Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (Hardcover, Wiley-Interscience, ISBN 0471782459).
This Hardcover Book item from Wiley-Interscience was reviewed on 25-Oct-2008.
1) Hardcover Book Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft by Wiley-Interscience. Phishing and Countermeasures is the best (and only!) extensive resource on phishing for researchers that I'm aware of. The book not only applies to technical security researchers, but also to those interested in researching phishing from other vantages -- such as the social, legal, or policy-oriented implications. Also, the book does an excellent job of considering more cutting-edge trends, such as the impact of additional social context in phishing attacks. This book absolutely belongs on the desk of anyone with serious interests in both understanding and combating phishing.

2) "Phishing and Countermeasures" (P&C) does an excellent job of summing up the state of phishing attacks and research. It describes -- in depth -- technical attacks and countermeasures to the attacks, presenting both points of view in an extremely complex problem.
Phishing is not a simple technical or social exploit; it is a process. P&C breaks the process down into little bits, describing in depth how each portion accomplishes its goals. They show technical and social techniques used by phishers, and then delve into theoretical extensions of phishing attacks, including context-aware attacks (spear phishing) and other advanced data gathering techniques (browser history snooping, acoustic keyboard monitoring, etc.). They make it obvious to a reader that phishing is not a simple problem, and also that it is not yet fully understood.
The sheer volume of countermeasures, coupled with the fact that I get new phishing emails daily, simply backs up the book's claim on phishing's complexity. There is no one technical solution to phishing attacks; there are LOTS of them, and this book provides an encyclopedic view of the myriad technical countermeasures, complete with analysis of what the countermeasures can and cannot accomplish.
Aside from looking at technical and human-oriented design countermeasures, P&C presents a legal and ethical look at understanding Phishing. Usually lacking from texts like this, coverage of legal and ethical issues rounds the book out nicely.
Do not read this book if you expect to learn how to completely stop Phishing attacks. Phishing is not a solved problem, so the solutions presented within are helpful measures only -- they make it harder for Phishers to succeed. The book does, however, explain some tools and techniques you can use to help significantly shrink the chance that you will be phished.
You should read this book if you are interested in the path research scientists are taking to understand and attempt to block the growing phishing problem. As a non-technical expert, you can get immense value out of the introduction and future chapters, as well as the brief summaries present before each technical section or case study. This book reads well and presents a wealth of important information.
3) Phishing is a dangerous phenomenon. But only in recent years has it become common. Another way of seeing this is to note that this book is only the third devoted to phishing. The first two were published in 2005. (Whereas generic spam was already sufficiently a problem in 1998 that a book appeared then, with some primitive antispam methods.) Jakobsson and Myers have assembled a formidable set of articles that define phishing, its dangers and countermeasures. The text explains why phishing stands separate from spam, in part because it is always fraudulent, whereas some spam actually offers real goods and services.
Concerning dangers, Jakobsson and others describe experiments where they sent simulated phishing messages to university students. Response rates were disturbingly high. This from an educated group! The book also cites other studies which reveal that phishing messages and their websites can be very professionally done, and can sometimes fool even experts.
However, the countermeasures described in the book have severe disadvantages, some of which, though not all, are described in the text.
Consider making a blacklist of known phishing sites. This might be done at some central website. With a browser toolbar distributed to users, so that when a user goes to some URL, the toolbar checks the domain against the blacklist, which it gets from the central site. But phishing tests the very concept of a blacklist to destruction. Phishers can subvert many computers, scattered across the Internet, to act as fake websites. So identifying one of these as a phishing site has little efficacy.
Plus a blacklist is inherently reactive. How is a website classified as phishing? Often, if not invariably, by manual scrutiny. But after the phisher has turned on the site, and sent out messages linking to it. This allows a zero day attack.
Yet another problem is the lack of good net coverage, to identify (even if only tardily) many phishing sites. Chapter 14, on social networks, describes improving coverage with a social network, using the Net Trust toolbar. However, the social networks cited tend to be small, reducing coverage. The toolbar tries to improve on this with supplemental blacklists from some central sites. The problem remains. In general, you need many in a social network for good coverage. But this gives rise to some users accidentally or deliberately misclassifying websites as phishing or not. Where the accidentals might be due to subjective assessments of websites, and the deliberates to phishers infiltrating the social network.
Another method uses a two-factor device ("fob") to generate one-time passwords (OTPs), typically issued by a bank to its customers. Costly. One American bank pays about $50 per fob, and passes some of this on to its customers who want the fob. It takes a loss on each fob, and thus cannot mandate that all its customers use them. Chances are that other banks (including non-US ones) have similar experiences. Also, the book does not discuss the scaling problems with a fob. Suppose you have several bank accounts, plus a brokerage account, and a retirement account, and one with an insurance company. And suppose you use a big online auction site, and that all these issue fobs. Really cumbersome. Especially if you will access those accounts when travelling.
Another method for identifying phishing messages uses Bayesians and similar content analysis on the message text. This idea is taken from tackling generic spam. But Bayesians work best when there is a clear content separation between spam and non-spam. Phishing messages hew closely in their word choices to actual messages or web pages of the real sites.
Another approach for messages is to look at the enclosed links. Various heuristics are used. Does the link have a raw address? What country is the website in? Etc. Also, the web page that is linked to might be analysed for other heuristics. Subjective and weak. None by itself is conclusive. So typically, the number of heuristics in a message is toted up to improve the prediction, and if it is above some threshold, then the message is (perhaps) phishing.
Yet another approach uses image passwords, to help you recognise the real bank's website. But while an image may be easier to remember than text, it is still another item to remember. One that scales with the number of websites that use this method, and that you have accounts at.
But there is another type of phishing, which is not described but can be expected. Where the message does NOT claim to be from your bank. It purports to be from another bank, asking you to open an account. With a link to a page where you enter all the necessary details about yourself. Another variant is an application for a credit card, from a supposed bank. Sidesteps any fob or passwords (text or images) you have at your banks.
What is lacking is a solution with these properties:
1. Objective. No subjective heuristics.
2. Lightweight. No heavy cryptography. Deployable globally, with no import/export restrictions.
3. No special hardware.
4. Very little (or no) manual effort by the user.
5. No extra user passwords.
6. No zero day attack.
7. Analyses messages and websites in essentially the same way. Some methods in the book work only against websites, and not against messages read in a browser. But if the user clicks on a link in a message, that goes to a phishing site, then she is already at risk, even if another method suggests that the site could be phishing.
8. Objectively classify a message from a company that you do not have an account at.
9. Enables verified advertising. So a company can send out messages, with links to co-marketing partners.
The last reason is very important. We have seen on the Web how an advertising channel can be a significant business and produce a large market cap.
Such a solution exists. Outside the ken of the book's methods, and conceptually discontinuous.

4) Phishing and Countermeasures discusses how and why phishing is a threat, and presents effective countermeasures. Showing you how phishing attacks have been mounting over the years, and how to detect and prevent current as well as future attacks, this text focuses on corporations who supply the resources used by attackers. The authors subsequently deliberate on what action the government can take to respond to this situation and compare adequate versus inadequate countermeasures.

Page Updated: Robert N. Goolsby, 22-Nov-2008.