[dmarc-discuss] MLM and Header-From rewriting - the SMTP open-relay analogy

Larry Finch finches at portadmiral.org
Mon Jun 9 10:49:00 PDT 2014


On Jun 9, 2014, at 1:18 PM, Murray S. Kucherawy <superuser at gmail.com> wrote:

> For the banks, there's a much simpler solution anyway. Banks should be
> S/MIME-signing all their customer-facing outbound mail, and a customer
> should know with 100% certainty that if they get a mail which isn't
> S/MIME signed with the bank's certificate, it's a fake.
> [...]
> 
> This is almost always suggested as an alternative solution to these problems.  How come it never actually happens?
> 
> My understanding is that (a) it's too hard for users to understand how to set it up and how to respond when problems occur, and (b) this isn't improving even though we come back to it time and time again, so (c) instead we continue to try to improve upon the invisible parts of the messaging infrastructure to provide that protection.
> 
> -MSK

I think that is the reason. Users for the most part are trusting. If an email says it comes from their bank, they believe it. Most banks have gone to great lengths to make it easy to verify that a message really comes from the bank, such as including an account balance or the last N digits of the account number. But if the message appears to come from the bank and doesn't have verification data, they don't notice that it doesn't and click on the link anyway. I'm pessimistic that anything can ever be done with the invisible parts to prevent phishing scams and spam, because all the message has to do is say it is from the bank, and enough users will be fooled by it to keep the cyber criminals in business. Some phishing emails even attempt to spoof the bank verification by showing the FIRST 4 digits of the account number, which, of course, is unique for each issuer. See Brian Krebs's blog (http://krebsonsecurity.com/) for just how big a business cyber crime is. It isn't going to give up its multi-billion-dollar revenue stream easily.

User education (if that is possible) is the best defense.

--
Larry Finch
finches at portadmiral.org


