We all don’t like spam. But when an e-mail from your bank turns out to be a phisher looking for your account information, it’s beyond annoyance. Over in the lab, we propose a clever idea for combating this stuff.
Thursday, August 24th, 2006
Joel Nagy said:
Jenn, the idea we put forth was for identifying the sender of an email, not for login authentication. Does Bank of America provide some sort of security measure in emails they send you to let you know that they are indeed the true sender?
Joshua said:
BoA sends emails saying that you need to check your online customer mail. You have to log in to their website, thus getting the sitekey. They never email information except that you need to log in.
mike mills said:
With your suggested system of email verification, the second party must have your key.
Dual confirmation certainly is secure in communication.
With spam telephone callers I simply ask them if they have a password to talk to me! If they do not, I hang up.
This way I can use my old and favourite [and inadequate] password again “yoda” which hardly meets the standards of a modern password.
Most modern banks do not have an accessible telephone number so that you can telephone the branch to find whether a particular email or telephone caller is legitimate.
I suggest that you talk to your bank and tell them that unless they allow you to phone them, you will take your business elsewhere. I did. I can now phone the bank.
Now that the telephone has been dealt with, I suppose that the next step is the regular post, “snail mail”! When the post office is paid to deliver unwanted and unsolicited physical mail to our mailboxes, is it any surprise to find that the same phenomenon is happening with electronic mail?
Adrien Lavoillotte said:
That should be slightly more complex though. Like passwords, people would tend to put the same image everywhere. As soon as there is a data leak (email address + picture) from one of the trusted sources, the recipients would be far more easily deceived than these days when they’re encouraged not to trust first.
To make it more secure, they should be educated to:
1. Customize their picture for each site in some way (handwriting the site name, watermarking)
2. Still not trust e-mail information, but only login requests
3. Type the URL of the site, instead of clicking login links, which can also be easily faked
Managed Services said:
I worked with email and specialized in spam a few years back. The implementation has to be easy (upload a picture, include it in all transactional emails). I think this is a really good first step. I can see spammers using a generic image of a car, beach, etc. to try and cause more confusion.