Tuesday, January 25, 2011

Monday, April 26, 2010

Phishing: A Solved Problem? (1)

WHENEVER I read about another identity theft or account hack using a phishing attack, I always think--this is ridiculous. We're in 2010 and these kinds of attacks simply should have been wiped out by now. We have at least two different kinds of secure communication technologies which are widely used on the internet, both in email correspondence and on the Web; but the wider world of home internet users simply has no idea about the security benefits they're missing out on. That needs to change.

First, a quick summary of how a phishing attack happens: you get an email message from your bank asking you to click on a link to go to their website and update your account information. Oh, and usually if you don't your account will be put on hold. You click the link and put in all your account and login data, send it off, and that's it. You've been phished. Because the email wasn't from your bank and the site you went to wasn't your bank's, it was a phony that just looked real.

How did this happen? Two steps: first, you got an email that seemed to be from your bank, but wasn't. Second, you went to a site that seemed to be real, but wasn't. In this two-parter, I want to discuss why these two things simply shouldn't be possible in this day and age. To start with, I'll discuss why email exchanges between businesses and customers should be secure and worry-free, but sadly are not.

The Phony Email: A Solved Problem
Email is a very insecure means of communication. It's not a design flaw; the academic community that first created email never imagined that it would be used for anything more than informal exchanges between students, researchers, and the like.

Every email message you get passes through multiple computers on the internet, each of which can easily keep a copy before passing it on. Also, an email can be crafted to look like it came from anyone at all. This is what lets a phishing attack start.

But the twin problems of (1) not knowing who really sent you an email, and (2) being sure that no one else has read the email, have essentially been solved for almost twenty years now: ever since Phil Zimmermann wrote PGP and released it to the world, people have been using it to communicate securely with each other. All serious security vendors have adopted it as the standard for disseminating security updates and information. Here are some examples of software and security software vendors using PGP to communicate securely: Symantec, Apple, and Microsoft.

The problem here is not that ordinary people aren't flocking to use PGP--given a choice, people will almost always take the path of least resistance--but rather that businesses are not offering PGP to customers as a means of secure communication. Instead, they're relentlessly re-inventing the wheel, each one creating its own login and secure messaging system, and leaving the user with a massive collection of passwords to manage.

Foremost among the companies I'm talking about would be financial institutions. They have, after hospitals and clinics, the most sensitive collection of data about their clients. The data they lose, or the information their clients unwittingly give away, could lead to serious financial consequences for a lot of people. Of course, many countries have put in place data protection laws that such businesses must conform to; but these regulations don't help when it comes to phishing attacks, especially those targeting the customer.

It does look like some financial institutions are slowly latching on to the idea of PGP. Citi offers PGP-encrypted email communications, but only with clients who've already started receiving sensitive email. That sounds reasonable; it's probably used to expand the number of clients using PGP in a manageable way.

Merrill Lynch offers CLEAR (Client Electronic Access & Reporting) to its trading partners for secure exchanges. It looks like CLEAR is a system to PGP-encrypt your file, FTP in to a Merrill Lynch server, and send the file across. I think that's about as simple as it gets, if you want to avoid the limitations of email when exchanging large files.

JP Morgan does the same thing, probably for business clients as well.

Wells Fargo is another bank that offers secure email communications (albeit using another common technology) provided someone within the bank wants to use the secure email technology.

The thing is, businesses do need to exchange email with clients. And a lot of these emails have sensitive information: purchase orders, invoices, customer information, and in the worst cases, even credit card and other financial information. The businesses which are most watched for security infractions (like banks) have almost universally adopted nonsensical solutions like deciding not to send email to customers, and instead forcing them to sign up for essentially a new secure electronic messaging service solely between the bank and the customer. Oh, and other complications like security keyfobs with constantly-changing random numbers that must be entered as well as the username and password; or a random number sent by SMS to the customer that must be entered on login.

My contention is that customers would be much better served by, and would greatly appreciate, an industry-wide, compatible security solution for communication instead of all the dime-a-dozen new security schemes dreamt up every day. The industry-wide standard already exists, as I noted previously. It's just that most businesses need to be convinced that this is what customers really want. If you're in a position to do so, I highly recommend you ask your bank if they could send you all bank communications via PGP-encrypted email. This can include account statements, investment statements, credit card bills, tax slips, and a myriad other documents.

If you're new to PGP, there are many resources on the Web to get you started. A simple Google search will turn them up. I highly recommend, though, that you grab this book from the nearest library (or just buy it!) and start using PGP every day in your emails. It's like a flu vaccine: if enough people have it, everyone is protected. It's a big job, but it has to start somewhere.

Next: The Phony Website: Another Solved Problem

Saturday, January 16, 2010

What is this new iPhone 3G S?


The Apple iPhone 3G S is Apple's much-awaited, much-hyped new version of the iPhone. The iPhone is a great device with a sleek interface, top-notch music and video features, and innovative design touches that astonished the world of smartphones and provided its users with the ultimate mobile device, offering high-quality features and a stunning design concept. Furthermore, Apple officials revealed that the S stands for Speed. That's why the iPhone 3G S is expected to be the fastest and mightiest iPhone ever released, thanks to features that enhance its swiftness and performance. The iPhone 3G S combines a mobile phone with touch-screen controls and a breakthrough internet communications device with desktop-class web browsing, maps, and searching into one small and lightweight handheld device.

The iPhone 3G S is available in two memory options: a 16 GB and a 32 GB version. In this freshly launched iPhone, the user gets about 12 hrs (2G) / 5 hrs (3G) of talk time, and 300 hrs of standby time. Its rapid response boosts internet usage duration to 5 hrs (3G) / 9 hrs (Wi-Fi). Apple claims that its latest release offers 10 hrs of video playback and 30 hrs of music playback. It is reported to have created a wave of fervor amongst iPhone fans.

The beautiful Apple iPhone 3G S comes with a built-in camera and video feature that allows the user to capture still photographs and video footage easily with their portable device. Also, if you are watching a video, the irrelevant keys can be removed from the screen, leaving you a larger viewing area. The user can also enjoy a real mobile internet experience on their iPhone. My personal favorite is the feature that automatically knows when the user lifts the phone to their ear and switches off the display to prevent any touch controls from being selected in error.

I am sure even the most non-techy people will love the iPhone 3G S and be completely satisfied with its performance. It is currently priced at around £450 in the UK. For more information visit the official iPhone website at www.apple.com. Enjoy!!!

Monday, December 28, 2009

How to Get a James Cameron Autograph

ACTUALLY, this post is more about how not to get a James Cameron autograph. I just watched the TMZ video of Cameron's encounter with a heckling 'fan' and read John Mayer's article (with video) about it. Watching the video, I just couldn't stop thinking how stupid you have to be to heckle a man like James Cameron. Let me explain.

James Cameron is a person who has (reportedly) spent more than ten years of his life creating a single movie. That speaks to a transcendental level of geekiness combined with artistry. What should we expect such a person to be like? Difficult; a perfectionist; a plain speaker; and capable of feats of incredible genius. What we should not expect: that such a person is a smooth, polished, PR-aware celebrity.

If he happened to be a crowd-pleasing smooth-talker, I at least firmly believe he'd no longer have the required edge needed to make hard-core movies like Avatar, that need titanic (excuse the pun) amounts of dedication.

If you happen to be a fan of his, how do you ask him for an autograph? Short answer: you don't. Instead, you cheer him and ask him, no, pray to him, to make ten more Avatars.

Because, really, what would any sane person rather have: a James Cameron autograph, or an Avatar, Terminator, or Titanic?