Slashdot Mirror


Dealing with Phishing

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"


  1. Unpredictable by neonprimetime · Score: 4, Insightful

    The only thing an attacker can't simulate is an interface he can't predict.

    This will be the key when designing sites in the future.

  2. Re:Where to draw the line on user ignorance? by PrescriptionWarning · Score: 3, Insightful

    To go a slight step further minutes after posting this, does it seem like more and more programs are doing things for us, perhaps without our knowledge? I take for example the Xbox 360 games updater: it tells you there's an update, you update it while looking at a little progress bar, and then it's done and you play the game again. I for one really want to know what updates there were, at least the significant ones. It would be nice to know if a certain bug that plagued me before was fixed, or if content was added/changed so I can proceed to take advantage of it.

    Are people so content with blind usability of their devices?

  3. Mozilla, take note: by The+MAZZTer · Score: 4, Insightful

    for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.'

    Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
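The two history cues quoted above, worked into a small added example (editor's code, not from the interview, the paper or Dynamic Security Skins). It goes a little beyond the quote by keying a form on both the page's origin and the origin the form posts to, so a familiar page with a planted form still reads as "never submitted". The "many times" threshold and every URL are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urljoin, urlparse

MANY_VISITS = 10  # assumed threshold for "many times"; the interview gives no number


def origin(url: str) -> str:
    """Scheme + lowercased host (+ explicit port): the unit a cue is keyed on."""
    p = urlparse(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{(p.hostname or '').lower()}{port}"


class HistoryCues:
    """Per-browser record of visited origins and (page origin, form target) pairs."""

    def __init__(self) -> None:
        self.visits = defaultdict(int)   # origin -> number of visits
        self.submitted = set()           # (page origin, origin the form posts to)

    def record_visit(self, url: str) -> None:
        self.visits[origin(url)] += 1

    def record_submit(self, page_url: str, action: str) -> None:
        self.submitted.add((origin(page_url), origin(urljoin(page_url, action))))

    def visit_cue(self, url: str) -> str:
        n = self.visits.get(origin(url), 0)
        if n == 0:
            return "you've never been to this website before"
        if n >= MANY_VISITS:
            return "you've been to this website many times"
        return f"you've been to this website {n} time(s)"

    def form_cue(self, page_url: str, action: str) -> str:
        # Keyed on both origins, so a familiar page whose form suddenly posts
        # elsewhere (a planted or injected form) still reads as never submitted.
        key = (origin(page_url), origin(urljoin(page_url, action)))
        if key in self.submitted:
            return "you've submitted this form before"
        return "you've never submitted this form before"


if __name__ == "__main__":
    h = HistoryCues()
    for _ in range(12):                       # constructed browsing history
        h.record_visit("https://bank.example/login")
    h.record_submit("https://bank.example/login", "/auth")
    print(h.visit_cue("https://bank.example/login"))          # many times
    print(h.visit_cue("https://bank-example.example/login"))  # never been here
    print(h.form_cue("https://bank.example/login", "https://collector.example/auth"))
```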

  4. Not really going to work by Jimmy+King · Score: 5, Insightful

    While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site"; it would be "oh, my skin didn't load for some reason," and then they'd probably continue on.

    The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far as their home PC is concerned. To make it worse, most people not only don't understand, but don't want to understand.

  5. Awareness is more important by Anonymous Coward · Score: 1, Insightful

    It seems obvious from this article that teaching people about computer scams and making them aware of tricks such as phishing is the only way to foil these types of attacks. The phishing sites in the study didn't even use technological foolery, yet they still managed to fool most of the users. This shows that no amount of advanced anti-phishing technology in the browser will help more than simple education and very obvious cues that a site could be faked. Popups and dialog boxes don't work because in modern computing they have become somewhat of a false alarm - a dialog box warns you of something and you close it immediately because it is irrelevant. The only way to really utilize the browser's anti-phishing technology is to have a very visible notice that a site could be faked, such as putting a big notice right in front of the page, etc. Fundamentally, phishing is a form of social engineering combined with technological tricks, and the social aspect of the problem must be approached to help solve the problem.

  6. Personalization will only help so much by scolby · Score: 4, Insightful

    Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.

    In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.

    1. Re:Personalization will only help so much by Anonymous Coward · Score: 2, Insightful

      It's true there is always a way around things, and though the example with the image selection that Bank of America uses (and similar implementations at a handful of other financial institutions) is not completely foolproof, it is significantly more secure than a financial institution that does not use such a system. BofA and the other banks know this - Phishers are more likely to target the customers of a bank that hasn't re-educated its userbase on how their new login will work, and why.

      When someone goes fishing, they don't target a specific fish in the pond. They throw the same cheap bait everywhere, and whatever bites get caught. In order for the image technique that BofA uses to be foiled (and believe me - I'm not a BofA fan - sorry to keep using that as THE example, because it's not), it seems a phisher would have to spend more energy/resources/what have you coming up with ways to target specific people. Instead of comparing it to fishing, it would be more like hunting/stalking - which takes lots more effort. It seems it would significantly cut down on the quantity of victims - assuming quantity is what phishers are going for.

      My 2 cents.

  7. What bothers me is... by azav · Score: 4, Insightful

    Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.

    If we are, why are we not hearing about it?

    I mean, spam and phishing are the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and, through use of zombies of hijacked connections, theft or trespassing.

    Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

    ??

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...

  8. Re:Where to draw the line on user ignorance? by Red+Flayer · Score: 4, Insightful

    Are people so content with blind usability of their devices?

    Why yes, yes they are.

    To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."

    That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai

  9. Haha, "why phishing works" by drinkypoo · Score: 3, Insightful

    That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  10. Not so sure about the visit count being useful. by Jerf · Score: 1, Insightful

    You have read this comment 42 times, therefore it is trustworthy. Please reply with your social security number and mother's maiden name.

    I'm not sure that visit counts are very useful, as there is only a narrow window between the very beginning, where it is useless because it is basically 0, and where it becomes useless because it's just a big, meaningless number. Will you notice if your visit count goes from 123 straight to 125? Will you even notice if it goes from 124 to 543?

    Of course you want to say yes, because it looks like I'm asking "Can you tell the difference between 543 and 124?" and of course the answer is yes. But the real question I'm asking is, "Can you tell if a number secreted away in the corner of a busy webpage that you probably don't even know exists and have probably forgotten about if you did changes from 124 to 543?" I think that if you're honest with yourself, the answer is no.

    It's a good brainstorming idea, but I don't think that's going to help much.

    On the other hand, customizable interfaces would probably help a lot, but that's a lot of work, and you're going to have to half-force people to do customizations if you want it to work, because most people would just stick with the default. Perhaps randomize (within reason) some of the customization parameters? Sure, it'll add support load, but so does phishing, so you'd have to do a careful analysis to see if you come out ahead; it could go either way.

  11. Too easy to defeat. by khasim · Score: 1, Insightful

    To defeat this, the attacker just needs to correctly copy the bank's page (or whatever). Images, style sheets, etc.

    No matter what the user does to his/her browser, the bank's page will be displayed with the same mods as the phishing page. If you over-mod your browser, then the bank's page will look weird anyway and this can make phishing even easier.

    She had a good idea in showing how many times you had already visited that page ... which works until there is a way to fake that display.

    The only way to really defeat phishing is to only use the web interface to start a transaction or to view information ... and require that the bank call the customer at the customer's phone number and verify that the transaction is authorized.

    1. Re:Too easy to defeat. by Anonymous Coward · Score: 2, Insightful

      I think you miss the point. The idea isn't to mod the bank site, but for the individual to mod his/her own interface to the bank site. Bank of America is doing this -- you select a personal image. When you log in to their site, the login page displays the image you selected. If you don't see the correct image, you know it's a phishing attempt. This is still a user education issue, but at least it helps.

    2. Re:Too easy to defeat. by Daverd · Score: 3, Insightful

      Say the website in question allows you to pick from several different stylesheets, and this selection gets stored as a cookie on the user's machine. Whenever the user goes back to that page, it shows up in the style they've chosen. Then there's no way for the phisher to simulate that, because cookies can't be shared between domains. The user would go to the phishing site and hopefully realize something's wrong when everything looks different.

  12. Smarter than your average bear by Billosaur · Score: 2, Insightful

    Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.

    There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."

    Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.

    Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.

    --
    GetOuttaMySpace - The Anti-Social Network

  13. Re:Half-azzed study by maxwell+demon · Score: 2, Insightful

    Hmmmm ... thinking along those lines, the phishing site could just be a proxy forwarding everything to the legitimate site and back, but just storing the interesting data like passwords.

    --
    The Tao of math: The numbers you can count are not the real numbers.

  14. Spoof Proof? by sqlrob · Score: 3, Insightful

    She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'

    We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.

  15. A simple solution by GeorgeVW · Score: 4, Insightful

    Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.

  16. Some obvious items overlooked in the study. by abb3w · Score: 2, Insightful

    FTA: Participants proved vulnerable across the board to phishing attacks. In our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.

    No check for "familiarity with elementary principles of cryptography" giving a correlation. I suspect that anyone who recognizes the significance of the names "Alice, Bob, and Eve" will probably be far less vulnerable than average.

    I'll also note that while they claim: "There is no significant correlation between the score and the primary or secondary type of browser or operating systems used by participants", their breakdown of participants indicated no Linux users were studied. Of course, Linux users are a weirdo minority, but I would be curious.

    --
    //Information does not want to be free; it wants to breed.

  17. Custom email addresses by erice · Score: 2, Insightful

    When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?

    Then every email they send to you, they include that string in the subject line.

    You can actually go one better today, without telling your bank what you are doing.
    Give your bank a unique email address. Never use that email address for anything else.

    The odds of getting a phish on that email address are close to nil unless you or the bank gets hacked.

    This is how I filter virtually all phishes to date. If it arrives on an address not known to the entity being represented, it's obviously a fake.
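The filtering rule in the comment above, written out as an added example on the mailbox side (editor's code, not the commenter's own). It combines both ideas from the post: a private alias per institution and an optional reverse-authentication string in the Subject. The alias table, sender domains, tag and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# alias given to the institution -> (domains it really mails from, expected Subject tag or None)
ALIASES = {  # constructed for the example
    "bank-only@mail.example": ({"notify.bank.example"}, "[RA:green-heron-42]"),
    "broker-only@mail.example": ({"broker.example"}, None),
}


def classify(raw_message: str) -> str:
    """Return a verdict string for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    hit = recipients & set(ALIASES)
    # Aliases whose institution the From domain claims to be.
    claimed = {alias for alias, (domains, _) in ALIASES.items() if sender_domain in domains}

    if claimed and not (claimed & hit):
        # Looks like the bank, but the bank only ever knows its own private alias.
        return "phish: claims to be an institution but did not arrive on its private alias"
    if not hit:
        return "unknown: not addressed to any institution alias"
    alias = next(iter(claimed & hit or hit))
    domains, tag = ALIASES[alias]
    if sender_domain not in domains:
        return "suspicious: alias used by an unexpected sender (alias leaked or From forged)"
    if tag and tag not in msg.get("Subject", ""):
        return "suspicious: reverse-authentication string missing from Subject"
    return "ok"


LEGIT = """\
From: Bank Alerts <alerts@notify.bank.example>
To: bank-only@mail.example
Subject: [RA:green-heron-42] Your statement is ready

Constructed sample body.
"""

PHISH = """\
From: Bank Security <security@notify.bank.example>
To: me@mail.example
Subject: Urgent: verify your account

Constructed sample body.
"""
```

The From header is forgeable, so the alias check carries the weight; the Subject tag only catches mail that reached the alias from a sender who never saw the tag.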