Why is this "phishing"? The reports indicate that it was an intrusion
into a single business's computers, not a phishing attack in which
people are tricked into giving their identifying information to an
impostor.
And I don't see anything in the reports to indicate that it has
anything particularly to do with the Internet. Does it?
[TELECOM Digest Editor's Note: The word 'phishing' may have not been
the best way of phrasing things. As I understand what happened (and
they are being sort of tight lipped about it) the perpetrator(s)
installed some sort of 'back door' into the software to deliberatly
capture the card numbers and other details. 'Traditional phishing' --
if we can use that term -- does generally refer to social engineering
done manually, case by case. I put up a phony web page and trick you
into revealing those same details. On the other hand, 'traditional
hacking' usually refers to brute force removal of the desired data
or manipulation of same, no password required. What terms should be
used when there is a case of 'social engineering' where a computer
'trusts' that what it is doing is what it _should_ be doing, i.e. a
back door built in by someone, and the computer goes right along
innocently doing its thing? And what term should apply when instead
of 'traditional phishing' (one person after another being tricked)
the phisherman grows impatient and decides to get them all in one
swoop by posing as a delivery person and tricking the one person
(let's call him the 'master data collector' [who is honest]) into
giving up his hoard? I honestly suspect that is what happened in
the one case last week with the 'missing UPS' shipment. Neither UPS
nor the employee-in-the-trick-bag is willing to admit it; some fool
in the proper-looking uniform socially engineered the 'master data
collector' into turning over his hoard of lawfully collected data.
We probably need new common-names for all this deviant behavior;
'phisher', 'cracker' and 'hacker' are just not enough any longer. PAT]
mc (mc_no_spam@uga.edu)