Linked-In bait


I noticed a recent uptick in e-mail spam that looks like Linked-In invitations. When I received the first such message I actually opened it and looked to see if I recognized the person soliciting the connection. When that message was followed by the flood of variations characteristic of other spam campaigns, I stopped reading them. While I am sure that my spam filter will eventually learn to remove such messages, there is, in fact, a better way to handle such situations: there's an app for that.

This is not a plug for the Linked-In iPhone app; it's a nice app, but nothing extraordinary. Rather, this episode of receiving spoofed e-mails made me think that apps installed through a vetted channel may offer an effective mechanism to avoid phishing attacks. Each app communicates with the service provider through its own dedicated connection, reducing the likelihood that someone will be able to interpose themselves in that communication.

Since many phishing attacks attempt to get people to sign into faked bank accounts, I wonder if that industry could be made more secure through dedicated apps. Taking this one step further, might it not make sense for banks to distribute their own client software through which customers could transact business instead of using the browser which is much more susceptible to phishing and other exploits?

Of course this solution is not a panacea: man-in-the-middle attacks are still possible through compromised Wi-Fi networks, and the physical security of the device would need to be guarded better. Nonetheless, these other forms of attack seem considerably more involved and more expensive compared to sending out mass e-mails.


4 Comments

  1. Since Chase came out with their iPhone app, I stopped going to the bank altogether. Makes me wonder at what point in the future physical bank locations will become obsolete. Probably when we stop paying for things with cash.

  2. It seems to me that there’s a more general social engineering issue here. I’ve learned, for example, that I should initiate any communication involving my personal finances. On one occasion, that led me to refuse a legitimate call from my bank. I then called the bank myself–at a phone number I knew was legitimate. Similarly, if I receive an email from a bank, I know I can type in the bank’s URL manually if I have even the slightest suspicion about the message’s authenticity.

    Put another way: why install an app when all you really need is a bookmark and SSL?

  3. I don’t think you need to use an app to achieve the private channels you want. Suppose your vendors started digitally signing their email. Your mail client could keep a list of your vendors and show you the “secure connection padlock” if the mail you are looking at is from a vendor in your approved list. If you see a mail purporting to come from such a vendor, but the padlock is open, you know it’s spam.

  4. I think it’s certainly possible to set up schemes by which you establish a relatively secure browser-based connection to a remote service. But such schemes require more vigilance on the part of the user, and, therefore, they are vulnerable to mistakes when the user is not paying enough attention. Having a deliberate, different channel makes it less likely that a person might mistakenly type the wrong URL or misread the location (and thus the significance) of a small icon.
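Comment 3 sketches a mail client that keeps an approved-vendor list and shows a padlock only when a message from a listed vendor carries a valid signature. The block below is an added illustration in Go, not code from the post or any commenter; it assumes each vendor publishes an Ed25519 key, that the signature covers the From header and body, and uses constructed vendor and message values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)
// Indicator states for the hypothetical mail-client padlock.
const (
	PadlockClosed = "closed" // approved vendor and the signature verifies
	PadlockOpen   = "open"   // claims an approved vendor but signature missing or bad: spam
	PadlockAbsent = "absent" // sender domain is not on the approved list at all
)
// Message is a simplified e-mail: From header, body, detached signature over "From\nBody".
type Message struct {
	From, Body string
	Signature  []byte
}
// Vendors maps an approved sender domain to the vendor's published public key.
type Vendors map[string]ed25519.PublicKey
func signedBytes(from, body string) []byte { return []byte(from + "\n" + body) }

func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// Padlock picks the indicator: From is only a lookup key, trust comes from the signature.
func Padlock(approved Vendors, msg Message) string {
	key, ok := approved[domainOf(msg.From)]
	if !ok {
		return PadlockAbsent
	}
	if ed25519.Verify(key, signedBytes(msg.From, msg.Body), msg.Signature) {
		return PadlockClosed
	}
	return PadlockOpen
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	approved := Vendors{"linkedin.example": pub}
	genuine := Message{From: "invites@linkedin.example", Body: "Connect?"}
	genuine.Signature = ed25519.Sign(priv, signedBytes(genuine.From, genuine.Body))
	spoof := Message{From: "invites@linkedin.example", Body: "Click here"} // unsigned
	fmt.Println(Padlock(approved, genuine), Padlock(approved, spoof)) // closed open
}
```

A spoofed message that copies the vendor's From address still lands on "open" because the forger cannot produce a signature under the vendor's key, which is the distinction the comment's padlock relies on.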
