Phishing attacks highlight differences in instant messaging security
Posted by ProcessOne on February 26, 2009
Can decentralized instant messaging networks improve overall security and robustness?
Gmail and Yahoo! account holders are among those recently targeted by a major phishing attack on their instant messaging systems, aimed at stealing account log-in details. As with attacks on email systems, a lot of the onus is on users not to click on links from untrusted users. However, the attack does highlight a fundamental difference between the levels of security on centralised (public) and decentralised (private) IM networks.
With many centralised IM platforms, every username has to be unique, so users often have to find ways to create an account name that is available (e.g. Fred123) rather than one that necessarily indicates their credentials. This can make verifying the identity of contacts a difficult task: how can you know whether Fred123 is your friend or not?
With an open-standard IM platform, users are generally less susceptible to phishing attacks. Because it is a decentralised network, you can only connect with the domain names (typically their email address) of the users that you trust, and when a server connects to your server it has to provide valid credentials to prove that it is the domain it says it is. A server can also automatically block messages from users not on your contact list, significantly reducing the temptation to click on untrusted links in the first place.
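The two server-side checks described above (sender domain must match the domain the peer server authenticated as, and sender must be on the recipient's contact list) can be sketched as follows. This is an added example, not ProcessOne's code; the function names, JIDs and stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def bare_jid(jid):
    # user@domain/resource -> user@domain. Lowercasing is a simplification
    # of the real JID normalisation rules.
    return jid.split("/", 1)[0].lower()

def domain_of(jid):
    return bare_jid(jid).rsplit("@", 1)[-1]

def accept_message(stanza_xml, authenticated_domain, roster):
    """Decide whether an inbound server-to-server message is delivered.

    authenticated_domain: the domain the peer server proved it controls
    when the connection was set up. roster: the recipient's contacts.
    """
    # A real server reads stanzas from its stream parser; fromstring is
    # used here only to keep the example self-contained.
    stanza = ET.fromstring(stanza_xml)
    tag = stanza.tag.rsplit("}", 1)[-1]  # drop any XML namespace
    sender = stanza.get("from")
    if tag != "message" or not sender:
        return False, "not a message with a sender address"
    if domain_of(sender) != authenticated_domain.lower():
        return False, "sender domain differs from authenticated server"
    if bare_jid(sender) not in roster:
        return False, "sender not on contact list"
    return True, "delivered"

# Constructed sample data: recipient's roster and three inbound stanzas,
# each paired with the domain the sending server authenticated as.
ROSTER = {"fred@example.org"}
SAMPLES = [
    ("<message xmlns='jabber:server' from='fred@example.org/home' "
     "to='alice@example.com'><body>lunch?</body></message>", "example.org"),
    ("<message from='fred123@im.example.net' to='alice@example.com'>"
     "<body>check this link</body></message>", "im.example.net"),
    ("<message from='fred@example.org' to='alice@example.com'>"
     "<body>check this link</body></message>", "im.example.net"),
]

def run_samples():
    return [accept_message(xml, dom, ROSTER) for xml, dom in SAMPLES]

if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The look-alike account is dropped by the contact-list check, and the forged address is dropped because the sending server never proved control of `example.org`.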
The message here is that users should always avoid opening links from untrusted sources. However, it is up to IM platforms to make it as easy as possible for users to check the identity of the contacts they are chatting with.
To read more about the recent instant messaging phishing attacks go to http://www.vnunet.com/vnunet/news/2237230/multi-platform-im-phishing.