phishing rising to the challenge amy marasco microsoft
TRANSCRIPT
Phishing: Rising to the challenge
Amy Marasco, Microsoft
How phishing attacks work
Branded email message that looks like it comes from a familiar business
Requests you to log in to your account to validate account details
URL that points to a fake site, even though the link text may look real
Fake site, branded to look just like the real one
Phishing site takes your username and password and then uses them to defraud you
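The slide's key lure is a link whose visible text looks like the real site while the href goes elsewhere. The following added example (not Microsoft's code, not from the deck) scans an HTML email body for exactly that mismatch, plus two related tricks, IP-literal hosts and userinfo in the URL; the domains and sample message are constructed.

```python
# Flag links in an HTML email whose visible text does not match the href.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Something that looks like a domain or URL in the clickable text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return (href, text, reason) for links a user should not click."""
    p = _LinkCollector()
    p.feed(html_body)
    out = []
    for href, text in p.links:
        u = urlparse(href)
        host = (u.hostname or "").lower()
        if u.username:  # http://www.bank.example.com@evil.test/ style URL
            out.append((href, text, "userinfo in URL"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            out.append((href, text, "bare IP address"))
        else:
            m = DOMAIN_RE.search(text)
            shown = m.group(1).lower() if m else None
            # Allow the real host or a subdomain of what the text shows.
            if shown and host != shown and not host.endswith("." + shown):
                out.append((href, text, f"text shows {shown}, link goes to {host}"))
    return out

# Constructed sample lure following the slide's description (hypothetical domains).
SAMPLE = ('<p>Please <a href="http://login.bank-example.test/verify">'
          'https://www.bank.example.com/login</a> to validate your details.</p>'
          '<a href="https://www.bank.example.com/help">Help</a>')
```

Running `suspicious_links(SAMPLE)` flags only the first link; the "Help" link, whose text is not URL-like, passes.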
Threats to online safety
The Internet was built without a way to know who and what you are connecting to
Internet services have one-off "workarounds"
Inadvertently taught people to be phished
Greater use and greater value attract a professional international criminal fringe
Exploit weaknesses in the patchwork
Phishing and pharming at 1000% CAGR
Missing an "identity layer"
No simplistic solution is realistic
Most people re-use usernames and passwords on multiple sites
Phishing & Phraud
New Phishing Sites by Month
December 2004 – December 2005
[Chart: new phishing sites per month, Dec04 through Dec05. Month axis: Dec04, Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec05. Data labels as extracted, in no recoverable order: 7,197; 4,630; 4,367; 5,242; 5,259; 4,564; 4,280; 3,326; 2,854; 2,870; 2,625; 2,560; 1,707]
Source: http://www.antiphishing.org
Need layered defense
Stop users clicking on URLs in phishing email
Detect phishing sites and, when possible, prevent users clicking on them
Work with the industry to move away from usernames and passwords as the authentication mechanism
Improvements to Outlook 12
Improved junk email filters
No longer click on URLs in emails in the junk email folder
Improvements in IE7
Phishing Filter: comprehensive anti-phishing service
Warns if a site exhibits suspicious behavior
Blocks known phishing sites
Instant protection via page scan and online service
High Assurance Certs: accountability for secure sites
Much higher bar for granting certificates
Clear identification that a site has a stronger certificate
Industry-wide initiative
InfoCard
Simple user abstraction for digital identity
For managing collections of claims
For managing keys for sign-in and other uses
Grounded in the real-world metaphor of physical cards
Government ID card, driver's license, credit card, membership card, etc.
Self-issued cards signed by the user
Managed cards signed by an external authority
Based on a series of WS-* specifications
Shipping in WinFX
Runs on Windows Vista, XP, and Server 2003
Implemented as a protected subsystem
Summary
This is an industry-wide problem which we can only solve together.
We need the co-operation of all major sites to implement High Assurance Certificates and InfoCard.