Inside Risks 140, CACM 45, 2, February 2002
Oldtimers remember slashes (/) through zeros [or through the letter O where there was no difference] in program listings to avoid confusing them with the letter O. This has long been obsoleted by advances in editing tools and font differentiation. However, the underlying problem of character resemblance remains, and has now emerged as a security problem.
The Homograph Attack (read more)
Inside Risks 178, CACM 48, 4, April, 2005
Two-factor authentication isn’t our savior. It won’t defend against phishing. It’s not going to prevent identity theft. It’s not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.
Two-Factor Authentication: Too Little, Too Late (read more)
Financial Cryptography, 2005
Modeling and Preventing Phishing Attacks (read more)
A variety of computer networks are vulnerable to so-called stealth attacks. While there are many types of stealth attacks, they all have one thing in common (which is the very reason, of course, for their name) – the attackers are hard to detect. In some cases, it is even hard for a victim to determine that he was attacked – days or weeks may pass before this becomes evident. By then, it may be too late, as in the meantime, the attacker may collect and even modify information that was not intended for him. The attacks can be mounted against both wired and wireless networks, but the relative ease with which they can be used to attack users of wireless networks poses a particular threat within a variety of settings, including public hotspots. Moreover, stealth attacks pose a particular threat in the context of identity theft. A particular type of stealth attack we describe herein is the so-called “doppelganger window attack”. This can be mounted in a similar fashion to the typical phishing attack, but poses a greater threat than current phishing attacks. This is so since the doppelganger window attack defeats traditional methods for mutual authentication, which would otherwise have been a meaningful defense against phishing. We describe a new security technique, delayed password disclosure, that provides security against doppelganger window attacks. It can be based on any known method for mutual authentication, and its security can be proven to be the same as that of the underlying method – in addition to security against the doppelganger window attacks.
Stealth Attacks and Delayed Password Disclosure (read more)
A man was arrested Monday for allegedly setting up a phony Internet portal site to lure victims into giving personal data, an official said. Police said it was Japan’s first arrest linked to a form of identity theft called phishing.
Man Charged for Trying to Steal User Data (read more)
Internet fraudsters have launched a new attempt to obtain bank customers' account information. The latest attack targets users of the Sparkassen online banking service.
Phishing Attack on Sparkassen Customers (read more)
It’s harder to pharm than to phish, but recent incidents prove that some hackers don’t mind the extra work.
The looming threat of pharming (read more)
The Anti-Phishing Working Group identified around 3000 active phishing sites for the month of April. Although this is a slight decline compared with the previous month, the quality of the phishing attacks appears to be changing. That, at least, is the conclusion of security specialist Websense, which supplies the base material for the Anti-Phishing Working Group.
Phishing: Small Banks Increasingly Targeted (read more)