using non-compliant HTML and embedded javascript.

Of course, I can use the online banking services in Firefox with high security enabled by using a workaround and everything works perfectly, meaning all the fancy javascript they use (including the bit that stops you right-clicking on the page and viewing the source code) seems to only be there to be annoying, not for any real security reason.

© 2003-2006 The Virtual Quill, All Rights Reserved

