Phishing: Rising to the challenge
Amy Marasco, Microsoft

Upload: shanon-carson

Post on 26-Dec-2015


Page 1: Title

Phishing: Rising to the challenge

Amy Marasco, Microsoft

Page 2: How Phishing attacks work

- Branded email message that looks like it comes from a familiar business
- Requests you to log in to your account to validate account details
- URL that points to a fake site, even though the link text may look real
- Fake site, branded to look just like the real one
- Phishing site takes your username and password and then uses them to defraud you

Page 3: Threats to Online Safety

- The Internet was built without a way to know who and what you are connecting to
- Internet services have one-off “workarounds”
  - Inadvertently taught people to be phished
- Greater use and greater value attract a professional international criminal fringe
  - Exploit weaknesses in the patchwork
  - Phishing and pharming at 1000% CAGR
- Missing an “Identity layer”
  - No simplistic solution is realistic
- Most people re-use usernames and passwords on multiple sites

Page 4: Phishing & Phraud

[Chart: New Phishing Sites by Month, December 2004 – December 2005. X-axis: Dec04, Jan–Dec05; monthly counts shown on the chart range from 1,707 to 7,197, with the month-to-value mapping not recoverable from the transcript. Source: http://www.antiphishing.org]

Page 5: Need Layered Defense

- Stop users clicking on URLs in phishing email
- Detect phishing sites and, when possible, prevent users clicking on them
- Work with the industry to move away from usernames and passwords as the authentication mechanism
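Pages 2 and 5 together describe the core phishing pattern (link text that looks like the real business while the href points elsewhere) and the defensive goal of stopping users from clicking such links. The following is an added example, not code from the slides or from Microsoft: a small Python check that parses an HTML email body and flags anchors whose visible text names one host while the href resolves to a different site. The sample email body, the hostnames and the IP literal are constructed for the example; `same_site` is a deliberately crude two-label comparison, not a real public-suffix check.

```python
"""Flag <a> elements whose visible text shows one host but whose href goes to another.

Added example for the phishing pattern described on the slides; all sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_host(url_or_host: str) -> str:
    """Return the lower-case host name of a URL or bare host (hypothetical helper)."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s          # urlparse needs a scheme to populate hostname
    return (urlparse(s).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """Crude site comparison: both hosts share their last two DNS labels."""
    la, lb = a.split("."), b.split(".")
    return len(la) >= 2 and len(lb) >= 2 and la[-2:] == lb[-2:]


def looks_like_url(text: str) -> bool:
    """Heuristic: does the visible link text present itself as a URL or host name?"""
    t = text.lower().strip()
    if " " in t or "." not in t:
        return False
    return t.startswith(("http://", "https://", "www.")) or t.endswith((".com", ".net", ".org"))


class LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every anchor in an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return one finding per anchor whose shown host and actual href host differ."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                  # plain-word link text ("Unsubscribe") cannot mislead by host
        shown, actual = registrable_host(text), registrable_host(href)
        if shown and actual and not same_site(shown, actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample body following the pattern on page 2: a branded "validate your
# account" message whose login link text looks genuine but points at an IP literal.
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, please validate your account details.</p>
<p><a href="http://198.51.100.7/contoso/login">https://www.contoso-example.com/login</a></p>
<p>Questions? Visit <a href="https://help.contoso-example.com/">help.contoso-example.com</a>.</p>
<p><a href="https://www.contoso-example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text shows {f['shown']} but href goes to {f['actual']} ({f['href']})")
```

Only the first anchor is reported: the help link's text and href agree, and the "Unsubscribe" anchor carries no host in its text, so a mismatch there cannot deceive the reader about the destination. In a mail filter this check would run alongside reputation lookups rather than replace them.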

Page 6: Improvements to Outlook 12

- Improved junk email filters
- Users can no longer click on URLs in emails in the junk email folder

Page 7: Improvements in IE7

- Phishing Filter: comprehensive anti-phishing service
  - Warns if a site exhibits suspicious behavior
  - Blocks known phishing sites
  - Instant protection via page scan and online service
- High Assurance Certs: accountability for secure sites
  - Much higher bar for granting certificates
  - Clear identification that a site has a stronger certificate
  - Industry-wide initiative

Page 8: InfoCard

- Simple user abstraction for digital identity
  - For managing collections of claims
  - For managing keys for sign-in and other uses
- Grounded in the real-world metaphor of physical cards
  - Government ID card, driver’s license, credit card, membership card, etc…
  - Self-issued cards signed by the user
  - Managed cards signed by an external authority
- Based on a series of WS* specifications
  - Shipping in WinFX
  - Runs on Windows Vista, XP, and Server 2003
- Implemented as a protected subsystem

Page 9: Summary

This is an industry-wide problem which we can only solve together.

We need the co-operation of all major sites to implement High Assurance Certificates and InfoCard.