
Stop phishing, stop key loggers, stop identity theft.

Monday, August 29, 2005

Problems With Microsoft's Antiphishing Tool

Microsoft Corp has announced plans to release an anti-phishing tool. The new tool is similar to the one planned for release with Internet Explorer 7. Microsoft's best estimate is that the tool is 98% effective. It uses advanced logic to detect phishing sites. The problem is that it takes time to detect new attacks, and that is enough time for a phishing exploit to do its damage.

Not to mention the privacy issues raised by sending Microsoft the URL of every page you visit...

read article.

Friday, June 17, 2005

eBay Inbox Cannot Protect Against Phishing

eBay has created Inbox, a web site where eBay customers can receive messages from eBay and each other. The high volume of eBay spoofs made email an impossible medium for business communications.

Maybe eBay has been able to accomplish as much as it could have hoped for with Inbox. However, eBay spoofs continue unabated. In the period between March 1 and May 31, 2005, there were at least 89 distinct eBay phish attempts reported to various phishing reporting organizations. That's almost one per day. The actual number of exploits is likely to be higher than the reported number.

To phishers, Inbox is just another web page to be exploited (read article).

Friday, April 08, 2005

One-Time Passwords Can Be Defeated

Some banks are experimenting with one-time passwords to prevent password theft. The bank mails each customer a card containing a printed set of codes. To log on, a customer enters their PIN code (something they know) plus one of the codes from the printed card (something they have). This is known as two-factor authentication.

This scheme can be easily defeated... (read article).

Wednesday, April 06, 2005

Using Mobile Phone Text Messaging For One-Time Passwords

The National Australia Bank (NAB) will soon begin using one-time passwords. Their approach is to utilize mobile phone SMS messaging (text messaging) to auto-generate passwords and authentication codes. These codes can only be used once and are only valid for a limited period of time.

We think this approach is misguided... (read article).

Wednesday, December 08, 2004

The Problems With Biometric Authentication

One would think that on the Internet, your thumbprint, a retina scan, or a bit of your DNA would be sufficient to genuinely identify who you are. Maybe then we wouldn't need to remember a dozen or so account numbers and passwords.

Not so fast.

Biometric authentication has real problems when used on the Internet. (read article).

Thursday, December 02, 2004

Drive By Phishing - How You Can Be Hooked Without Ever Replying To Email

A new wave of phishing attacks has appeared that is likely to affect a large number of individuals without their knowledge. It does not require that you do anything more than preview and delete an email, something you already do with every unwanted spam message and potential virus that lands in your inbox.

We call it drive-by-phishing.

The email you receive does not have to pretend to come from your bank or anyone else in particular. It could look like any other spam message or could be a completely blank message. The email contains the drive-by-phishing code, written in VBScript (Visual Basic Script). This language is supported by Microsoft Outlook, Outlook Express, and Internet Explorer. Other products, such as the DeepNet Explorer browser, are built on the same underlying Microsoft technology and are also vulnerable to the exploit.

The problem is not with these tools, but rather with the default security settings on most systems. This document will describe how the exploit works and how to protect your systems.

Drive-by-phishing modifies the hosts file on your system. This file is consulted as part of the domain name resolution logic, before DNS. Normally it contains almost no entries, although it is used in some special cases. Adding or changing an entry for a domain name redirects that name to whatever address the entry gives, so a bank's web address can be silently pointed at a scammer's web site. (read article).
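One way to check a system for the kind of hosts file tampering described above, as an added example rather than code from the original post: parse the file and flag any hostname mapped to an address other than loopback or 0.0.0.0. The sample hosts file and the examplebank.com names are constructed for illustration.

```python
"""Flag hosts-file entries that redirect a hostname away from the local
machine, which is what a drive-by-phishing script leaves behind."""
import ipaddress

# Constructed sample hosts file (not a real capture). The last two lines
# mimic what a phishing script might add: bank hostnames pointed at an
# outside address from the RFC 5737 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.examplebank.com   # added by malware (constructed)
192.0.2.10      online.examplebank.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname) pairs that do not point at the local machine.
    Loopback and 0.0.0.0 (the usual ad-blocking sink) are normal; any other
    address sends that hostname to a host the user did not choose."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed address: worth a look
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} -> {ip}")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; pass its contents to suspicious_entries() to run the same check on a live system.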

Wednesday, November 24, 2004

A Troubling New Trend In Phishing - Spyware Automation

Increasingly, the largest threat to a consumer's on-line identity is not phishing email but rather the very spyware installed on their systems. Spyware doesn't just spy and steal information. It can act on behalf of its originator with automatic scripts that attack your accounts directly, from your own computer.

A new Trojan that has been infecting systems turns system fingerprinting to its advantage. It uses a consumer's own system to attack their accounts. The Win32.Grams Trojan, also known as TrojanSpy.Win32.Small.bl, Troj/Agent-AF, and TROJ_GETEGOLD.A, currently only attacks e-gold accounts. Similar variations may surface that target other accounts.

The Trojan collects your user id and password. It then opens a connection to the target account, either at the same time a consumer connects or at another time, and executes a keystroke script that automatically moves money out. (read article).
