On the forty-second page of “Security Engineering: A Guide to Building Dependable Distributed Systems”, Cambridge University security engineering pioneer Ross J. Anderson wrote (some emphasis added):
upgrade' to log on to the bank's website and authenticate themselves using a card number and an ATM PIN. Meanwhile a marketing spam from the Bank of America directed UK customers to mynewcard.com. Not only is spam illegal in Britain, and the domain name inconsistent, and clickable links a bad idea; but BoA got the certificate wrong (it was for mynewcard.bankofamerica.com). The 'mynewcard' problem had been pointed out in 2003 and not fixed. Such bad practices are rife among major banks, who thereby train their customers to practice unsafe computing—by disregarding domain names, ignoring certificate warnings, and merrily clicking links. As a result, even security experts have difficulty telling bank spam from phish.
But perhaps the worst example of all came from Halifax Share Dealing Services, part of a large well-known bank in the UK, which sent out a spam with a URL not registered to the bank. The Halifax's web page at the time sensibly advised its customers not to reply to emails, click on links or disclose details—and the spam itself had a similar warning at the end. The mother of a student of ours received this spam and contacted the bank's security department, who told her it was a phish. The student then contacted the ISP to report abuse, and found that the URL and the service were genuine—although provided to the Halifax by a third party. When even a bank's security department can't tell spam from phish, how are their customers supposed to?
2.4.6 Trusted Path
The second thread in the background of phishing is trusted path, which refers to some means of being sure that you're logging into a genuine machine through a channel that isn't open to eavesdropping. Here the deception is more technical than psychological: rather than inveigling a bank customer into revealing her PIN to you by claiming to be a policeman, you steal her PIN directly by putting a false ATM in a shopping mall.
Such attacks go back to the dawn of time-shared computing. A public terminal would be left running an attack program that looks just like the usual login screen—asking for a user name and password. When an unsuspecting user does this, it will save the password somewhere in the system, reply 'sorry, wrong password' and then vanish, invoking the genuine password program. The user will assume that he made a typing error first time and think no more of it. This is why Windows has a secure attention sequence, namely ctrl-alt-del, which is guaranteed to take you to a genuine password prompt.
If the whole terminal is bogus, then of course all bets are off. We once caught a student installing modified keyboards in our public terminal room to capture passwords. When the attacker is prepared to take this much trouble,
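The login-spoofing attack and the secure attention sequence (SAS) described in the passage above, modelled as an added example. This is my illustration code, not Anderson's and not from the book: a constructed public terminal whose driver reserves one keystroke for itself, an attacker's fake login program that harvests the password and then hands over to the real one, and the genuine login program. The credential store, the program names, the `SAS_KEY` token and the scripted keystrokes are all made up for the simulation. The point it shows is the one the passage makes: the SAS works because it is consumed by the trusted component (here the terminal driver) and can never be delivered to whatever program the attacker left running, so pressing it always unwinds that program and lands on the genuine prompt.

```python
# Simulation of the classic login-spoofing attack on a shared terminal and of
# the secure attention sequence defence. Added example, not the book's code.
# Everything here is a constructed model: the credential store, the "terminal",
# the attacker's program and the keystrokes are invented for illustration.

from dataclasses import dataclass, field

# Constructed credential store consulted by the genuine login program.
GENUINE_USERS = {"alice": "correct horse battery"}

# The keystroke the terminal driver reserves for itself (think ctrl-alt-del).
SAS_KEY = "<ctrl-alt-del>"


class SecureAttention(Exception):
    """Raised by the terminal driver when the SAS is pressed; unwinds the running program."""


@dataclass
class Terminal:
    """A public terminal: a scripted keyboard, a screen, and whichever program owns it."""
    keystrokes: list                               # constructed user input, one line per entry
    screen: list = field(default_factory=list)     # what the user sees, in order
    sessions: list = field(default_factory=list)   # users the genuine program really logged in

    def read_line(self) -> str:
        line = self.keystrokes.pop(0)
        if line == SAS_KEY:
            # The driver handles the SAS itself; the program that asked for input never sees it.
            raise SecureAttention()
        return line

    def write(self, text: str) -> None:
        self.screen.append(text)

    def run(self, program) -> None:
        """Run a program on this terminal. The SAS kills it and starts the genuine login."""
        while True:
            try:
                program(self)
                return
            except SecureAttention:
                self.write("[SAS] foreground program killed; trusted path to login")
                program = genuine_login
            except IndexError:
                return  # keyboard script exhausted; user walked away


def genuine_login(term: Terminal) -> None:
    """The real login program: checks the credential store and opens a session."""
    term.write("login:")
    user = term.read_line()
    term.write("Password:")
    password = term.read_line()
    if GENUINE_USERS.get(user) == password:
        term.sessions.append(user)
        term.write(f"Welcome, {user}")
    else:
        term.write("Login incorrect")


ATTACKER_LOG: list = []   # where the spoofer stashes what it harvests


def fake_login(term: Terminal) -> None:
    """The spoofer: looks exactly like login, keeps the password, then invokes the real thing."""
    term.write("login:")
    user = term.read_line()
    term.write("Password:")
    password = term.read_line()
    ATTACKER_LOG.append((user, password))
    term.write("Login incorrect")   # the user blames a typo...
    genuine_login(term)             # ...and the genuine prompt appears next, as if nothing happened


def scenario(user_types: list, press_sas_first: bool) -> dict:
    """An attacker has left fake_login on the terminal; the next user sits down and types."""
    ATTACKER_LOG.clear()
    keys = ([SAS_KEY] if press_sas_first else []) + list(user_types)
    term = Terminal(keystrokes=keys)
    term.run(fake_login)
    return {"harvested": list(ATTACKER_LOG), "sessions": list(term.sessions), "screen": term.screen}


if __name__ == "__main__":
    # Without the SAS the user retypes after "Login incorrect": she logs in fine, and is robbed.
    print(scenario(["alice", "correct horse battery", "alice", "correct horse battery"], False))
    # With the SAS the spoofer is killed before it can read anything; only genuine login sees the password.
    print(scenario(["alice", "correct horse battery"], True))
```

The real mechanisms work the same way: on Windows the ctrl-alt-del sequence is intercepted in the kernel and routed to Winlogon rather than to the foreground application, and Linux offers a comparable Secure Attention Key (Alt+SysRq+K) that kills every process on the current virtual console before a fresh getty appears. In both cases the guarantee rests on the key never being deliverable to user-space code, which is exactly what the `read_line` check models.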