If not to protect them, how can you verify that a site is not being spoofed, technically?

-----Original Message-----
From: Dean Anderson [mailto:dean@xxxxxxx]
Sent: Sunday, December 21, 2003 7:29 PM
To: Parry Aftab
Cc: ietf@xxxxxxxx
Subject: RE: [Fwd: [isdf] need help from the ietf list...can someone post this for me? or allow me to post directly?]

People need to rely on their common sense. This isn't a technical problem. It is a social engineering problem. Your best bet is to read Kevin Mitnick's book "The Art of Deception".

Of course, there will be instances where banks will send their customers emails. But you should treat those emails with the same degree of caution that you treat other communications. People are going to buy things over the net, and they'll also get emails with links in them. Not all of those emails are going to be genuine. Not all will be fake, either.

The scenario "your account has been hacked, you need to act fast and give out your confidential financial information" is never a realistic scenario for a financial or other institution. People need to know that when someone tries to rush them, they need to be suspicious. The communication media format used (phone, email, physical presence) doesn't matter. If people are savvy enough to know that the person on the phone or at the door might not really be from the bank, they should be savvy enough to realize that the email they just got might not really be from the bank either.

Common sense usually suggests the right answer to a particular case. But, some people are going to be duped, anyway. People are taken in by "Matchstick Men" (movie with Nicolas Cage playing a con-artist) every day. There is nothing that can be done technically to protect them.

--Dean

On Sun, 21 Dec 2003, Parry Aftab wrote:

> I agree. But frankly many Internet users (if not most) are already
> distrustful and at the same time we want to teach them to be cautious,
> asking them to pull a bank statement and compare telephone numbers when
> they have just been told their account has been hacked and they need to
> act fast, isn't realistic. Is it enough to say "never give out this
> information pursuant to an e-mail, or link sent to you online, or via
> phone for that matter?"
>
> While we can always argue the societal issues, I was hoping you techies
> could help me on hard tech tips :-)
> Parry Aftab
>
> -----Original Message-----
> From: Dean Anderson [mailto:dean@xxxxxxx]
> Sent: Sunday, December 21, 2003 4:45 PM
> To: Mark Smith
> Cc: shogunx; franck@xxxxxxxxx; ietf@xxxxxxxx; parry@xxxxxxxxx
> Subject: Re: [Fwd: [isdf] need help from the ietf list...can someone
> post this for me? or allow me to post directly?]
>
> Most scams involve things that the institutions themselves would never
> do, such as calling you on the telephone or sending an email to have you
> update your confidential financial information.
>
> The email scams are fundamentally no different from telephone scams or
> door-to-door confidence scams, where the "bank" (imposter) calls you and
> asks you for confidential information. The real institution already has
> this information, and they don't need it again.
>
> The question of how to verify the Website is the wrong question to ask.
>
> Assume you can't verify it, and instead get the website address, phone
> number, etc. from your genuine bank statement. If you get something
> unusual or confusing, print it out and take it to your financial
> institution.
>
> --Dean
>
> On Sun, 21 Dec 2003, Mark Smith wrote:
>
> > And don't trust emails asking for sensitive information. Verify their
> > requests independently via the phone, for example, and just _don't_
> > use a phone number that is supplied in the email.