rentzsch.com: tales from the red shed

Feeds for Anti-phishing

RSS
I mentioned I'd like more feeds in my life. I didn't realize it when I wrote it, but apparently the feeds all share the characteristic that they're personalized.

Today, most feeds aren't personalized. I don't see a time when the majority of feeds will be personalized, but I do see the percentage skyrocketing as RSS becomes more popular in general. Indeed, I'm sure the majority of traffic for some feed providers will be personalized.

Upon reading my feed request entry, Steve Dieringer tossed me an interesting question. Steve, a banking consultant, wondered if RSS -- as a means of financial/commerce sites communicating with their clients -- is immune to phishing.

Phishing is the widespread act of mass-emailing deceptive messages for the purposes of harvesting account login information. You know it's widespread when even Forbes puts it on their cover. The typical targets are financial and commerce sites.

The fundamental technology underlying phishing is the pushing of fraudulent information to unsuspecting victims. However, the technology of feeds is pull -- the same technology successfully used today for commerce and financial sites.

Now, I'm not claiming pull is immune from attacks -- for instance, spoofing is a real issue. Instead, I'm merely claiming that if a company uses feeds to communicate with their clients, an entire class of attack just goes away.
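As an added illustration of why the pull model closes off mass-mailed lures while spoofing stays in scope (example code written for this page, not from the original post): a reader that fetches only a feed URL it pinned out-of-band and treats any item link that leaves that HTTPS origin as suspect. The feed document, the `bank.example` hostnames and the function names are constructed for the example.

```python
"""Origin check for items of a pulled feed (added example, not rentzsch.com code).
Assumption (not from the post): the reader pinned an HTTPS feed URL obtained
out-of-band, and trusts an item's <link> only if it stays on that origin."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SUBSCRIBED_URL = "https://bank.example/feeds/alerts.rss"  # pinned by the reader

# Constructed sample: one legitimate item, one lookalike host, one plain-http link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Bank of Example alerts</title>
  <item><title>Statement ready</title>
        <link>https://bank.example/statements/2004-12</link></item>
  <item><title>Verify your account</title>
        <link>https://bank.example.login-check.example/verify</link></item>
  <item><title>Card update</title>
        <link>http://bank.example/cards</link></item>
</channel></rss>"""


def link_verdict(link, subscribed_url=SUBSCRIBED_URL):
    """Return 'ok' only if link is https on exactly the subscribed host.
    Exact comparison (not endswith) rejects lookalikes such as
    bank.example.login-check.example."""
    sub = urlparse(subscribed_url)
    target = urlparse(link.strip())
    if target.scheme != "https":
        return "suspicious: not https"
    if target.hostname != sub.hostname:
        return "suspicious: off-origin host %r" % target.hostname
    return "ok"


def check_feed(feed_xml, subscribed_url=SUBSCRIBED_URL):
    """Parse an RSS 2.0 document and classify every item's link."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", default=""),
             item.findtext("link", default=""),
             link_verdict(item.findtext("link", default=""), subscribed_url))
            for item in root.iter("item")]


if __name__ == "__main__":
    for title, link, verdict in check_feed(SAMPLE_FEED):
        print("%-20s %-55s %s" % (title, link, verdict))
```

The check is deliberately strict: a lookalike host is only rejected because the comparison is exact, and a plain-http link is rejected even on the right host, since it is exactly what a spoofed feed or a tampered connection would carry.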

Incidentally, it's probably the most common attack used today. As an added bonus, these attacks are damaging to the company's image. It makes sense: you aren't getting positive PR when thousands of fraudulent messages purport to be from you, even when it's Not Your Fault.

This is the litmus test. Email certs aren't going to happen. You have companies like eBay and Citi whose names are stolen by the thousands on a daily basis, and they still won't digitally sign their authentic outgoing email. There's probably no one reason why they're not doing it: lack of good recipient support for verification, clueless IT leadership, people aren't calling them up demanding PGP armor. Still, for whatever reason, it's just not happening.

Built-in phishing resistance is just another feature of feeds, but it may be the Killer App for the commerce and financial industry. Somebody, wake them up and let's kickstart the feed revolution all the way to Aunt Tillie.

Saturday, December 04, 2004
11:59 PM