Anti-phishing code. Why is it not a common security measure?

A unique set of characters that you set up to receive in the email body from a specific company, so that you’re sure that if the code is absent, it’s definitely phishing.

Why is it common only in crypto services? Is there a list of companies that support it?

Because DKIM, DMARC and SPF already exist, but I guess that isn’t woah web3!!! enough for crypto “services”.

2 Likes

I get it, but it isn’t inside the body of the message. So there is nothing actionable on the end user’s part.


@Iluvinatum your problem is, if that is a static set of characters, that same unique set of characters can be acquired, say, if you correspond with said company.

The problem is, if you randomize it, it’s another step for the user to verify “security”. It’s bothersome and normies don’t really care to verify it: see XKCD 1181.

Tech-savvy people won’t use email for normal quick messaging.


Also, BIMI is a thing that wants to take off. Then you get to XKCD 927.

1 Like

XKCD 927

If it’s a truly scary/serious email, the user at least is able to verify the unique code (in a password manager).

Tech-savvy people won’t use email for normal quick messaging.

Most emails are one-sided communication from companies.

that same unique set of characters can be acquired

By communicating with nefarious employees, or via a company breach if it’s not encrypted (or was decrypted), I guess.

The idea is to verify that an email IS 100% phishing.
Not to verify that an email 100% is NOT phishing.

Any decent email client will let you look at the headers, so yes, an end user can action it.

1 Like

That, and let’s not forget this is a static secret, which is a bad idea. There is no need for a static secret, and this only increases the risks if it ever leaks. We should not build trust on weak systems like this.

2 Likes

Gmail (privacy aside) definitely slips phishing into inbox.

Please explain to me like I’m 5 how “DKIM, DMARC and SPF” substitute for an anti-phishing code here. Why is the absence of it more secure?

  1. the sender sends email from a domain
  2. the email client validates that the sender is “right” for the domain
  3. if the email came from the known domain for the website you don’t want to get phished on and the checks pass, it’s all good

If someone’s trying to spearphish you, this doesn’t work out as well, but for lower-skill phishes, regular DNS-based email security is more than enough.

3 Likes

If you configure SPF so that mail from unauthorised servers is advised to be dropped, the emails will not arrive in your inbox.

This requires that the sending domain is configured correctly and that you use an email provider that handles SPF correctly. Gmail does. A secret code is a crazy non-standard that really should not have any status. It is a complete nonsense “solution” from companies who are unwilling to actually implement SPF correctly, because they do not know how to cope with their own email and DNS configurations.

For configuration see e.g. How To use an SPF Record to Prevent Spoofing & Improve E-mail Reliability | DigitalOcean

3 Likes
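The two posts above describe the receiver-side flow (check the sender against the domain’s DNS policy, reject on a hard fail, deliver otherwise) and the difference a correctly configured SPF record makes. The following is an added example, not code from any post in this thread: a minimal SPF evaluator over a constructed, inline DNS table (no network), followed by the receiving-MTA decision that combines the SPF result with a DMARC-style alignment check between the envelope sender and the header From. The domains (example.com, _spf.mailer.example, softfail.example, attacker.example), the IP addresses and the sample messages are all made up for the example; only the ip4, include and all mechanisms are implemented.

```python
"""Added example: minimal SPF evaluation plus the receiver's verdict.

Not from any post in the thread. DNS data, domains, IPs and messages
below are constructed for illustration.
"""
import email
import ipaddress
from email.utils import parseaddr

# Constructed TXT records standing in for real DNS lookups (assumed data).
# example.com authorises its own /24 and a bulk-mail provider, and ends in
# "-all" (hard fail); softfail.example ends in "~all" (soft fail).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "attacker.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                    # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # a bare address is treated as a /32
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the included record itself passes
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


def domain_of(address_header):
    return parseaddr(address_header)[1].rsplit("@", 1)[-1].lower()


def receiver_verdict(raw_message, sender_ip):
    """What a receiving MTA does with the message.

    SPF is evaluated for the envelope sender (Return-Path). A simplified
    DMARC-style alignment check then requires the envelope domain to equal
    the header From domain, which is what stops an attacker from passing
    SPF for their own domain while displaying the victim brand in From.
    """
    msg = email.message_from_string(raw_message)
    env_domain = domain_of(msg["Return-Path"] or "")
    from_domain = domain_of(msg["From"] or "")
    spf = check_spf(env_domain, sender_ip)
    if spf == "fail":
        return "reject"                  # "-all": mail never reaches the inbox
    if spf == "pass" and env_domain == from_domain:
        return "deliver"
    return "deliver-flagged"             # softfail, none, or misaligned From


# Constructed sample messages for the cases discussed in the thread.
LEGIT = (
    "Return-Path: <bounce@example.com>\n"
    "From: Example Security <security@example.com>\n"
    "Subject: Your account\n\nAll good.\n"
)
SPOOF_DIRECT = LEGIT  # identical headers, but sent from an unauthorised IP
SPOOF_MISALIGNED = (
    "Return-Path: <bounce@attacker.example>\n"
    "From: Example Security <security@example.com>\n"
    "Subject: Urgent: verify now\n\nClick here.\n"
)

if __name__ == "__main__":
    print(receiver_verdict(LEGIT, "203.0.113.7"))           # deliver
    print(receiver_verdict(SPOOF_DIRECT, "192.0.2.1"))      # reject
    print(receiver_verdict(SPOOF_MISALIGNED, "192.0.2.1"))  # deliver-flagged
```

The third case is the one SPF alone cannot catch: attacker.example publishes a perfectly valid record for its own servers, so SPF passes, and it is only the alignment between the envelope domain and the displayed From domain (the check DMARC adds) that flags it. Swap example.com’s record for the softfail.example one and the direct spoof goes from "reject" to "deliver-flagged", which is the difference the post above is pointing at.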

Also, in addition to DNS config checks, email clients should signal to a user when they receive emails from a domain that they never received email from before, like:

[image]

This alarms the user about possible fake domains far better than the fact that the email may not include some code, which a user in the panic caused by phishing surely will not think about before it is too late.

Phishing works by causing stress on a user to quickly do something that is urgent; most people click because they are rushed and caught at the wrong moment. They surely will not think about that code that is sometimes in the emails of the company but is not in their newsletters because they couldn’t figure out how to include it there, etc.

All in all, this “anti-phishing” code really is a bullshit measure, just wasting users’ time and abused by companies who start blaming the user for not verifying it. It is just designed for blame shifting and making the user responsible for something they aren’t.

3 Likes
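The post above asks for a first-contact signal in the client rather than a code the user has to remember to look for. As an added example, not code from any post in this thread, here is that check over a constructed sender history, extended with a lookalike test (edit distance to a domain the user already knows, and a punycode label flag) so that a fake domain close to a familiar one is called out more strongly than a merely new one. The known-domain set, the sender addresses and the message bodies are all made up for the example.

```python
"""Added example: first-contact and lookalike-sender warning for a mail client.

Not from any post in the thread. The mailbox history and addresses are
constructed for illustration.
"""
import email
from email.utils import parseaddr


def sender_domain(raw_message):
    """Domain of the header From address, lower-cased."""
    msg = email.message_from_string(raw_message)
    return parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a known domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_contact_warning(known_domains, raw_message):
    """Return None for a known sender, else a (level, detail) tuple.

    level is "lookalike" when the new domain is within two edits of a domain
    the user has corresponded with before, or carries a punycode (xn--)
    label, and "new" for any other never-seen domain.
    """
    domain = sender_domain(raw_message)
    if domain in known_domains:
        return None
    nearest = min(known_domains, key=lambda k: edit_distance(domain, k), default=None)
    if nearest is not None and edit_distance(domain, nearest) <= 2:
        return ("lookalike", f"{domain} resembles known sender {nearest}")
    if any(label.startswith("xn--") for label in domain.split(".")):
        return ("lookalike", f"{domain} is an internationalized (punycode) domain")
    return ("new", f"first message from {domain}")


# Constructed history: domains this mailbox has received mail from before.
KNOWN = {"example.com", "bank.example", "colleague.example"}


def make_message(from_header):
    """Build a minimal raw message with the given From header (constructed)."""
    return f"From: {from_header}\nSubject: hello\n\nbody\n"


if __name__ == "__main__":
    # known sender, "l" swapped for "i", punycode label, genuinely new vendor
    for sender in ("Security <security@example.com>",
                   "Security <security@exampie.com>",
                   "Support <help@xn--bnk-example.example>",
                   "Vendor <sales@newvendor.example>"):
        print(sender, "->", first_contact_warning(KNOWN, make_message(sender)))
```

The point of keeping the history keyed on the From domain rather than the full address is that the warning fires on the thing the phisher has to change: they can pass SPF for a domain they control, but they cannot make that domain one the user has already exchanged mail with.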

Yahoo! did this two decades ago: they’d make you pick a certain picture and show it to you when you logged in. If it didn’t show up, it was an impostor page.

The reason why is that the user can still be social engineered, or the attacker can just proxy the real page.

3 Likes

crying in OCSP stapling :sob::sob:

1 Like

Delegating security to the end user ain’t smart.

I’m not sure if we need services like this, especially because it’s very easy to spoof.

On the other hand, I am not sure what Microsoft uses for Outlook, but it’s been a while since I have seen a phishing scam in my inbox. That being said, their scam/phishing email detection is so strong that sometimes I do not receive emails from a few domains because Microsoft has flagged them as spam. I’m not talking about their email going to spam, I’m talking about their email getting rejected.