Let's go phishing
Phishing sucks. There’s very little we can do to prevent it, and once it happens it can take days before the situation is resolved.
Everyone’s heard the phrase, “the best defense is a good offense”. So could we go on the offensive against phishers? And by offensive, I mean launch a brute force denial of service attack against the offending site.
We could write a small web-based program and give it to any participating CU to load onto one (or all) of their web servers. When a CU in the coop gets phished, they log on to a secure server and initiate a new attack. The main site/program would kick off the clients installed on the other CUs’ web servers and initiate an attack against the offending server, hopefully bringing the phishing site to its knees.
Yes, there are massive security concerns with this. What if a hacker gains access to our secure server and uses all of the participating CUs to launch an attack against a valid web site? What if a phisher hacks into a genuine business site and phishes from there? We’d bring down both the phishing site and the valid business site. The list goes on… On the other hand, wouldn’t it be nice for the CU industry to have a tool for immediate use to stop phishers?
Update: I must give credit where credit is due. One of my co-workers, Alex, and I spoke about this idea months ago. Great thinking, Alex!

I would very much agree with you, although it should be pointed out that such a tactic would be illegal. Just because a thief breaks into your house and steals your TV doesn’t make it legal to break into his house and beat the hell out of him.
What’s wrong with using something like the SiteKey that Bank of America implemented? Seems like an effective (and legal) way to prevent phishing to me…
You’re right, it does seem pretty illegal, but it would work very quickly to shut down the offending site. As far as B of A goes, go check out our previous post here.