Quote:
Originally Posted by Rick Latona
Like I posted above, I would advise against that.
Wrong -- if anything, that's the best means of defence against future attacks. A solution to phishing is posted below.
---------------------
Of course, there has to be a better answer to this problem, and five readers in the past week have suggested it. Forget Max Levchin's idea of using bounties. But let's embrace what was at the essence of Max's idea, which is enlisting millions of Internet users in the cause.
If the bad guys out-number the cops by 1,000-to-1, Internet users must outnumber the bad guys by 100,000-to-1 or more.
Fear of punishment won't deter phishing, yet that's all traditional law enforcement has to offer. It's fear of UNPROFITABILITY that will finally work.
The simple way to kill phishing is by making it harder for the phisher to make money from it. Right now, a phisher sends out a million e-mails and gets back 100 replies that yield positive data. There is almost no effort involved in sending out the e-mails after the first one, and the quality of the return data is very high. No wonder this is such a popular business!
Let's change that. If you get phishing e-mail, go to the web sites and enter false data. Make up everything -- name, sign-on name, password, credit card numbers, everything. Instead of one million messages yielding 100 good replies, now the phisher will have one million messages yielding 100,000 replies of which 100 are good, but WHICH 100?
This technique kills phishing two ways. It certainly increases the phishing labor requirement by about 10,000X. But even more importantly, if banks and e-commerce sites limit the number of failed sign-on attempts from a single IP address to, say, 10 per day, theft as an outcome of phishing becomes close to impossible.
No bounties are required, no cops, no parallel webmail systems that force us to log-in to e-commerce sites when they tell us to. Phishing just becomes a very unprofitable business, which it should be.
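As an added illustration of the second half of the proposal (it is not part of the original post or of any named site's code), the sketch below implements the per-IP cap on failed sign-on attempts, ten per day, and replays a constructed "harvest" of mostly bogus credentials from one address against it. The limiter class, the user store, the IP address and the harvest are all invented for the example.

```python
"""Per-IP failed sign-on limiter (added example, not from the original post).

The post proposes capping failed sign-on attempts from a single IP address at,
say, 10 per day. This sketch keeps a sliding 24-hour window of failure
timestamps per IP and refuses further attempts once the cap is reached, so a
pile of mostly fabricated credentials replayed from one address is cut off
after the cap, whether or not a genuine pair is buried in it.
All names, the credential store and the traffic below are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 60 * 60   # one day, as in the post
MAX_FAILURES = 10               # the post's suggested cap per IP per day


class FailedLoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # ip -> failure timestamps (seconds)

    def _prune(self, ip, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip]) >= self.max_failures

    def record_failure(self, ip, now):
        self._prune(ip, now)
        self._failures[ip].append(now)

    def failures_in_window(self, ip, now):
        self._prune(ip, now)
        return len(self._failures[ip])


# Constructed credential store: exactly one real account exists.
VALID_CREDENTIALS = {"alice": "correct-horse"}


def attempt_login(limiter, ip, username, password, now):
    """Return 'ok', 'denied' (bad credentials) or 'blocked' (cap reached).

    A blocked attempt is never checked against the store, so once the cap is
    hit the caller learns nothing about whether a pair was valid."""
    if limiter.is_blocked(ip, now):
        return "blocked"
    if VALID_CREDENTIALS.get(username) == password:
        return "ok"
    limiter.record_failure(ip, now)
    return "denied"


def replay_harvest(records, ip, start=0.0):
    """Replay a list of (username, password) pairs from one IP, one per second.

    Models the post's 'which 100 are good?' pile: mostly junk, a few real.
    Returns a count of attempts per outcome."""
    limiter = FailedLoginLimiter()
    counts = {"ok": 0, "denied": 0, "blocked": 0}
    for i, (user, pw) in enumerate(records):
        counts[attempt_login(limiter, ip, user, pw, start + i)] += 1
    return counts


if __name__ == "__main__":
    # Constructed harvest: 50 junk entries followed by the single genuine one.
    harvest = [("user%d" % i, "junk%d" % i) for i in range(50)]
    harvest.append(("alice", "correct-horse"))
    print(replay_harvest(harvest, ip="203.0.113.7"))
```

Only the first ten junk pairs are even evaluated; everything after them, the genuine pair included, is refused without touching the credential store. The per-IP key is deliberately the post's own choice and is a blunt one: many legitimate users share a single NAT address, so a shared-IP lockout also blocks them, which is why deployed systems usually pair it with a per-account counter and a durable shared store rather than this in-memory dictionary.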