
Fight Phishing With Branding

John Levine

Phishing, stealing personal information by impersonating a trusted organization, is a big problem that's not going away. Most antiphishing techniques to date have attempted to recognize fake e-mail and fake web sites, but this hasn't been particularly effective. A more promising approach is to brand the real mail and real web sites.

In the physical world, banks have marble counters, vaults with heavy steel doors, and other physical objects that are hard to fake. A building that looks like a bank probably is a bank. But on the internet, any random $2/mo web host or botted PC can host a web site that looks exactly like a real bank's web site, and can send spam that looks exactly like a real bank's e-mail. Given that the number of phishers and botted PCs greatly exceeds the number of real banks, it's not surprising that the bad stuff pops up faster than we can swat it.

For the past two years, web browsers have supported "green bar" SSL certificates, which are in effect an assertion by whoever sold the SSL certificate that they have verified that the certificate holder really is who they say they are. (This increased level of scrutiny is actually about the same as all certificate vendors originally required, but that horse left the barn some time ago.) If we can train users to look for a green bar and distrust web sites without them, it might help them avoid being phished. In effect the green bar is a brand for a legitimate web site.

The green bar is only practical because there is a cartel of SSL vendors who all agreed to add green bar certs with the same rules and approximately the same price. What can we do where there isn't a cartel, like e-mail?

My advice would be to allow multiple brands. As a concrete example, Vouch by Reference (RFC 5518) provides a way for an organization to list the domains whose signed mail they certify. The current version of VBR only describes the way to determine whether a message is certified, but it would not be hard to extend it so that each certifying organization could publish a logo image that a mail program could display in a hard-to-forge way, e.g., in a reserved part of the mail window.

Our standard example is that the FDIC, the government agency that insures banks in the US, could publish VBR records for the domains of its member banks. Then if the banks sign their mail and use VBR, a mail program that checked the FDIC's VBR list could display the familiar FDIC logo when the message appears. Other phish targets could similarly band together to have a trade association or regulator vouch for them. Just as web browsers come configured with a modest-sized list of trustworthy green bar signers, mail programs would need a list of credible VBR certifiers, but the extra level of grouping that VBR provides would make the list manageable, e.g., one entry for all the banks in each country, rather than one entry per bank.
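The receiving-side check that the two paragraphs above describe, as an added example (not code from the post or from any VBR implementation): the VBR-Info tags (md, mc, mv) and the <md>._vouch.<mv> TXT query name follow RFC 5518, while the certifier and bank domain names, the DNS answers and the logo file name are constructed stand-ins. The MUA consults only certifiers on its own trusted list, never one the sender merely names, and only after the md domain has already been authenticated (DKIM or SPF), since the header itself is just text anyone can type.

```python
from typing import Dict, Optional

# Trusted certifier list the MUA would ship with, in the spirit of the
# post's "one entry per country" idea (constructed). Maps the vouching
# service's domain to the logo the MUA is allowed to display for it.
TRUSTED_CERTIFIERS: Dict[str, str] = {
    "vouch.fdic.example": "fdic-logo.png",   # constructed placeholder
}

# Constructed stand-in for DNS. RFC 5518 puts the vouching data in a TXT
# record at <md>._vouch.<mv>, listing the message types vouched for.
FAKE_DNS_TXT: Dict[str, str] = {
    "bigbank.example._vouch.vouch.fdic.example": "transaction all",
    "smallcu.example._vouch.vouch.fdic.example": "transaction",
}


def parse_vbr_info(header: str) -> Dict[str, str]:
    """Split a 'md=...; mc=...; mv=...' VBR-Info value into a tag dict."""
    tags: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def txt_lookup(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query against the constructed table."""
    return FAKE_DNS_TXT.get(name.lower())


def vouched_logo(header: str, authenticated_domains: set) -> Optional[str]:
    """Return the logo to display, or None if no trusted certifier vouches.

    authenticated_domains: domains DKIM/SPF already validated for this
    message; a VBR claim about an unauthenticated domain is ignored.
    """
    tags = parse_vbr_info(header)
    md = tags.get("md", "").lower()
    mc = tags.get("mc", "").lower()
    if not md or not mc or md not in authenticated_domains:
        return None
    # mv may name several certifiers; skip any not on the MUA's own list
    # (this is what keeps a self-declared "BOGUS" certifier from counting).
    for mv in (m.strip().lower() for m in tags.get("mv", "").split(",")):
        if mv not in TRUSTED_CERTIFIERS:
            continue
        record = txt_lookup(f"{md}._vouch.{mv}")
        if record is None:
            continue
        vouched_types = record.split()
        if mc in vouched_types or "all" in vouched_types:
            return TRUSTED_CERTIFIERS[mv]
    return None
```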

To make this effective, consumers will also need to remember to look for the logo, but brand marketing is a standard business practice, particularly when it can piggyback on a brand like the FDIC's that's already well known in the offline world.

By John Levine, Author, Consultant & Speaker.

Related topics: Cybercrime, Security, Spam


Comments

Bank domains Daniel R. Tobias  –  Jun 09, 2009 4:23 PM PDT

If banks would consistently use their normal domain, instead of lots of silly marketing gimmick domains, there would be more chance people could recognize and distinguish their real mail and websites from impostors.  Instead, for instance, Citibank uses citibank.com, citi.com, citicards.com, and a bunch of others.

It's even more complex.... Michael Hammer  –  Jun 12, 2009 9:52 AM PDT

It's even more complex because Banks (and other organizations) outsource marketing and other functions to 3rd parties. In many cases it is hard to match up the brand with the Mail From domain with the From domain. To make it even worse there may be "legitimate" links to yet other domains (for example surveys). I don't think the average email user could follow the logic (assuming they are willing to even try) and determine the risk without falling on the floor in convulsions.

Anonymous businesses John Klensin  –  Jun 10, 2009 11:11 AM PDT

In addition to the advantages of legitimate enterprises minimizing the number of domains they use, rather than inventing new ones for every promotion, it seems to me that there is little or no excuse for a business that is sending email to promote a product, or running a web site that is trying to sell something, to hide its identity or make contact information secret or inaccessible.  I'm very much in favor of privacy options for individuals using the network, but, no matter how many surveys ICANN runs about whois accuracy, as long as they and the various registrars and web hosting firms permit entities to do business under domain names whose ownership is secret and not authenticated by anyone, they are both part of the phishing and malware problems and profiting from them.

I'm not against the VBR suggestions John makes above and/or some other ideas, but it would be very useful to use the tools we have first.  By permitting companies (legitimate and otherwise) to hide behind concealed-identity registrations ("proxy" or otherwise) we defeat those tools and, ultimately, weaken other name-validation and name-certification systems.

I agree that the registrar race to John Levine  –  Jun 10, 2009 1:39 PM PDT

I agree that the registrar race to the bottom was an unfortunate mistake, but I don't see any realistic hope of putting that genie back in the bottle and getting registrars to know their customers.  Partly that's because of ICANN's institutional ineffectiveness, partly it's because of the small but very vocal anonymity absolutist lobby who are defending the rights of what appears to be an entirely hypothetical set of people who desperately need anonymous domain registration but seem OK with the lack of anonymous versions of everything else you need to work online.

Please assume that I was making two John Klensin  –  Jun 12, 2009 12:53 PM PDT

Please assume that I was making two separate suggestions.  One is the one you identified — getting registrars to take at least some responsibility for authenticating their customers.  In principle, that actually should be possible: ICANN has contracts with registrars, a mandate to ensure accurate contact information, and big claims that they are committed to Internet security (or at least big budget — we were told last week that 20% of their impressive total budget goes into security).  In practice, they could presumably make such a change only bottom-up.  And "bottom-up", in this case, would require the approval of the registrars --including the bottom-feeders whose business models depend on these problematic behaviors.  Calling that "institutional ineffectiveness" rather understates the problem, but that aspect of the problem isn't going to get fixed with ICANN as we know it.

But the other part of the suggestion depends on the observation that I've never heard even the folks you characterize as "anonymity absolutists" make a serious claim that I should be able to run a business that offers things for sale to others, take their money and/or ask them for personally-identifiable information to facilitate such a sale, _and_ be anonymous.  Asking a registrar to not accept registrations with hidden identity information, and insisting that "whois" records not point to hidden identity information, without certification from the registrant that they are not using that domain to conduct business, is a rather different situation from asking the registrar to actually authenticate the registrants or from cutting off individual-use anonymous registrations.  That wouldn't prevent the bad guys from lying about their identities or contact information, but that act is generally considered to be criminal behavior if it is done in conjunction with, e.g., selling things or collecting funds.  Today, registering in a way that keeps one's identity and contact information secret appears to be perfectly legal in most contexts.

Forcing the bad guys to break existing and well-tested laws (not just fuzzy and weak anti-spam or hastily-written "cyber-something" statutes) seems to me to be A Good Thing.

I'm pushing on this, not because I believe that VBR is a bad idea, but because the use of VBR as you have described it basically sets up yet another unrooted PKI.  The model depends on trade associations or regulators certifying their members, which is fine, but there are lots of those.  That means fairly large cert stores in your hypothetical mail client (I don't see that as a problem except for small portable devices, but there are a lot of those) but, more important, it means presenting end users with the equivalent of "the sender of this message has been vouched for by the 'Big Organization of Growing Ubiquitous Systems', do you want to accept the certificate?" messages.  And we know exactly how typical end users respond to those messages and how far those arrangements get us.

One could assume that BOGUS would never show up as a certifier/voucher or that no one would take them seriously, but, if the absence of VBR indications became significantly helpful in identifying phishers, that assumption would be inconsistent with our experience in the marketplace… with your observation about registrars rushing toward the bottom being part of that experience.

And, of course, that assumes not only that the certification is done but that MUA implementers support yet-another message preference-determining or safety-indication system, a significant new one of which seems to appear every six or nine months. 

I'd like to see us pushing to see how existing mechanisms can be made effective, rather than deploying ever more mechanisms that will protect the more alert users for a while but that ultimately rest on mechanisms that have already proven to be largely ineffective in practice and at scale.

Bad guys already break the law John Levine  –  Jun 12, 2009 3:18 PM PDT

I've sat next to people from the EFF who say that anyone should be able to register a domain with no identification.  They'd probably be OK with a promise from the anonymous registrants not to use their domain for business, but given that the bad guys already are breaking laws all over the place they'll just lie.

A lot of security systems are designed on the implicit assumption that most people will behave themselves and the bad guys will be handled as exceptions. That's a poor assumption in a world where 95% of mail is spam, and the majority of domains are owned by speculators.  If you can set up a domain in two minutes, but it takes two days to turn off a phish site (those are realistic numbers) there's no way to keep up with them. That's why I want a way to slow down creation of things that look like familiar businesses.

Slowing down creation of legitimate businesses John Klensin  –  Jun 13, 2009 6:18 AM PDT

A lot of security systems have also been designed on the assumption that the bad guys are stupid and/or not particularly determined to accomplish their goals, i.e., that, if inconvenienced, they will move on to other careers or at least other neighborhoods.  In recent years, those assumptions have been repeatedly demonstrated to be false in the spam case: receivers who are sophisticated manage to shift a higher percentage of the received spam (and phishing attacks) to those who don't, but the total amount sent just keeps going up.

In that context, I'm concerned that your "branding" approach will be only a temporary, and then small, inconvenience to the bad guys.  If the technique is even slightly effective, criminals will either find branding/vouching agents who will certify almost anyone (and specifically other criminals) for a small fee or who, possibly for other considerations, will certify first and collect credentials and fees later — just as they have found DNS registrars who behave in the same ways.  Or, if that does not work, they will set up their own, since there are no restrictions at all on setting up a branding organization with a fancy logo.  They would not have even the barrier to get an ICANN registrar agreement or to work with someone who has one, a barrier that has shown no evidence of preventing bad behavior.

In the process, you put another barrier in front of those who are trying to create legitimate businesses on the Internet.  That, in turn, tends to create more concentration of businesses (signing up with AmazHooBay stores permits one to use their branding and certificates rather than paying someone to issue a certificate to you directly and convincing them that you are authentic) and a new way to victimize the unwary (unless it is in a regulated industry, I'd expect legitimate certifiers to require background checks, bonds, etc., for new businesses — maybe appropriate, but probably costly -- while less scrupulous ones would see a business opportunity for low-priced certification).  That isn't desirable in this economy.  It might be worthwhile if it would be significantly effective long-term, but I don't think the evidence points that way.

Your bank analogy works as well as it does because it is a regulated industry with a well-known trade association/ regulator.  Even then it doesn't work especially well because there are financial institutions not insured by the FDIC — notably credit unions (even federally insured ones) in the US and all of the institutions outside the US.

Put enough certifiers into the mix and we are back to where we started: certificate management overwhelms the typical user; those of us who can and do manage those things carefully and with a high degree of sophistication are better protected from a threat that is causing, at most, inconvenience today (i.e., the number of phishing attacks to which you or I fall victim does not go down at all); and those who are less sophisticated about these things get to sift through an increasing number of logos and certificate assertions (or incur the machine overhead to do so), but are not incrementally protected at all.

It's not intended as a panacea John Levine  –  Jun 13, 2009 7:02 AM PDT

You're quite right that yet another race to the bottom would be a poor idea. But I also don't think there's any need to brand all mail--it's only important for organizations that are likely to be phished.

I also don't want to make the mistakes that people made with SSL.  It is a strong countermeasure to a fairly exotic threat, snooping on traffic in transit, which was oversold to the point that everyone wanted an SSL cert because users thought it made a site "secure", but with no distinction among the signers. If branding is going to work, it needs strong brands, which means that MUAs have a small country-specific set of brands that are well known to the users.  It's true the FDIC insures some banks and the NCUA insures others, but that doesn't mean they can't do a joint vouching service, perhaps with both logos or just the FDIC's better known one.

This is a tough problem, but "call the cops if you see something illegal" is way too simple, and I can tell you from conversations with actual cops it's essential to winnow down the damage so they can concentrate their limited resources on the worst.

First, when you get an FDIC-NCUA alliance John Klensin  –  Jun 13, 2009 8:29 AM PDT

First, when you get an FDIC-NCUA alliance agreement to do this, and to do it with a logo arrangement that cannot be faked well enough to confuse the casual user by someone sending out HTML pages, please let us know.

But, as I'm sure you are aware, NCUA charters only "Federal" Credit Unions, not the many state-chartered ones.  I don't know whether their relationship with the state-chartered ones that they insure via NCUSIF would permit them to certify those organizations in this way, but I imagine it would be an interesting conversation.  And, while they insure what their web site describes as a "substantial majority" of the state-chartered institutions (95% according to http://www.nascus.org/state-cu-facts.htm), that leaves somewhat over 285 institutions (including those in Puerto Rico) in US States and Territories with affiliations to neither FDIC nor NCUA/NCUSIF and for which one would have to start tracking down individual state regulators and getting them to play.  Would getting certification for only those that are members of FDIC or NCUA be sufficient to make this worthwhile?  Perhaps, but, of course, the first step for the bad guys would be to concentrate on those other institutions, possibly with Nigerian-like "we just found an inheritance from your long-lost great uncle… please send your personal credentials" notes.

And this discussion is very US-centric.  As a probably-relevant example, I don't know whether, in the EU, one certificate would be required or one per member state.  If it is the latter, we would probably already be in the certificate overload area.

So, again, my question isn't whether this is useful.  It is whether it would actually solve a problem or merely cause the bad guys to quickly adjust their strategies and go back to business as usual.

As far as the cops and the "worst damage" is concerned, what I hear from the "real cops" I talk with is that phishing stopped being a cottage industry a long time ago, with those who are unsophisticated and unmotivated long gone.

I should have added that the banks John Klensin  –  Jun 13, 2009 9:33 AM PDT

I should have added that the banks and credit unions aren't the only targets.  I've seen phishing messages claiming to be from various brokerage and mutual fund firms, which implies that you would need to get yet another set of regulators or associations involved to make this effective.

We agree about MUAs needing to have small country-specific lists of well-known brands and associated certificates.  I just don't see a way to make those lists small enough to be useful without, e.g., very significant regulatory structure changes.

I also note that these are the same banks and other financial institutions who, with few exceptions, have been unwilling to exert even the minimal effort to enable user-selected, institution-specific, subaddresses for email correspondence.  While not nearly as sophisticated as a vouching/certificate system, such systems, used intelligently, would stop an overwhelming percentage of phishing schemes in their tracks and would not be vulnerable to faked certificates or criminal or sloppy certifying organizations.  The same institutions have also been unwilling to exert the slightly more significant effort required to send out signed messages using existing and well-supported systems (e.g., S/MIME).  Going to the web site of an institution with which I'm already doing business, authenticating myself on that web site and vice versa (yes, I understand how that system can be attacked today, but, if it is, I have other problems), and then downloading and installing a signing certificate specific to it would be less trouble --since all popular MUAs already come with the needed software installed-- than enabling and deploying an entirely new system.

So, good luck with this.

Branding is ok, but how? Alessandro Vesely  –  Jun 10, 2009 12:14 PM PDT

The task of aggregating all mail senders under a restricted set of certifiers looks quite hard. For example, if Hotmail came out with such a list, rejecting or silently dropping messages without the green bar, lots of ESPs would try and get certification from one of those certifiers in the list. However, we certainly don't want that behavior and would blame Microsoft if it did so. In addition, some don't like giant providers to dictate rules: Since the Internet is free and open, the list of certifiers should be globally agreed. Just let certifiers open their business. What are the advantages of being certified? The green bar will not actually show up until there is a decent amount of certified mail that uses it. Certifiers will starve… What if certified mail gets whitelisted from content filtering and greylisting? It may work as an incentive, receivers start seeing VBR-Info headers, and may end up trusting some of them.  Senders, however, don't know which certifiers their target domains trust, and cannot learn whether they have been whitelisted. It is senders who possibly pay for being certified, after all. Verified Hello?

I would also agree that whois should be better. However, it is often easier for a new horse to be born than for a dead one to revive.
