{"id":183,"date":"2006-11-14T14:28:48","date_gmt":"2006-11-14T22:28:48","guid":{"rendered":"http:\/\/netmesh.info\/jernst\/uncategorized\/phriend-phishing"},"modified":"2006-11-14T14:28:48","modified_gmt":"2006-11-14T22:28:48","slug":"phriend-phishing","status":"publish","type":"post","link":"https:\/\/upon2020.com\/blog\/2006\/11\/phriend-phishing\/","title":{"rendered":"Phriend Phishing"},"content":{"rendered":"<p>Everybody knows about <a href=\"http:\/\/en.wikipedia.org\/wiki\/Phishing\" target=\"_blank\">phishing<\/a> these days: the attempt by an attacker to trick a victim into revealing information to them by masquerading as somebody else. For example, a site called <tt>exampl&eacute;.com<\/tt> might attempt to pretend to be site <tt>example.com<\/tt>. It is often initiated by e-mail, whose sender address can be easily falsified, and often works with those victims who have an existing relationship with <tt>example.com<\/tt>.<\/p>\n<p>A novel variation is beginning to make the rounds that I&#8217;d like to call <b>phriend phishing<\/b>: the attacker masquerading as another individual that is known to the victim.<\/p>\n<p>For example, let&#8217;s say you are my buddy, and like me, you frequent social networking website <tt>example.net<\/tt> (I actually don&#8217;t visit that particular site, for good reasons ;-) but this is just an example). This social networking site allows you to create private groups, such as &quot;my buddies&quot; whose content is not accessible to non-members. I have a unique user handle at this site, say <tt>jollyfellow<\/tt>. The phriend phisher attacks you by creating a user handle that&#8217;s very similar to mine, say <tt>jolly.fellow<\/tt>, and gets you to approve his request to be part of your private group, because you think it is me. It is an attack because he&#8217;s now able to access information that he should not have access to; depending on the group, that may open up all sorts of nasty &quot;business opportunities&quot; for the attacker.<\/p>\n<p>There is an even more effective avenue for this: some sites believe that they should print more &quot;human&quot; identifiers (such as first and last name) instead of unique user handles. If a site does this, nothing prevents the attacker from simply calling himself <tt>Johannes Ernst<\/tt> using any user handle that they choose, which makes the attack even more successful. Many non-techie users would need a lot of education to even understand what the problem is here.<\/p>\n<p>I&#8217;m bringing this up because of our work around the <a href=\"http:\/\/openid.net\/\" target=\"_blank\">OpenID User Experience<\/a>. As user-centric identity, like OpenID, is intended to empower the individual and make them safer on-line, this type of attack is one that we definitely need to build defenses against. I figured it needed a description and a name.<\/p>\n<p>P.S.: How do you like it? [the name]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everybody knows about phishing these days: the attempt by an attacker to trick a victim into revealing information to them by masquerading as somebody else. For example, a site called exampl&eacute;.com might attempt to pretend to be site example.com. It is often initiated by e-mail, whose sender address can be easily falsified, and often works&hellip;<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"webmentions_disabled":false,"footnotes":""},"categories":[60],"tags":[],"class_list":["post-183","post","type-post","status-publish","format-standard","hentry","category-digital_identity","kind-"],"kind":false,"_links":{"self":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/comments?post=183"}],"version-history":[{"count":0,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/posts\/183\/revisions"}],"wp:attachment":[{"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/media?parent=183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/categories?post=183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/upon2020.com\/blog\/wp-json\/wp\/v2\/tags?post=183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}