Thoughts on Phishing
Similar to the theme of my previous post (one year ago, shame on me), I felt that the world had moved on to what I’d call second generation Phishing. Phishing 2.0?
Previous iteration of Phishing had victims visiting bogus websites but the 2.0 version acts as a proxy so that your first transaction does go through (say if you want to check your bank balances). What it does then is to silently steal your login & password. No word if any malware boasts that they are successful (Ha! In your face! Victim!)
TAC messages are used by some banks to prevent this but nothing solid is really in place to prevent a proxy Phisher from asking for it anyway. When the malware / Phishing website has your trust, nothing will stop it.
So it occurs to me that Phishing extends to mobile apps as well. Speaking to industry players in the mobile app development world and IT Security guys, it seems seldom does a company (banks, cinemas, airlines etc) implement mechanisms to identify the integrity of the mobile app talking to their servers.
We have seen SecureWords (those little pictures or words you select during registration) that pops up before you login, to tell you the company is trusted and is not someone else. But nothing to tell the company that the application is their own.
In my ramblings to my colleagues I always challenge why is it so hard to develop some hashing functions that gets passed along to the server to say “yep, I’ve not been modified or imitation in any way” (simplifying it greatly just to prove a point, the detailed steps is probably too technical).
I feel there’s lots more that can be done both on education and technical implementation to deter Phishing, but I’m from the camp that believe that even if a user is not educated (I always use my grandma in presentations, sorry Grams), the technical controls should prevent it. That’s called serving the 18 to the 80.
Just to share something recent: When I was registering this address, I was also paying my income tax. The first website I went to was htp://www.lhdn.gov.my. Now imagine my surprise that it’s actually for sale. The official site is http://www.hasil.gov.my. Now it’s income tax filing season, if I can make that mistake, what is there to stop me from registering the site and use it to Phish for login credentials?