Discussion: Hosts Not Doing Enough Against Phishing?

Published on Mar 31, 2007   //  Discussion

Weekly Discussion

This week PayPal lashed out saying hosts do not do enough to fight against Phishing.

“Web-hosting services need to do a better job of taking down phishing websites. Some of the most well known hosting services are some of the slowest,” said Sullivan. “If the sites were taken down more quickly, fewer people would be taken in.”

I know we respond to all phishing issues in an hour or less. I don’t think the problem is really with hosts but education of the public. This education should be done by hosts, ISPs, merchant providers and banks.

What do you think hosts could do to fight phishing? Would you be willing to give up hosting features on your site to ensure that phishing would not happen?

7 Comments to “Discussion: Hosts Not Doing Enough Against Phishing?”

  • To me the most important is user education, self policing, and heavy criminal penalties.

    anyway…
    It’s funny that PayPal would say that, because there are lots of things they could do themselves to stop this.
    One is SiteKey. There are other methods also.

    Of course, if we can have the site, the host and the ISP working together, this would reduce it much more.

    But it is also up to the end user to educate themselves. Because even if all 3 (site, host, ISP) figure a good way to stop this, the thief could always either call you by phone or send a letter to your home address…? (Social engineering.)

    So this is what I do to make its life more miserable.
    (I say “its” because I don’t consider them human.)

    When I find a phishing/pharming site which is trying to phish or pharm info out of me, I give them false info, and tons of it.
    And I’ll call a few friends and get them to do it also. If everyone did this, then the thief would be flooded with millions of false info forms.

    “Would you be willing to give up hosting features on your site to ensure that phishing would not happen?”

    Depends…
    Would this be 100%? Would it be unbreakable?
    Chances are no…
    So would we be giving up more freedom for a fake sense of security? I’m not really down with that.

  • I know that a few hosts have started to disallow software that is continuously attacked by phishing. Most of it is open source software that has been poorly secured that allows them to upload these phishing files.

  • I think that the first and most important step is user education. Some people seem to turn off their brains whenever they go online, and they fall for things that I find insanely obvious (I need help transferring 15 MILLION $US through your bank account…).

    I don’t think that the web hosts should get too involved with this, as I’m afraid it could slip and eventually remove other rights from users. For example, creating a parody website that isn’t intent on doing any wrong could be banned as it could be considered as a phishing means.

  • AAAh. I agree with that then…
    It’s like that formail script, who wants that on their servers…
    It would also push the open source community to secure their software better.

  • Here is a weird thought or two, call them lessons.

    “DON’T CLICK ON LINKS IN EMAILS IF YOU DON’T KNOW THE SOURCE!!!”

    “BANKS DO NOT SEND EMAILS ASKING FOR YOUR ACCOUNT DETAILS . . . EVER!”

    “IF IT SOUNDS TOO GOOD TO BE TRUE, IT PROBABLY IS”

    I mean, come on, “Send me $10,000 to get my daddy’s money out of the country”

    How stupid do you have to be to send the money?

  • Yes, as said before, education of the public is the most important. There’s really only so much Hosts and ISPs can do to help prevent Phishing Attacks.

    First of all, Hosts need to monitor their clients’ accounts, to ensure no Phishing sites exist on them. But it must be done without breaking the users’ privacy. They should possibly filter email coming in, and ensure the user finds out if the email is a possible fake or not (see what Google does with Gmail, which has a little “banner” at the top of the email saying “This email may not be who it says it’s from. Click here to learn more”). But, of course, making such filters is time consuming and costly. That’s probably why most sites don’t do much against Phishing. In fact, Web Hosts and ISPs would probably need a team of more than 3 people to keep up with Phishing Attacks. “The Phishing Team”. :P Some ISPs might already do this, but I’m not sure about Web Hosts.

    Soon we might need Hosts who offer dedicated servers and colocation to monitor sites on the server, since Phishing sites are more likely to slip through the cracks on their own server than on shared hosting.

    But there’s still only so much Hosts and ISPs can do. Maybe Operating System makers should do something… Anti-Virus Software (I know Symantec Norton Internet Security 2007 comes with a Phishing Filter, only for IE, though). Etc.

  • Yes, but most of the more popular open source software is secure… The thing you just need to look out for is less popular open source software and… client-written software. Software people write themselves is usually not very secure, since people don’t know how to properly protect against attacks, XSS attacks, SQL injections, etc. Maybe BlueFur should have PHP Security Tutorials, or maybe I’ll write some on my blog. :P Or maybe everybody should (that is, people who know how to secure their scripts). :P LOL.