Yesterday, I talked about the UK Government's ITsafe security alerts system, and how it uses a "safeword" in an attempt to reduce spoofing attacks. I have some concerns:
- This doesn't reduce the perceived authority of spoofed messages; it only increases the authority of legitimate messages.
- The safeword may be stolen by hackers, whether by spyware, packet sniffing, or an "inside job."
- There seems to be no way to periodically change the safeword, as one should with a password.
The reality is that this sort of weak measure can lead to a false sense of security. Arguably, that's worse than no measures at all.
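To make the second and third concerns concrete, here is an added example (my own, not code from the post or from ITsafe) that contrasts a static shared safeword with a per-subscriber message authenticator. The safeword value, the `Subscriber` keyring, and the `sign`/`verify` functions are all assumptions for illustration; the point is that once a static word leaks, every message carrying it passes, and nothing can be rotated or retired, whereas a keyed tag over the message body fails on forged or altered text and can be rotated per subscriber.

```python
import hashlib
import hmac
import secrets

# Constructed value standing in for a static shared safeword of the kind
# the post describes; it is not a real ITsafe value.
SAFEWORD = "example-safeword"


def safeword_check(message: dict) -> bool:
    """The static-safeword model: a message is trusted if it carries the word.

    Once the word leaks (spyware, sniffing, insider), every forged message
    that includes it passes this check, and there is no way to revoke it.
    """
    return message.get("safeword") == SAFEWORD


class Subscriber:
    """Hypothetical per-subscriber keyring supporting rotation and retirement."""

    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate(self) -> int:
        """Issue a new key version; older versions stay valid until retired."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        """Retire a version so any message tagged with it is rejected."""
        self.keys.pop(version, None)


def _tag(key: bytes, version: int, body: str) -> str:
    # The key version is bound into the tag so a tag cannot be moved
    # between versions.
    return hmac.new(key, f"{version}\n{body}".encode(), hashlib.sha256).hexdigest()


def sign(sub: Subscriber, body: str) -> dict:
    """Sender side: bind the body to the subscriber's current key."""
    version = sub.current
    return {"key_version": version, "body": body, "tag": _tag(sub.keys[version], version, body)}


def verify(sub: Subscriber, message: dict) -> bool:
    """Receiver side: recompute the tag with the named key version."""
    version = message.get("key_version")
    key = sub.keys.get(version)
    if key is None:
        return False  # unknown or retired version
    expected = _tag(key, version, message.get("body", ""))
    return hmac.compare_digest(expected, str(message.get("tag", "")))


def demo() -> dict:
    """Run both models against a genuine, a tampered, and a forged message."""
    sub = Subscriber()
    genuine = sign(sub, "A patch is available from the official site.")
    # Constructed attacker messages: one alters a genuine body, one carries a
    # stolen safeword but no valid tag.
    tampered = dict(genuine, body="Install the attached patch now.")
    forged = {"safeword": SAFEWORD, "body": "Install the attached patch now.",
              "key_version": 1, "tag": "0" * 64}
    results = {
        "safeword_accepts_forgery": safeword_check(forged),
        "hmac_accepts_genuine": verify(sub, genuine),
        "hmac_rejects_tampered": not verify(sub, tampered),
        "hmac_rejects_forgery": not verify(sub, forged),
    }
    old = sub.current
    sub.rotate()
    results["old_key_valid_until_retired"] = verify(sub, genuine)
    sub.retire(old)
    results["old_key_rejected_after_retirement"] = not verify(sub, genuine)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry `demo()` returns is `True`: the safeword check waves the forgery through, while the keyed tag rejects both the tampered and the forged message and stops honouring a key once it is retired. Note that this addresses only the theft and rotation concerns; it does nothing about the first one, since a spoofed message that omits any authenticator can still look authoritative to a reader who never checks.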
Imagine the situation if virus writers managed to steal the ITsafe signup database. They could spam consumers, pretending to be the UK Government. Their messages could contain a dire warning that recipients must install a patch.
- Naturally, the patch would contain a virus.
- Naturally, the text of the message would employ the usual, proven social engineering tricks of such virus vectors.
- Naturally, a significant percentage of consumers would be fooled into installing the virus.
Would the presence of the "safeword" make the consumer more likely to take the bait? I think so.