Slashdot Mirror


Why Phishing Works

h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."

9 of 293 comments

  1. Short answer by gEvil+(beta) · Score: 5, Insightful

    Phishing works because people don't understand (nor do they want to) the basics of the technology they use (example: Jerry Taylor).

    --
    This guy's the limit!
    1. Re:Short answer by plover · Score: 5, Insightful
      In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.

      In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".

      And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.

      The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.

      --
      John
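An added example to illustrate the token idea in the comment above (it is not code from the poster, the paper or any real product): a toy origin-bound authentication token in stdlib Python. The browser hands the token the origin it actually connected to, the token answers a login challenge only for origins it has enrolled, and in the other direction the token can demand that a site or ATM prove knowledge of the enrolled key before the user types anything. All origins, the user name and the scenario are constructed and hypothetical.

```python
"""Toy origin-bound authentication token (added example, stdlib only).

Constructed scenario: one token, a bank at the hypothetical origin
"bank.example", its ATM at "atm.bank.example", a look-alike phishing
site at "bank-secure.example", and a skimmer posing as the ATM.
"""
import hashlib
import hmac
import secrets


class Token:
    """Holds one random key per enrolled origin and never reveals it."""

    def __init__(self):
        self._keys = {}

    def enroll(self, origin):
        # Done once at sign-up; the key is shared with the relying party
        # out of band (here simply returned to the caller).
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key

    def respond(self, origin, challenge):
        """Answer a login challenge, but only for an enrolled origin.

        `origin` comes from the browser's actual connection, not from
        the user, so a look-alike domain gets no answer at all.
        """
        key = self._keys.get(origin)
        if key is None:
            return None  # the "UNKNOWN WEB SITE" case
        msg = b"client|" + origin.encode() + b"|" + challenge
        return hmac.new(key, msg, hashlib.sha256).digest()

    def verify_site(self, origin, nonce, proof):
        """Reverse direction: did this site or ATM prove it knows our key?"""
        key = self._keys.get(origin)
        if key is None:
            return False
        msg = b"server|" + origin.encode() + b"|" + nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class RelyingParty:
    """A bank web site or ATM: knows its origin and each user's key."""

    def __init__(self, origin):
        self.origin = origin
        self._user_keys = {}

    def register(self, user, key):
        self._user_keys[user] = key

    def new_challenge(self):
        return secrets.token_bytes(16)

    def check_login(self, user, challenge, response):
        key = self._user_keys.get(user)
        if key is None or response is None:
            return False
        msg = b"client|" + self.origin.encode() + b"|" + challenge
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def prove_identity(self, user, nonce):
        key = self._user_keys.get(user)
        if key is None:
            return b""  # an impostor holds no key for this user
        msg = b"server|" + self.origin.encode() + b"|" + nonce
        return hmac.new(key, msg, hashlib.sha256).digest()


def run_scenario():
    token = Token()
    bank = RelyingParty("bank.example")
    bank.register("alice", token.enroll("bank.example"))
    atm = RelyingParty("atm.bank.example")
    atm.register("alice", token.enroll("atm.bank.example"))
    phish = RelyingParty("bank-secure.example")  # look-alike, never enrolled
    fake_atm = RelyingParty("atm.bank.example")  # claims the origin, lacks the key

    results = {}
    # 1. Real bank: browser passes the real origin, token answers, bank accepts.
    c = bank.new_challenge()
    results["legit_login"] = bank.check_login(
        "alice", c, token.respond("bank.example", c))
    # 2. Phishing page: the content may be pixel-identical, the origin is not.
    c = phish.new_challenge()
    r = token.respond("bank-secure.example", c)
    results["phish_login"] = "UNKNOWN WEB SITE" if r is None else "signed"
    # 3. Before entering a PIN, the token asks the ATM to prove itself.
    n = secrets.token_bytes(16)
    results["real_atm"] = token.verify_site(
        "atm.bank.example", n, atm.prove_identity("alice", n))
    # 4. A skimmer claiming to be that ATM cannot produce the proof.
    results["fake_atm"] = token.verify_site(
        "atm.bank.example", n, fake_atm.prove_identity("alice", n))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The two HMAC messages are domain-separated ("client|" versus "server|") so a proof the site produced can never be replayed back to it as a login response. The phishing case fails at key lookup, not at a user decision: the user never has to read the address bar, which is exactly the indicator the study found most people ignore.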
  2. Social engineering anyone? by SComps · Score: 5, Insightful

    It works because it plays on the concept that seeing is believing; and most people will trust their eyes over their minds any day of the week.

  3. And this might be optimistic by plover · Score: 5, Insightful
    The paper hints that the people selected for the study may not adequately represent the web-surfing public -- they may be "above average".

    Humanity is doomed.

    --
    John
  4. Simply because .... by cfortin · Score: 5, Funny

    People are stupid. Total knuckle biters. Every one of them.

    That is all ...

  5. It's like P.T. Barnum said, by TheCoders · Score: 5, Insightful

    "There's a sucker born every minute." Listen, we can put an evil Devil's face on the browser, along with flashing neon lights and big signs that say "WARNING: This site is suspicious", and a gloved hand that comes out of the monitor and slaps the user silly, and you know what? People will still fall for these scams! It's not people like you and me that are the targets of phishing. Ask your grandmother what a URL is, and (with some exceptions, of course) you'll get a blank stare. Heck, ask the cute cocktail waitress at your local bar, and you'll get the same response (and I wonder why I can't get a date...). That's what we're up against.

    Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take responsibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site that even if only one in several thousand potential targets falls for it, that's usually enough to ensure a profit.

  6. Re:The Blind Squirrel by $RANDOMLUSER · Score: 5, Funny

    I've been proposing for a long time that the "Yes/No/Cancel" type dialog boxes should simply be replaced with a single "Whatever" button, as users NEVER read what the dialog box says.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  7. The problem goes right down to the SSL layer by egarland · Score: 5, Insightful
    This is a post I wrote in response to the phishing site with a valid SSL cert. I'll highlight the appropriate portion for this discussion.


    SSL certificates don't have to be signed. You can create X.509 self-signed certs no problem. Web browsers just don't like them and pop up all kinds of warnings.

    They should tier SSL certs and make the higher level ones more difficult and time consuming to get:
    0 None
    1 Self Signed
    2 Small business
    3 Mid-sized business
    4 Large business
    5 Financial Institution

    Browsers should display a lock with a number explaining what encryption a site used (even when none is used) and could explain the rank when the icon is moused over. Then people always would have a place to look to check the rank before deciding if they should punch information in.

    The original SSL design was a good first step, but it is definitely showing its age today.


    For Anti-Phishing to work it needs a UI with support right down into the SSL layer.

    Currently it's next to impossible to differentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter financial information. We need a bit more structure, a few more checks and balances.
    --
    set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
  8. While ISPs learn to block... by fak3r · Score: 5, Informative

    I always encourage others to 'go on the offensive' and help pollute phishers' databases with the awesome site: PhishFighting.com. Set a few tabs open to fill the phisher's database with useless data, check back later and see the site is offline (likely from the attention garnered from all the bandwidth usage!).

    As bosses would say "It's a win-win!"