with their e-mail addresses as their login name, he said. They also require additional information for registration or password reminders, or use other security measures.
eBay is one online business that does not allow registration and password reminder attacks. The auction Web site stopped using e-mail addresses as user IDs before phishing became an issue, and it has taken other protective measures in its registration and password-reminder process, said Scott Shipman, senior counsel for eBay's global privacy practice.
"It is all designed to prevent the unauthorized disclosure of information, be it the simplest piece of information, such as whether or not that e-mail address or user ID is actually a valid user ID on the site," Shipman said.
In eBay's case, the reminder feature for user IDs gives the same response, regardless of whether the e-mail address is registered with the site. "The language of the error message will not tell you whether or not it was a valid account," Shipman said.
What will foil the attacks?
Attacks work only if sites generate a different response depending on whether an e-mail address is registered with the site or not.
Designing a Web site to not leak information about users is what all site operators should do, the eBay executive added. "It is an example of a type of practice that is a best practice," he said.
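As an added illustration (not code from the article, eBay or any named site), the snippet below contrasts a password-reminder handler whose reply reveals whether an address is registered with one that answers identically either way, applies the same idea to registration, and includes a regression check a site operator can run against both. The account store and addresses are constructed placeholders.

```python
import secrets

# Constructed sample account store; the addresses are placeholders.
REGISTERED = {"alice@example.com", "bob@example.com"}


def remind_leaky(email: str) -> tuple[int, str]:
    """Vulnerable pattern: the reply reveals whether the address has an account."""
    if email in REGISTERED:
        return 200, "A password reminder has been sent to your e-mail address."
    return 404, "No account is registered under that e-mail address."


def remind_uniform(email: str, send=lambda to: None) -> tuple[int, str]:
    """Hardened pattern: identical status and wording either way.

    The reminder is still sent, but only to registered addresses; queue the
    mail asynchronously so response time does not become a second oracle.
    """
    if email in REGISTERED:
        send(email)
    return 200, "If that e-mail address is registered, a reminder has been sent."


def register_uniform(email: str, send=lambda to, existing: None) -> tuple[int, str]:
    """Registration with the same idea: never answer 'already taken' on the page.

    An existing account holder gets a 'you already have an account' e-mail;
    a new address gets the confirmation link. The HTTP response is the same.
    """
    send(email, email in REGISTERED)
    return 200, "Check your e-mail to finish setting up your account."


def leaks_existence(handler, known_registered: str) -> bool:
    """Regression check for site operators: compare the visible response for a
    registered address against a random, certainly-unregistered one."""
    probe = f"probe-{secrets.token_hex(8)}@example.invalid"
    return handler(known_registered) != handler(probe)
```

The check only covers the visible status and body; a real deployment should also watch response timing and any per-case redirects.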
Hostile profiling is only one way phishing messages are getting more targeted. Earlier this month, security researchers reported that stolen consumer data was used in phishing scams to rip off individual account holders at specific banks.
Jevans at the Anti-Phishing Working Group said that Blue Security's study highlights an emerging phishing threat, and agreed that online organizations should take steps to eliminate vulnerable registration and password-reminder features.
"I think the research is real. You can certainly code your site to not do that, and you probably should," he said.
Never use the same email address twice
by hadaso May 26, 2005 5:52 AM PDT
Never use the same email address for registering in different places. Or at least: use a dedicated address with services such as your bank or other financial businesses you work with. The recipient address is the only part of an email message that must be real for the message to reach you (the envelope-to address, not the one in the message headers. It's the same as with snail mail: the address on the envelope must be correct if the mail is to reach you).
Look for "disposable e-mail address" services such as sneakemail.com or spamgourmet.com (there are several others; these are the two I use). The name "disposable" is misleading. This is actually the kind of address you want to give to your bank so that you know that only your bank can send to that address, and your bank doesn't send to any other address. Then you would know for sure when an email that claims to be from your bank is really from your bank. There are several other ways to benefit from using multiple addresses, and the best-known use is to reduce the damage spammers can do to you. It's easier to replace an address given to a few people than to replace an address you gave to everybody who ever needed to send you something. And addresses that are used a lot eventually need to be replaced when they get too much spam.