- Related Stories
-
Week in review: The love of the game
November 12, 2004 -
Week in Review: Election takes center stage
November 5, 2004 -
Week in review: iPod rocks on
October 29, 2004
Phishing scammers typically send out an e-mail that appears to come from a trusted company, such as a bank or an e-commerce Web site. The phishing messages attempt to lure people to a bogus Web site, where they're asked to divulge sensitive personal information. The attackers can then use those details to steal money from the victims' accounts.
Companies are paying a hefty amount to fix phishing damage. In many cases, they make good on their customers' losses. Companies are also spending money to educate customers about fraud prevention, and the cost of polishing up a tarnished brand is hard to estimate.
As part of that effort, banks are looking to bring down the number of phishing attacks by adopting two-factor authentication, which would require people to produce two forms of identification, according to Microsoft. The company's chief security strategist, Scott Charney, said that companies had failed to adopt the technology as fast as he would have liked.
"We haven't had as much adoption as you would hope for," Charney said at the Microsoft IT Forum in Copenhagen. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."
Microsoft has been focusing a lot on security, as well as coming under a lot of security scrutiny. This week, three more vulnerabilities were found in version 6 of Internet Explorer. That brings the total number of IE vulnerabilities disclosed in the past two months to 19, including eight flaws fixed by Microsoft during its October patch cycle.
The latest flaws were found by two different researchers and could be used together to allow malicious content to bypass a mechanism in Microsoft Windows XP Service Pack 2 that alerts people about potentially harmful programs. The third vulnerability could be used to overwrite the cookies of a trusted site to hijack a Web session, if the site handles authentication in an insecure manner.
later one we all knew, so no surprises there. As far as phishing
goes though, I think e-mail providers should do their part to
help prevent phishing by making spoofing email addreses a lot
harder. For instance, at the present, spoofing your email address
is as simple as downloading one of hundreds of the free
programs, or taking ten minutes to write a simple perl script (or
whatever language they want to use; perl is just the most fun).
Then your victem has a nice little e-mail in their inbox from
whoever@wherever.whatever you want. For instance, paypal. To
prevent this, the email providers should AT THE VERY LEAST
mark all suspected spoofs as just that.
-Charre