BPR: Infosec risk reduced by proper engineering

http://www.itgovernanceusa.com/blog/new-icloud-phishing-campaign-discovered/?utm_source=Email&utm_medium=Macro&utm_campaign=S01&utm_content=2015-01-16

New iCloud phishing campaign discovered
February 13, 2015 by Lewis Morgan

*** begin quote ***

This is a cheeky one. Cyber thieves have been caught red-handed sending out phishing emails that are designed to steal financial information.

*** end quote ***

I NEVER have this problem.

I have my own domain.

I designed my approach around the only thing constant — the email address.

Not the one in the header, which can be and often is forged. But the delivery address. It’s got to be authentic, otherwise how is it going to get to you?

By using your own domain, you give the BANK an email address for you of “BANK @ reinke.cc”.

Then, anything that purports to be from the BANK, that does NOT come in on that address, is fraudulent.

Laugh. It doesn’t matter how authentic it looks, it CAN NOT come in on “their address” (i.e., the one I assigned them).

Needless to say since I can create an unlimited number of these, and they all sort by a wild card rule in a catch all mail box, it’s a trivial system to maintain.

So go ahead ne’er do wells, spam, phish, and con all you want, you can’t pretend to be my bank unless you crack the BANK and get the email address assigned to them. 

Oh, and BTW, I used “bank@” as an example. In practice, the “address” is more complex than that. “Bank” may actually be “9B94VPp8HhEU”.

But then what do you expect from a fellow whose Mom’s Maiden Name might be “UmuCZDBpB5FY” and whose first car was a “xF9DxMQk8CfK”?

Laugh!

The sad part is that this is such a simple and easy process to implement, but, despite the number of times I have blogged it, talked about it, and demonstrated it, folks just don’t care enough to take such a simple step.

It’s all about simplicity and clarity.

— 30 —