[pure-silver] OT Re: Re: Ebay

  • From: "Justin F. Knotzke" <jknotzke@xxxxxxxxxx>
  • To: pure-silver@xxxxxxxxxxxxx
  • Date: Sun, 24 Dec 2006 16:07:07 -0500

On 24/12/06, Eric Nelson <emanmb@xxxxxxxxx> wrote:


> Re: gmail, I have gotten some phishing/scammer/spam
> emails from gmail and attempts to get the source
> of the email (i.e. the ISP) end at Google.  I assume
> that is why they may be preferred as a good place to
> launch scams/spams, and phishing expeditions.


  Google is limited in how they can stop people from spoofing their
addresses. MTAs (Mail Transfer Agents) or SMTP servers often implement a type
of call back to the originating server.. So say someone attempts to spoof a
gmail address, if the receiving host implements this call back, it will
contact gmail's server and ask if this address does in fact exist.. Gmail
will then reply yes or no.. Now, this only works if the originating server
implements this function and this of course does not stop "joe jobbing",
which is when your address is used to spoof.. The call back only stops
phishers from using non-existent addresses.

   Spoofing which originates from Gmail itself probably exists, but I
suspect in very limited quantities and for not very long.

   The best approach is to implement 2nd and 3rd factor security.. Ebay and
Paypal need to implement this very quickly as the spoofing attacks on both
of those sites are very, very high.

  Generally, hackers work on the principle of the "lowest hanging fruit".
Which is to say, they go after sites that have the weakest security
measures. It looks like Paypal is starting to implement these measures.. Log
into your Paypal account, change your passwords frequently and notice
that they now have security questions.. I don't think however this uses true
2nd factor authorization (a system which checks your user patterns and when
it differs prompts the user to enter the answers to predefined questions)..

  The phishers are so good, that in a recent meeting with security
architects at a large bank here in Canada, they said they now see phishing
emails that not only steal your password and username, but also log you into
the targeted site after they steal your credentials! Imagine, you are sent
to a fake website that looks just like the website you normally visit, you
enter your credentials, they steal them and then use them to log you into
the real website! This way, you never suspect a thing.

  What's changed however, is in the past sites would claim these problems
aren't theirs since the breach didn't occur on their sites. This is no
longer the case. Websites are now responsible for phishing attacks to their
sites.

   Ok, that was all incredibly off topic.

  J



--
Justin F. Knotzke
jknotzke@xxxxxxxxxx
http://www.shampoo.ca
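
The sender-address call back described in the message above, as an added example that is not part of the original post or of any real MTA: the origin server, its mailbox list and the domain table are constructed stand-ins for the sender domain's server and the MX lookup, and callout_verify is a hypothetical receiving-side check. It also shows the limitation the post names, a forged but existing address (a "joe job") passing the check.

```python
"""Simulated SMTP sender-address callout ("callback verification").

Constructed, in-memory model of the check: the receiving MTA opens a
session to the claimed sender domain's server and asks, via RCPT TO,
whether the envelope sender exists. Nothing here touches the network.
"""
from dataclasses import dataclass, field


@dataclass
class OriginServer:
    """Stand-in for the sender domain's MTA answering the probe."""
    domain: str
    mailboxes: set                      # known addresses, stored lowercase
    transcript: list = field(default_factory=list)

    def probe(self, address: str) -> str:
        """Run the minimal callout dialogue and return the RCPT TO reply."""
        # Null sender (<>) so the probe itself can never trigger a bounce loop.
        self.transcript += ["C: MAIL FROM:<>", "S: 250 OK"]
        self.transcript.append(f"C: RCPT TO:<{address}>")
        reply = "250 OK" if address.lower() in self.mailboxes else "550 5.1.1 No such user"
        self.transcript += [f"S: {reply}", "C: QUIT", "S: 221 Bye"]
        return reply


# Constructed sample: the pretend "gmail.example" server knows two mailboxes.
ORIGINS = {
    "gmail.example": OriginServer("gmail.example", {"alice@gmail.example", "bob@gmail.example"}),
}


def callout_verify(mail_from: str) -> bool:
    """Receiving MTA: accept the envelope sender only if its domain's server confirms it."""
    domain = mail_from.rpartition("@")[2].lower()
    origin = ORIGINS.get(domain)        # stands in for the MX lookup
    if origin is None:
        return False                    # simplification: a real MTA would usually defer here
    return origin.probe(mail_from).startswith("250")


if __name__ == "__main__":
    # A forged, non-existent mailbox: the callout rejects it.
    print(callout_verify("support-team@gmail.example"))   # False
    # A "joe job" forging a real mailbox: the callout cannot tell, so it passes.
    print(callout_verify("alice@gmail.example"))          # True
    print("\n".join(ORIGINS["gmail.example"].transcript))
```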
