Slashdot Mirror
Dealing with Phishing
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
The only thing an attacker can't simulate is an interface he can't predict.
This will be the key when designing sites in the future.
To go a slight step further minutes after posting this, does it seem like more and more programs are doing things for us, perhaps without our knowledge? I take for example Xbox 360 games updater: it tells you there's an update, you update it while looking at a little progress bar, and then its done and you play the game again. I for one really want to know what updates there were, at least the significant ones. It would be nice to know if a certain bug that plagued me before was fixed, or if content was added/changed so I can proceed to take advantage of it.
Are people so content with blind usability of their devices?
Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.
The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.
Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.
In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.
Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.
If we are, why are we not hearing about it?
I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.
Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?
??
- Zav - Imagine a Beowulf cluster of insensitive clods...
To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."
That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.
There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."
Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.
Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.
GetOuttaMySpace - The Anti-Social Network
I think you miss the point. The idea isn't to mod the bank site, but for the individual to mod his/her own interface to the bank site. Bank of America is doing this -- you select a personal image. When you login to their site, the login page displays the image your selected. If you don't see the correct image, you know its a phishing attempt. This is still a user education issue, but at least it helps.
Hmmmm ... thinking along those lines, the phishing site could just be a proxy forwarding everything to the legitimate site and back, but just storing the interesting data like passwords.
The Tao of math: The numbers you can count are not the real numbers.
She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces
We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.
Say the website in question allows you to pick from several different stylesheets, and this selection gets stored as a cookie on the user's machine. Whenever the user goes back to that page, it shows up in the style they've chosen. Then there's no way for the phisher to simulate that, because cookies can't be shared between domains. The user would go to the phishing site and hopefully realize something's wrong when everything looks different.
Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.
FTA: Participants proved vulnerable across the board to phishing attacks. In our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
No check for "familiarity with elementary principles of cryptography" giving a correlation. I suspect that anyone who recognize the significance of the names "Alice, Bob, and Eve" will probably be far less vulnerable than average.
I'll also note that while they claim: "There is no significant correlation between the score and the primary or secondary type of browser or operating systems used by participants", their breakdown of participants indicated no Linux users were studied. Of course, Linux users are a weirdo minority, but I would be curious.
//Information does not want to be free; it wants to breed.
When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?
Then every email they send to you, they include that string in the subject line.
You can actualy go one better today, without telling your bank what you are doing.
Give your bank a unique email address. Never use that email address for anything else.
The odds of getting a phish on that email address are close to nil unless you or the bank gets hacked.
This is how I filter virtually all phishes to date. If it arrives on an address not known to the entity being represented, it's obviously a fake.