Account Security Improvements Part 1 - Phishing
Greetings Internet Space Pilots!
This is the first in what will be an indeterminate number of blogs focusing on our ongoing mission to keep your account information secure. I should mention that this particular blog makes up the vast majority of the security portion of the CSM meeting, which was removed from the meeting minutes in favor of this blog. We also discussed some things forum goers may already be aware of, such as the Gawker database hack and the issues we had a few months ago with some packet filtering devices at universities. I've decided to start with phishing because I think it's pretty lame. It's also rather prevalent because it essentially requires zero talent and, if left alone, can bury your inbox in garbage while the phisher harvests the odd account to convert to cash. As with any of our security efforts, whether it be account security or RMT, our focus will be on increasing the amount of effort required while reducing the profitability of the enterprise. As I've said in a previous blog, your stuff has value and is, ipso facto, of value to lazy criminals.
As with anything, when deciding how we should work on reducing the potential for phishing we did some research to determine what others have done in this area. It just so happens that Paypal/Ebay had a tremendous phishing problem and documented their methodology for reducing its effectiveness very well. At one point in the not-so-distant past Paypal and their parent company Ebay accounted for 80% of all phishing traffic on the Internet. Given the impact this had on their service they took a holistic approach to the problem and over the course of a year or two were able to reduce this number to under 10%. I'd personally say those are pretty good results, and as such we've studied their approach, which they helpfully documented and made public here, and have borrowed from it in spades. Virtual hi5's to the folks at Paypal for doing the world a favor and so rigorously documenting the process they established.
This is a flow diagram which mirrors a similar diagram created by Paypal and maps out the lifecycle of a phishing attack and its impact on the business and the business's customers:
![Phishing lifecycle diagram](//cdn1.eveonline.com/community/devblog/2011/Phishing Diagram Raw.jpg)
It's fairly straightforward: a phishing email is sent, which leads to a bad user experience and financial loss to CCP in the form of work and reimbursements. That bad experience can leave a sour taste in a customer's mouth, which leads to lower activity (and less fun). The information obtained by the fraudster is then used to liquidate the user's assets and/or sell off the user's account information to be used for other bad activity, which is what spurs the additional phishing attacks in order to generate further profit for the bad guys.
This diagram illustrates how we will put up some walls to address each step of the problem with detailed explanations below it:
![Phishing lifecycle diagram with blocks marking each countermeasure](//cdn1.eveonline.com/community/devblog/2011/Phishing Diagram Blocks.jpg)
Block 1 - Here is where we reclaim our email. Below is an example of a phishing attack:
This email is carefully crafted to appear as if it came from us. In order to best help our customers be safe from these types of attacks, it behooves us to make it easier for customers to identify email which was REALLY sent by us. Currently a customer has to do a bit of work to determine that the URL the link points to is not actually our website. It's not surprising at all that many people would click the link provided, as the email for all intents and purposes seems to have been sent by us. We will be changing our mail infrastructure a bit to make this more difficult by implementing a combination of technologies referred to as "SPF" and "DomainKeys". In essence, these two technologies allow email providers to take a look at incoming email and determine with some degree of certainty whether the email they're receiving was actually sent by the holder of the domain name that the email is purporting to come from.
In this scenario, if someone tries to send an email from SUPERADMIN@EVEONLINE.COM and the mail wasn't sent by one of our authorized servers, many mail providers, including Google, Microsoft, Yahoo and AOL, will simply drop the mail and it will never arrive in your inbox. In addition, this will provide the end-user with some capabilities to CHECK on their own whether an email was sent by us, which is a subject we'll get to once the implementation is complete. SPF will be implemented in approximately 7 days. DomainKeys will take a bit more time, as things need to be moved around in order to implement that properly.
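To show what a receiving provider actually does with SPF, here is an added example (not code from this blog or from CCP) of a minimal SPF evaluator: it reads a `v=spf1` record for the sender's domain and decides whether the connecting IP is authorized. The SPF record and the IP addresses are constructed placeholders from the documentation ranges, not our real mail servers; only the `ip4`, `ip6` and `all` mechanisms are implemented, since the others need DNS lookups.

```python
import ipaddress

# Constructed stand-in for the TXT record a domain owner publishes in DNS.
# The networks are documentation ranges, NOT CCP's real sending servers.
SPF_RECORDS = {
    "eveonline.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:10::/48 -all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror' for
    the connecting IP against one v=spf1 record (ip4/ip6/all mechanisms only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term          # an unqualified mechanism means '+'
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")   # 'ip6:2001:db8::/48' -> ('ip6', '2001:db8::/48')
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
            matched = ip.version == net.version and ip in net
        else:
            return "permerror"               # include/a/mx etc. not supported here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched and no 'all' term

def check_mail(mail_from, sender_ip):
    """Simulate the receiving provider: look up the envelope sender's domain
    and return the SPF verdict a '-all' policy lets it act on (drop on 'fail')."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    return "none" if record is None else evaluate_spf(record, sender_ip)

if __name__ == "__main__":
    # Mail relayed by an authorized server passes; a stranger's box spoofing the
    # same From address fails and never reaches the inbox.
    print(check_mail("SUPERADMIN@EVEONLINE.COM", "192.0.2.25"))   # pass
    print(check_mail("SUPERADMIN@EVEONLINE.COM", "203.0.113.7"))  # fail
```

The `-all` at the end of the record is what turns an unmatched sender into a hard fail; a `~all` record only yields `softfail`, which most providers treat as a hint rather than a reason to drop.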
Block 2 - In block 2 we work to prevent the sites from being displayed to our customers. There are actually two things in play here. Below is an illustration of the first:
This is an example of an error message generated by the latest version of Internet Explorer when attempting to access a phishing link from an email. Every single phishing link we've been sent in the recent past has been properly identified by the latest versions of IE, Firefox and Chrome as a web forgery. In order to benefit from this safeguard you need to have an updated version of your browser and you need to have the feature turned on.
You can enable this feature in IE 8 by clicking Tools, then Internet Options, then the Advanced tab, and checking "Enable SmartScreen Filter". You should also check "Warn about certificate address mismatch" and "Warn if POST submittal is redirected to a zone that does not permit posts" just to be cool and safe.
In Firefox you can enable this feature by clicking Tools, then Options, then clicking the Security Lock icon at the top and ensuring you have both "Block reported attack sites" and "Block reported web forgeries" checked. Bonus points if you also check "Warn me when sites try to install add-ons".
In Chrome you click the wrench symbol then click options. Click the "Under the hood" tab and make sure you have "Enable phishing and malware protection" checked.
The Safari unsafe sites feature is located at Safari > Preferences... > Security. Check "Warn when visiting a fraudulent website".
On iPhones/iPad, it's Settings > Safari, set Fraud Warning On.
In Opera, it's Preferences > Advanced > Security. Check "Enable Fraud Protection". (Credit to Trebor for the last three browsers; it was a timesaver.)
One way we plan on helping our users who don't anxiously F5 the blog section to see if I've written something of note is to start checking the User-Agent string your browser sends us when you connect to the EVE Online website and give you a little warning if you are running a version of your web browser of choice that does not support this option. We won't limit your interaction with the site in any way, but we do feel that you're worth reminding when you're driving the Internet from a position of risk.
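As an added example (not the site's own code), this is the shape such a User-Agent check takes: parse the browser family and version out of the string and only warn when the version is below the one that carries the phishing filter. The minimum versions are assumptions for illustration (IE 8 is the version named above; the Firefox and Chrome thresholds are not from this blog), and the User-Agent strings are constructed samples.

```python
import re

# Assumed minimum versions with a built-in phishing/forgery filter.
# Only IE 8 is named in the blog; the other two are illustrative thresholds.
MIN_VERSION = {"IE": (8,), "Firefox": (3,), "Chrome": (9,)}

# Chrome is checked first because its User-Agent also contains "Safari".
UA_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("IE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

def parse_user_agent(ua):
    """Return (family, version_tuple) or (None, None) for an unrecognised UA."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, tuple(int(p) for p in m.group(1).split("."))
    return None, None

def browser_warning(ua):
    """Return the warning text to show on the site, or None if the browser is
    unknown (we say nothing rather than guess) or new enough."""
    family, version = parse_user_agent(ua)
    if family is None or version >= MIN_VERSION[family]:
        return None
    shown = ".".join(str(p) for p in version)
    needed = ".".join(str(p) for p in MIN_VERSION[family])
    return (f"You are running {family} {shown}, which has no built-in phishing "
            f"protection. Please update to {family} {needed} or later.")

if __name__ == "__main__":
    # Constructed sample User-Agent strings, old and current for the time.
    for ua in [
        "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
        "Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13",
        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13",
    ]:
        print(browser_warning(ua))
```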
In addition to this, we're constantly working internally to detect this type of activity in a number of ways. Something that is of great value to us is when you forward any phishing emails you receive to firstname.lastname@example.org. I can assure you that while I may not personally respond to every email which gets sent to this box, I do monitor it every minute that I'm awake, and if something new comes in we get to work on it right away. There's no such thing as too many copies of a phishing email in that inbox. We use this information in a multitude of ways on the back-end that are of significant value to your account, as well as in block 5. Hold your horses, I'm getting there.
Block 3 - Block 3 is where we ensure that we're properly authenticating our users. Authentication from our perspective is ensuring that you are you. Not that you are someone with your password. That you, the guy whose name is yours, are really you. An initial shot at this was when we began asking you to name one of the characters on your account. I think security folk have known for a while, and all of us on the Internet are finally beginning to accept, that the days of passwords as a sole authenticating factor are over. In this block we're still doing quite a bit of research, but it is an area we want to address, and you'll be the first to know what changes are coming when we do.
Block 4 - Block 4 is where we foster ongoing communication with you, our customers and fellow travelers, in order to ensure that you have as much information as possible about what the threats are and how you can prevent yourself from falling victim to an attack. We do this because it is our firm belief that the more informed you are the better off you'll be. These phishing emails don't arrive in my inbox. I don't get them, click on the links, or enter your account information when the nasty page comes up. It is you guys (I mean that generically not precisely YOU) who receive these emails and are at risk so the better we can help to arm each and every last one of you with information the better off we all collectively are.
Block 5 - In Paypal's example, block 5 is where they worked with law enforcement to capture bad guys. I have some experience in this regard personally and I can tell you that this is a very difficult step for us to take internationally. What we're doing in block 5, though, is taking every single route we can to ensure that every site and tool the phisher has access to and uses is removed from the face of the Internet. The instant an email arrives in the security inbox we analyze the attack and begin running down any locations the attacks are being launched from. We then build a profile of each and every company involved in every leg required to deliver that content to your browser. This could be DNS, the ISP, the hosting provider, a registrar or any other party who is providing some form of delivery for the malicious content, and we contact each and every last one of them asking them to shut it down. Recently we've been very successful in this regard and I'm working on putting together what numbers I can for some future blog on the subject. As it stands it's a bit difficult for us to measure, but we'll try.
By shutting down the hacked servers or various other services the phisher is using, we force them to spend more time building locations to link to in the phishing emails and we reduce the window that they have to successfully collect your information. If you were to click on a link and it went nowhere, you couldn't very well give it your password.
The overarching idea when you combine each of these "blocks" is to increase the amount of work required vs. the payoff so that it is no longer a profitable enterprise to operate. This is a general concept that we are applying across the entire spectrum of malicious activity and doesn't just stop with phishing as we'll discuss in a later blog.
It is important to note that phishing is not the only way your credentials or private information can be stolen. One example we've mentioned a bit in the past is third-party applications such as bots. We spend some time reverse-engineering this code, and there are very few cases where ANY "botting" application does NOT send information to the creator that you did not intend it to. There is also NO class of bot that does not violate the EULA and will not get your account actioned against when we detect it. In one case that springs immediately to mind, a freely distributed piece of code had a time-bomb in it: on a certain date and time it transferred the contents of the wallets of everyone using it to the creator. Another recent example had the bot sending all chat channels and communications to the creator. I cannot think of a single instance of bot creation where the creator built and maintained a botting program out of the kindness of their own heart. If you got it for free there's a catch and they're probably stealing from you. If you paid for it you're still just a cash register and they're probably stealing from you, regardless of whether you paid for it with a credit card or through some obscure method of transferring ISK.
The reason these things exist (RMT, phishing, forum hacking for account harvesting, bots, etc.) is to squeeze money out of you and into the hands of a third party. There is no such thing as a free lunch anywhere, and our overall strategy is to do whatever is necessary in order to make these endeavours unprofitable. This is our open response to phishing, and in the future we'll have further updates on the other areas of concern. I'm looking forward to the comments and discussion, and until next time, have fun!