Security 2 - Phishing

< CS101

2. - Phishing Attacks

Here is an example phish site from one of the many paypal phishing emails in my inbox:
phishing site to steal paypal username and password

Probably the most common form of attack. The email is forged to appear from someone you might trust -- including logos etc -- I have gotten ones which I personally found quite convincing. I had to slow down and really pay attention to realize that it was a phishing attempt. It does not help that ATT, Schwab, Citigroup, etc. do in fact send you email all the time about your accounts.

Fake ATM Machine -- Real World Analogy

Criminals put up a fake ATM machine made of plywood in front of a real ATM, with a "under construction" sign. The victim would put their card into the fake ATM and type in their PIN. Then the machine would print an "out of order" message and give the card back. The bad guys in this way collected all the card numbers and PINs and drained the accounts over the weekend. This is a nice real-world analog of fake-site phishing.

Avoiding Phishing

Avoiding Phishing - URL / typing

Email Phishing vs. 2016 Election

HTTPS

HTTPS is the "secure" http variant, https://www.ebay.com/. In particular, the server must hold a certificate which is verified beforehand by an authority that the server really represents www.ebay.com or whatever. You have to pay money and file some paperwork to get an https certificate -- hard for a bad guy to do, although not impossible. The idea with https is that the user can see the identity of who they are talking to. In the browser interface, https is typically accompanied by a little lock icon, and some banks etc. mention to their users to look for the lock. Having users pay attention 100% of the time is not a perfect security solution, but it helps.

Encryption vs. Bad Guy Packet Eavesdropping

logging into schwab.com at Starbucks to show https

When you go on to wifi and visit a web page and type something in ... the packets for all that are just being broadcast in the room, so anyone nearby can observe the packets, listening in (recall the ethernet-packet-broadcast material from the networking section). For the most part, this is harmless. In some cases, say when you are typing in a credit card number, you want the communication to be encrypted (encoded), so that someone listening in cannot read it. The https scheme above also does encryption, so you will notice that when you go the page to type in a credit card number, the url begins with "https://". On such page, all the packets are encrypted, so someone can listen and see the packets, but they will appear to be random garbage. The eavesdropper cannot unscramble the packets to see what's inside, or forge a packet. So Https blends two security provisions -- (a) verifying that it really is the www.mybank.com or whatever server on the other end and (b) encrypting all the packets of the communication.