Given all the phishing fears around, a lot of people are not very inclined to trust any email at all that says it's from a bank.
Some banks deal with it in different ways:
1. My wife has a Citibank account, and her statement (the only email they're supposed to send her) is in a PDF that has a unique password that's assigned to her. Phishers would have to already have phish data about a card before generating that password, so it is not likely they'd go to the time and expense of phishing there.
2. My bank (HSBC) just doesn't send email. They have a closed webmail interface on their e-banking site, where just two entities can send email that each other can see: HSBC support staff through their ticketing system, and me. Works just fine for me, I'd say.
On the matter of HSBC, that would explain the tactic used in the latest HSBC-phish I received.
"You did not read our internal security message that have been dispatched last week. You have received an important internal message from our bank concerning your account status. You got this email due to the fact that all other ways of contacting you were either not specified or did not reach you. We strongly advise you to review the message as soon as possible. [...bogus link...]"
Re: Phish-Proofing URLs in Email? – Daniel R. Tobias – Apr 19, 2005 7:21 AM PST
Some banks (Citibank is a good example) don't help the situation, since they insist on using a whole profusion of silly-marketing-gimmick domain names instead of logical subdomains of their main domain; this means that customers can never be entirely sure which links are legitimate. If they were all in citibank.com, you'd know they're real, but instead you have to know that they also use citi.com, citicards.com, a bunch of other citi[something] domains, and also some less-obvious ones like (I think) accountonline.com.
It seems to me that MUAs and e-mail-aware security programs like A/V should be in the business of looking for HTML links where the body of the link is an HTML link that doesn't agree with the actual target. Not hard at all to write. I ought to nag Microsoft to put it into Outlook Express pronto.
Banks should simply not include links in their communications. If a bank or other institution must communicate via unencrypted email, they should simply say "visit our secure website for a message", with no link at all. If we have online banking we already know how to find the bank's website, don't we?
Also, isn't it high time that all online banking users received SecurIDs when they open their accounts? The price per unit is extremely low now, and it seems like a reasonable precaution.
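The two checks the post above asks for, a client-side test for link text that disagrees with the href it points at, and an allowlist covering the bank's spread of domains, as an added example in Python. This is not code from the original thread or from any mail client; the domain allowlist and the sample message are constructed for illustration.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example for this thread, not code from the original posts or from any
mail client. It implements the two checks the posts ask for:
  1. MISMATCH: the visible link text looks like a URL or hostname but names a
     different site than the href actually points to;
  2. OFF_DOMAIN: the href's host is not one of the institution's known domains
     (the problem created by Citi's spread of marketing domains).
The domain allowlist and the sample message are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist; a real deployment would take this from the bank's
# published list. (These are the domains named in the thread.)
CITI_DOMAINS = {"citibank.com", "citi.com", "citicards.com", "accountonline.com"}

# Link text a reader would take for an address: optional scheme, optional
# "www.", then a dotted hostname, optionally followed by a path or port.
_HOSTLIKE = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/:?#]|$)",
    re.I,
)


def host_of(url: str) -> str:
    """Lowercase host of a URL ('' if it has none); schemeless input is tolerated."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the .com/.example hosts
    used here; production code should consult the Public Suffix List instead."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def check_links(html: str, allowed=CITI_DOMAINS):
    """Return a list of (kind, visible_text, href) findings; empty means clean."""
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        shown = _HOSTLIKE.match(text)
        if shown and registrable(shown.group(1).lower()) != registrable(href_host):
            findings.append(("MISMATCH", text, href))
        if registrable(href_host) not in allowed:
            findings.append(("OFF_DOMAIN", text, href))
    return findings


# Constructed sample: one classic bait link, two legitimate ones.
SAMPLE = """
<p>Dear customer,</p>
<p>Sign in at <a href="http://citibank.com.login-verify.example/x">https://www.citibank.com/</a>
to confirm your details, or use <a href="https://www.citicards.com/">citicards.com</a>.
<a href="https://accountonline.com/">Click here</a> for your statement.</p>
"""

if __name__ == "__main__":
    for kind, text, href in check_links(SAMPLE):
        print(f"{kind}: text {text!r} -> href {href!r}")
```

The bait link is caught twice: its text names citibank.com while the href lands on login-verify.example, and that host is not on the allowlist. A "Click here" link gives the mismatch test nothing to compare, which is exactly why the allowlist check is needed as well; the price of the allowlist is that someone has to maintain it, which is the complaint about Citi's domain sprawl.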
Re: Phish-Proofing URLs in Email? – Justin Bajko – Apr 26, 2005 11:58 AM PST
Agreed regarding the comment about bank customers receiving SecurID tokens. Identity management is a subject that is most often sorely overlooked in the financial sector when it comes to its customers. Almost every person I know that works for a bank in a technical capacity carries a SecurID token, so the infrastructure is obviously in place. Why not extend it to the customers?
Also, banks require that users have browsers capable of encryption, so, why not require that they have e-mail clients that are equally capable? Signed and encrypted e-mail would go a long way to thwart this stuff, if you ask me, and the process to install a personal certificate is really not that complicated.
Re: Phish-Proofing URLs in Email? – Alec Berry – Apr 27, 2005 7:59 AM PST
Is this necessary? I have installed ClamAV and SpamAssassin on our mail server; the few phishing attempts that make it through Clam get stopped by the URL lookups in SpamAssassin.
I do like the idea of SecurIDs, however. How about using the fancy microchip that's embedded in my bank card?
Re: Phish-Proofing URLs in Email? – Alec Berry – Apr 27, 2005 8:06 AM PST
No, but that is what the article is about. I'm not sure what other types of phishing channels you are referring to… hacking the bank's home page is a different technical issue (has that been done yet?).
Re: Phish-Proofing URLs in Email? – Doug Otis – May 01, 2005 3:31 PM PST
I agree that simply trusting the signature would be a way banks could prevent phishing. Currently S/MIME is readily available, but a major OS manufacturer's prevalent use of “pretty” names rather than showing the mailbox address (which indicates the key selected) greatly weakens this solution. DomainKeys also looks interesting in respect to offering real sender protections. At least with a signature scheme, if there is a breach in security, there are fewer places that problems could occur.
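Bajko's and Otis's comments come down to the same point: an S/MIME or DomainKeys signature is bound to a mailbox address, so a client that renders only the "pretty" display name lets a sender dress an unrelated mailbox up as the bank. The following is an added example in Python, not code from the original thread or from any mail client, that pulls the display name and the real mailbox apart and flags a display name that itself looks like an address or domain for some other site. The sample headers and the expected domain are constructed; it does not verify any signature, it only exposes what a signature would bind to.

```python
"""Separate a From: header's display name from the mailbox it actually carries.

Added example for this thread, not code from the original posts or from any
mail client. A signature (S/MIME, DomainKeys) is bound to the mailbox address,
not to the display name, so the mailbox is what the user needs to see. This
helper returns both and flags a display name that itself contains an address
or domain for a different site. The sample headers and the expected domain are
constructed for illustration.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# An address or bare domain hiding inside a display name, e.g. "security@hsbc.com".
_NAME_ADDR = re.compile(r"(?:[a-z0-9._%+-]+@)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def domain_of(mailbox: str) -> str:
    """Domain part of an addr-spec, lowercased ('' if there is no '@')."""
    return mailbox.rsplit("@", 1)[1].lower() if "@" in mailbox else ""


def check_from(raw_headers: str, expected_domain: str):
    """Return (display_name, mailbox, problems).

    problems is a list of strings; empty means the header is consistent with
    mail from expected_domain. Nothing here verifies a signature; it only
    shows the address a signature would be bound to.
    """
    msg = HeaderParser().parsestr(raw_headers)
    name, mailbox = parseaddr(msg.get("From", ""))
    mbox_domain = domain_of(mailbox)
    problems = []
    if not mailbox:
        problems.append("no mailbox address in From")
    elif mbox_domain != expected_domain.lower():
        problems.append(f"mailbox {mailbox} is not at {expected_domain}")
    hidden = _NAME_ADDR.search(name)
    if hidden and hidden.group(1).lower() != mbox_domain:
        problems.append(f"display name shows {hidden.group(0)} but mailbox is {mailbox}")
    return name, mailbox, problems


# Constructed samples: the display name is all a "pretty name" client shows.
PHISH = (
    'From: "security@hsbc.com" <alerts@hsbc-online-verify.example>\n'
    "Subject: Important internal message\n\n"
)
GENUINE = "From: HSBC Online Banking <noreply@hsbc.com>\nSubject: Statement\n\n"

if __name__ == "__main__":
    for raw in (PHISH, GENUINE):
        name, mailbox, problems = check_from(raw, "hsbc.com")
        print(f"shown as {name!r}, actually {mailbox!r}: {problems or 'ok'}")
```

For the constructed phish the client would display "security@hsbc.com" while the mailbox, and therefore any key selected for it, belongs to hsbc-online-verify.example; the helper reports both the wrong domain and the misleading name. The genuine header passes. The practical fix the two posters are asking for is simply to render the mailbox next to the name, which is what this returns.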
Oh, HSBC also has this prominent banner on their homepage that warns you not to click on URLs you get in email.
Hmm, this time they have a link to a short tutorial on basic internet security linked from there.
Take a look at https://www.ebank.hsbc.com.hk to see what I mean. It's a JavaScript link so I can't post the URL here :(
First, for the best banking phish you've ever seen, read this page: http://www.antiphishing.org/phishing_archive/04-19-05_BOA/04-19-05_BOA.html
So you think email is the only channel phishes are sent over? :)