I just received yet another phishing email, entitled "Citibank Account Verification". By all appearances, this is a legitimate-looking email: logos, copyrights, privacy statement and terms and conditions links...

...except of course that Citibank would never ask its customers to verify their accounts like this! The link in this email takes you to an unnamed IP address, with a page that asks you to enter all sorts of information, such as your ATM #, PIN, account #, etc.
Bruce Schneier (I think) wrote about our false sense of security online. When you walk into your local bank branch, you feel very secure in the fact that it really is a branch of your bank. The random ATMs tucked away in odd corners of our public spaces look less legitimate, but we trust them just the same. When you log into your bank online, however, how do you really know you're connecting to your bank? We trust the domain name system far too much.
In his August 15, 2004 Crypto-Gram, Bruce addresses the financial ramifications of phishing scams for financial institutions. It seems to me that financial institutions would do well to invest in Public Key Identity systems: generate a key pair, give every customer the public key, and sign every outgoing email with the private key. Customers can then check the signature and know that they are really getting authentic email from the bank.
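The sign-then-verify flow described above, as an added example that is not part of the original post: the bank generates a key pair and signs each message, the customer's mail client checks the signature against the bank's public key, and a tampered message or one signed by a phisher's own key fails the check. The post names no algorithm; Ed25519 from Go's standard library is my choice here, and distributing the public key to customers is assumed to happen out-of-band (the hard part in practice, which S/MIME and OpenPGP solve with certificates and key servers).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail pairs an email body with the signature the sender attached to it.
type SignedMail struct {
	Body      string
	Signature []byte
}

// NewKeyPair generates a signing key pair. For the bank, the private key never
// leaves the bank; the public key is handed to every customer (assumed out-of-band).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignMail is what the bank does to every outgoing message.
func SignMail(priv ed25519.PrivateKey, body string) SignedMail {
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, []byte(body))}
}

// VerifyMail is what the customer's mail client does with the bank's public key.
// It returns true only if the body is byte-for-byte what the bank signed.
func VerifyMail(bankPub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(bankPub, []byte(m.Body), m.Signature)
}

// Demo runs the three cases a customer could face and reports which ones verify:
// a genuine bank message, the same message with its body altered in transit, and
// a message a phisher signed with a key pair of their own. Bodies are constructed.
func Demo() (genuineOK, tamperedOK, forgedOK bool, err error) {
	bankPub, bankPriv, err := NewKeyPair()
	if err != nil {
		return false, false, false, err
	}
	genuine := SignMail(bankPriv, "Your statement for August 2004 is now available.")
	genuineOK = VerifyMail(bankPub, genuine)

	// Same signature, altered body: the signature no longer matches.
	tampered := SignedMail{Body: "Please verify your account at http://[placeholder-ip]/", Signature: genuine.Signature}
	tamperedOK = VerifyMail(bankPub, tampered)

	// The phisher can sign with their own key, but the customer only trusts the bank's.
	_, phisherPriv, err := NewKeyPair()
	if err != nil {
		return false, false, false, err
	}
	forged := SignMail(phisherPriv, "Citibank Account Verification: enter your PIN here.")
	forgedOK = VerifyMail(bankPub, forged)
	return genuineOK, tamperedOK, forgedOK, nil
}

func main() {
	g, t, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v forged=%v\n", g, t, f)
}
```

Only the message signed with the bank's private key verifies; the customer never has to judge logos or copyright footers, only whether the signature checks out against the one public key they were given.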
How much money will financial institutions have to lose before they realize they need to spur the solution?
