Preserving the Internet Channel Against Phishers

Adam Shostack, August, 2005

Introduction

With the rise of "phishing" attacks, bank customers are becoming worried and confused by conflicting messages about the security and privacy of their online banking. Some security experts are publicly suggesting not banking online. Others compare it to an arms race, where users will learn to tolerate fake email scams and the depletion of their bank accounts like they've learned to tolerate viruses.

But customers have a choice of banks, and they have a choice of banking channels. The thing that no one wants is for customers to go back to the VRUs (voice response units) and call centers, or worse, to branch storefronts. The costs are simply too high.

So how should banks use email to communicate with their customers? (This is not a sales pitch: This is a suggested road forward for institutions that are increasingly under attack by con-men and fraudsters.)

What Is Phishing

First, let's look at what phishing is. There are many technical answers, but the core of phishing is that people are drawn to a website, mistakenly thinking it belongs to a company that they trust. There are a couple of core elements here. The first is the phishing email. These can be bulk or targeted. Criminals use exactly the same mail merge technology companies use, and will insert any details they can: name, address, account number (or the last 4 digits), SSN (or the last 4), your logo or copyright statements, and so on. All of this is designed to convince the recipient that it's OK to click the link and visit the bank. That's crucial: without that feeling that it's OK to click, the victim never reaches the fraudster's site.

That is where we must concentrate our defense: we must stop the victim from feeling that it's OK to click the link. But how? SSL (the little padlock) doesn't help. Anyone who operates the domain cb.pharmphr33.supersecure.com can buy a certificate for it. It's easy. Almost anything you can do in an email, the fraudster can duplicate.

And therein lies the key. Use the several established channels you already have in concert. Use the customer as an ally. Move them away from clicking links to selecting bookmarks.

The four steps:

  • No HTML email. HTML email opens all sorts of possibilities for hiding things. Train your users to expect short and simple messages, telling them that you have something important to tell them.
  • No links in email. Always refer to the bookmark you encourage users to create from their paper statements.
  • All your websites must belong to you, and show up under your domain. Do not acclimatize users to treat other URLs as yours. If you get your users used to sites with names like "cb.pharmphr33.supersecure.com," then you shouldn't be surprised that they don't get worried when they are phished there.
  • Fire people who violate these rules. Give a substantial finder's fee to the first person who reports the violation, whether that person is an employee, a whistleblower, or a customer.

Consistency in following these rules will allow your users to develop habits that are hard to game. Failure to follow these rules leads to a continuation of the arms race. The casualties are your brand, your customers, and your online banking service delivery.
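As an added example (not part of the essay, and not code from its author), here is a small Python lint that an institution could run over its outbound customer email templates to enforce the first three rules mechanically: flag any HTML part, flag any link at all, and flag as the worst case any link whose host is not under a domain the institution controls. The domain bigbank.example stands in for the essay's placeholder "BigBank", the two sample messages are constructed for the example, and the lookalike host cb.pharmphr33.supersecure.com is the one the essay uses.

```python
"""Lint outbound customer email against the rules above.

Added example, not the essay's own code. Assumes a hypothetical
institution that controls the domains listed in OWN_DOMAINS.
"""
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: the domains the institution actually operates.
# "bigbank.example" stands in for the essay's placeholder "BigBank".
OWN_DOMAINS = ("bigbank.example",)

# Absolute http(s) URLs and bare "www." hostnames embedded in text.
URL_RE = re.compile(r'(?i)\b(?:https?://|www\.)[^\s<>"\')]+')


def url_host(url: str) -> str:
    """Hostname of a URL as a browser would resolve it.

    urlsplit().hostname drops userinfo, so a trick such as
    https://bigbank.example@evil.example/ resolves to evil.example,
    and a trailing dot (text ending "www.bigbank.example.") is stripped.
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_own_host(host: str) -> bool:
    """True only for OWN_DOMAINS and their subdomains.

    Matching on the dotted label boundary rejects lookalikes such as
    bigbank.example.evil.example and notbigbank.example.
    """
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def lint_message(raw: str) -> list:
    """Return (rule, detail) findings for one RFC 822 message; [] means compliant."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            # Rule 1: no HTML email at all.
            findings.append(("HTML_PART", ctype))
        for match in URL_RE.finditer(text):
            url = match.group(0)
            if is_own_host(url_host(url)):
                # Rule 2: even links to our own site are banned; the customer
                # should reach us through the bookmark from the paper statement.
                findings.append(("LINK", url))
            else:
                # Rule 3: a URL outside our domain teaches customers that
                # foreign names are "ours", which is exactly what phishers need.
                findings.append(("FOREIGN_LINK", url))
    return findings


# Constructed sample: the plain, link-free note the essay recommends.
COMPLIANT = """\
From: BigBank Customer Service <service@bigbank.example>
To: customer@example.net
Subject: A note from BigBank
Content-Type: text/plain; charset=us-ascii

For your safety online please bookmark BigBank. We have posted a
message for you; please log in using your regular bookmark to read it.
Our URL and phone number are always in your printed statements.
"""

# Constructed sample: the kind of message the rules forbid.
NONCOMPLIANT = """\
From: BigBank Alerts <alerts@bigbank.example>
To: customer@example.net
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please verify your account at https://www.bigbank.example/verify
or use our secure partner site https://cb.pharmphr33.supersecure.com/login

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>Please <a href="https://bigbank.example@cb.pharmphr33.supersecure.com/">verify now</a>.</p></body></html>
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, lint_message(raw) or "OK")
```

Run as a pre-send gate, a non-empty result from lint_message blocks the template. The host check is deliberately a suffix match on label boundaries rather than a substring match, since "contains bigbank" is exactly the test a phisher's domain is built to pass.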

Earlier versions of this essay used the unfortunate word "training." The word carries way too much baggage because training your users is hard and expensive. My intent has always been that the institutional email would take on a recognizable, repeated form, and that form would be harder to spoof than the current emails my banks send me.

For your safety online please bookmark BigBank. We will never ask you to click on a link, or send you flashy email. We will send you short notes when we need to communicate with you, asking you to log in with your regular bookmark. Because con men have gotten so good at pretending to be us, we will always be brief and to the point. If you have questions, our URL and phone number are always in your printed statements.

Earlier versions of this essay also used a title that was ineffective for selling the ideas herein. Those blog posts were: Don't Use Email Like a Stupid Person and More on Using Email Like A Stupid Person. The many insightful comments compel me to link to them. I've also added a section "What Phishing is," as I realized it was missing.