Phishing for ideas…
Another day, another ridiculous “foolproof” phishing solution proposed. This time, with the added benefit of another bogus TLD. Not just any old TLD, though — a scamtastic $50,000 per registration TLD that puts the .mobi and .xxx debacles to shame! This time, it’s .bank being proposed. And why won’t it work? The same reason people are still getting scammed by random domains now. Nobody’s looking!
The scam URL will just go from chase.com.any.random.domain.ru to chase.bank.any.random.domain.ru — and it won’t make a damn bit of difference to anyone. From the Slashdot discussion, “Foolproof systems do not take into account the ingenuity of fools.” An ingenious solution was thrown down by bhmit1:
Instead of stopping phishing by preventing stupid users from doing stupid things, let’s instead make it harder for the phishers to blend in with the other bank traffic. I’ll suggest (again) that every financial organization make a “catch a phisher” link on their page that provides a unique (so that phishers can’t build a list of the trojans) account number / login information that the intelligent users can request from the bank. The users will provide this red-flagged account information to the phisher, who upon logging in a few times with these flagged accounts causes the banks to silently freeze other transactions placed from the same source until they can determine whose account data has been compromised. You may also be able to keep the phisher connected enough to determine where they are located to assist with law enforcement. It’s something like a distributed honey-pot attack against the phishers that will make their job very hard very fast and quickly eliminate phishing attacks against organizations that implement this scheme.
I know I’d be more than happy to participate in such a system. It’d probably be a lot of fun too. I wonder if, for all the alarmist bellyaching banks do about this problem, any of them would be willing to try out something different.
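The scheme bhmit1 sketches above, in working form as an added example (it is not code from the post, the Slashdot thread, or any bank): a registry mints a unique decoy credential per volunteer request, a detector counts decoy logins per source address, flags the source once the count reaches a threshold, silently holds later transactions from it, and reports which real accounts also logged in through that source. The hit threshold of 2, the event shapes, the usernames and the RFC 5737 addresses are all assumptions constructed for the example.

```python
import hashlib
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Decoy logins from one source before that source is flagged. The comment says
# "a few times"; 2 is an assumed value chosen for this example.
HIT_THRESHOLD = 2


def _digest(password: str) -> str:
    """Decoy passwords are stored only as a SHA-256 digest, never in plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class CanaryRegistry:
    """Decoy credentials handed out via the bank's 'catch a phisher' link."""

    def __init__(self):
        self._entries = {}  # decoy username -> (password digest, volunteer)

    def issue(self, volunteer):
        """Mint a credential unique to this request so a phisher cannot compile a
        list of known decoys. In a real deployment the username format must be
        indistinguishable from genuine customer IDs; this format is illustrative."""
        username = "c" + secrets.token_hex(5)
        password = secrets.token_urlsafe(12)
        self._entries[username] = (_digest(password), volunteer)
        return username, password

    def match(self, username, password):
        """Return (volunteer, password_matched) if username is a decoy, else None.
        The username alone identifies a decoy: a phisher may mistype the password,
        and no genuine customer ever holds one of these usernames."""
        entry = self._entries.get(username)
        if entry is None:
            return None
        return entry[1], entry[0] == _digest(password)


@dataclass
class PhishDetector:
    registry: CanaryRegistry
    threshold: int = HIT_THRESHOLD
    # source address -> volunteers whose decoys were replayed from it
    canary_hits: dict = field(default_factory=lambda: defaultdict(list))
    # source address -> genuine account names that logged in from it (at any time)
    accounts_seen: dict = field(default_factory=lambda: defaultdict(set))
    flagged: set = field(default_factory=set)
    held: list = field(default_factory=list)  # transactions silently frozen for review

    def on_login(self, source, username, password):
        hit = self.registry.match(username, password)
        if hit is None:
            # Record genuine logins per source even before any flag exists, so the
            # bank can later work out whose real credentials passed through a phisher.
            self.accounts_seen[source].add(username)
            return "suspect" if source in self.flagged else "ok"
        volunteer, _password_matched = hit
        self.canary_hits[source].append(volunteer)
        if len(self.canary_hits[source]) >= self.threshold:
            self.flagged.add(source)
        # The decoy login is not rejected: the phisher sees nothing unusual.
        return "canary"

    def on_transaction(self, source, account, amount):
        """Silently hold transactions from a flagged source; nothing is reported back."""
        if source in self.flagged:
            self.held.append((source, account, amount))
            return "held"
        return "allowed"

    def compromised_accounts(self, source):
        """Genuine accounts whose credentials were used from a flagged source."""
        return set(self.accounts_seen[source]) if source in self.flagged else set()


def run_demo():
    """Replay a constructed event sequence and return a summary for inspection."""
    reg = CanaryRegistry()
    det = PhishDetector(reg)
    alice_user, alice_pw = reg.issue("alice")  # alice fed this decoy to a phishing page
    bob_user, bob_pw = reg.issue("bob")        # bob fed a second decoy to the same page
    phisher, bystander = "203.0.113.7", "198.51.100.4"  # constructed, RFC 5737 ranges
    outcomes = [
        det.on_login(phisher, "carol", "carols-real-password"),  # stolen genuine credential
        det.on_login(phisher, alice_user, alice_pw),             # first decoy: one hit
        det.on_transaction(phisher, "carol", 900),               # below threshold: allowed
        det.on_login(phisher, bob_user, bob_pw),                 # second decoy: source flagged
        det.on_transaction(phisher, "carol", 2500),              # now silently held
        det.on_login(bystander, "dave", "daves-password"),       # unrelated customer
        det.on_transaction(bystander, "dave", 40),
    ]
    return {
        "outcomes": outcomes,
        "flagged": sorted(det.flagged),
        "held": det.held,
        "compromised": sorted(det.compromised_accounts(phisher)),
        "volunteers_hit": det.canary_hits[phisher],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things the replay makes visible that the comment glosses over: detection is delayed by the threshold, so carol's first transfer through the phisher's host goes through before the second decoy arrives; and freezing by source address affects every customer behind that address (a shared proxy or NAT), so the hold is best treated as a review queue rather than an automatic decline.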