
Software to Spot 'Phishers' Irks Small Concerns

question everything Donating Member (1000+ posts) Wed Dec-20-06 01:23 AM
Original message
Software to Spot 'Phishers' Irks Small Concerns
The Wall Street Journal

Software to Spot 'Phishers' Irks Small Concerns
By RIVA RICHMOND
December 19, 2006; Page B1

(snip)

IE7 has a security feature that will turn Web-address bars green and display owners' identities when consumers visit secure sites from businesses verified as legitimate. The color change will be a boon for consumers, who have been barraged in recent years with "phishing" scams designed to lure them to fake versions of popular Web sites, like eBay or their bank, to filch their account numbers. The hope is that the program will help reduce fraud, lift trust and boost e-commerce.

But sole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S., according to 2003 and 2004 tax data from the Internal Revenue Service, though it isn't clear how many are engaged in e-commerce.

(snip)

Microsoft says green shouldn't be considered a seal of approval, but rather a sign that the site owner is a legitimate business. The display of company names in the bar will allow consumers to confirm they're on the site they intended to visit. But Ms. Murphy and others say people will likely think green signals "go," particularly once they start using Microsoft's related Phishing Filter, a free, optional service for online shoppers that turns address bars yellow on suspicious sites and red on confirmed phishing sites. The Phishing Filter was made available Oct. 18 to current XP users with the IE7 browser.

(snip)

The new certificates, called extended validation secure-sockets-layer certificates, or EV SSL for short, are affidavits from a certificate authority both that private data are being encrypted and that the business operating the site has been confirmed as real. By contrast, current SSL certificates -- the technology that encrypts data and puts a small lock on visitors' browsers -- can be obtained with little more than a credit card and are considered ripe for abuse by con artists.

(snip)


URL for this article:
http://online.wsj.com/article/SB116649577602354120.html (subscription)


DainBramaged Donating Member (1000+ posts) Wed Dec-20-06 01:57 AM
Response to Original message
1. IE7 is a piece of shit, and it is un-installable. Firefox Lite.
Edited on Wed Dec-20-06 01:59 AM by DainBramaged
They still haven't figured out how to separate incoming cookies (all or nothing still). The phishing filter has NO memory, so it rechecks the same sites over and over again. It takes too long to check sites, and still delays site load times. And it reports "This is not a reported phishing site".

Why does it have to be reported to work?

A band aid for the stupid.

intaglio Donating Member (1000+ posts) Wed Dec-20-06 02:32 AM
Response to Original message
2. Like this is going to stop people giving out their details?
I've had phishers and they're easy to spot: they ask for your banking/personal details. You don't give 'em out like that even if they look official; you go direct to PayPal or your bank etc etc to sign up first (and you do not store the details on your computer).

Also ...

How long before the first hack to get round the colour change happens?

TheMadMonk Donating Member (1000+ posts) Wed Dec-20-06 05:18 AM
Response to Reply #2
3. Almost certainly already waiting in the wings,
Just need a few properly "validated" sites to bait the hook with.

I too know how to recognise phishing attempts, but sadly there are way too many people out there who can not or just plain will not learn. I just watched a segment on a bloke who over a three year period has spent over three hundred thousand of his own and other people's money, to retrieve his "Nigerian Inheritance". I figure this has to be in the face of at least half a dozen "expose the scammer" segments a year, which he or one would think at least one of the people he convinced to back him should have seen at least once in that period.

Some people are just too plain stupid and greedy to be allowed to handle money full stop. And I have absolutely no sympathy for them when they blissfully give it all away in the hope of finally making that big killing. I might have some sympathy for their kids, or others their actions might have hurt, but I have none for the so-called "victims" who refuse to accept the old adage: "If it sounds too good to be true, then it almost certainly is." and/or ignore multiple attempts (MSM, website and direct mail) to educate them as to the existence and dangers of phishing, before blithely handing out their most personal details to complete strangers.

By all means prosecute the hell out of the scammers if they can be located. But since it is plainly obvious (from the many "somebody should do something about these people" complaints) that these "victims" expect 'cradle to grave' nannying, give them what they want. "Victims" of such scams should have all of their financial and legal affairs managed by a competent person for the remainder of their lives.

question everything Donating Member (1000+ posts) Wed Dec-20-06 12:13 PM
Response to Reply #2
10. I thought so, too, that most people can catch the phishing
until I watched a news segment a few weeks ago about how many still send money to Nigeria to get their "inheritance" from a long lost relative.

NVMojo Donating Member (1000+ posts) Wed Dec-20-06 05:56 AM
Response to Original message
4. Opera 9.10 has a similar upgrade for anti-phishing

TheMadMonk Donating Member (1000+ posts) Wed Dec-20-06 06:50 AM
Response to Reply #4
5. If you rely on a third party to do your screening, then odds are...
you will be burnt.

"A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects." - Lazarus Long, as copywritten by Robert Anson Heinlein.

No man can become an expert in all fields, however it most certainly behooves him to get at least a passing knowledge of what's happening "under the hood" when his life is at stake. How hard is it to learn (and avoid): a short list of keywords "Nigerian", "gold", "diamonds", "oil", "inheritance"; to recognise any offer of a return in excess of the going market rate for investment accounts; equally: big bucks for a small service; and of course the oh so altruistic, "Please go to the place I direct you and enter your most personal, secret financial details."

And for those who can't get their heads around the idea of learning these things for their own safety, would be well advised to know that sometimes the easiest mark in the world is the bloke trying to empty your pocketbook. IF you recognise what he's trying to do to you before he does it.

hobbit709 Donating Member (1000+ posts) Wed Dec-20-06 07:17 AM
Response to Reply #5
7. Another LL quote
"If you bet on human greed and stupidity, you won't be wrong too often"

markbark Donating Member (1000+ posts) Wed Dec-20-06 07:57 AM
Response to Reply #5
9. I am reminded of a quote
perhaps apocryphally attributed to PT Barnum

"It is morally wrong to allow suckers to keep their money"

--MAB

hobbit709 Donating Member (1000+ posts) Wed Dec-20-06 07:14 AM
Response to Original message
6. My response to phishing emails is to have fun
The legit messages from my eBay, PayPal, bank and credit card accounts know my real name - I am addressed by that name in my emails. These also have copies of legit messages on my account page. So when I get a phishing email I have fun.
User ID: liarliar
Password: pantsonfire
Name: george bush
Address: 1600 Pennsylvania, etc.
Credit card expiration date: Jan, 09
PIN # 0666
Phone: 888-622-0117 (FBI Fraud hotline)
You get the idea (use your own variations)

I figure if these clowns' computer databases get filled with phony info, it'll make it harder for them to figure the real data from the idiots that respond with their actual info.

Tesha Donating Member (1000+ posts) Wed Dec-20-06 07:49 AM
Response to Original message
8. Like most Microsoft features, it'll be hacked...
> IE7 has a security feature that will turn Web-address bars green
> and display owners' identities when consumers visit secure sites
> from businesses verified as legitimate.

Like most Microsoft features, it'll be hacked. Or it just
won't work correctly of its own accord.

And so, some large number of persons will be bagged by
scammers when they were *SURE* they were at a valid
website 'cause IE7 told them so.

You can make book on this.

Tesha