Slashdot Mirror
Dealing with Phishing
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
The only thing an attacker can't simulate is an interface he can't predict.
This will be the key when designing sites in the future.
To go a slight step further minutes after posting this, does it seem like more and more programs are doing things for us, perhaps without our knowledge? I take for example Xbox 360 games updater: it tells you there's an update, you update it while looking at a little progress bar, and then its done and you play the game again. I for one really want to know what updates there were, at least the significant ones. It would be nice to know if a certain bug that plagued me before was fixed, or if content was added/changed so I can proceed to take advantage of it.
Are people so content with blind usability of their devices?
Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.
The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.
Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.
In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.
Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.
If we are, why are we not hearing about it?
I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.
Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?
??
- Zav - Imagine a Beowulf cluster of insensitive clods...
To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."
That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces
We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.
Say the website in question allows you to pick from several different stylesheets, and this selection gets stored as a cookie on the user's machine. Whenever the user goes back to that page, it shows up in the style they've chosen. Then there's no way for the phisher to simulate that, because cookies can't be shared between domains. The user would go to the phishing site and hopefully realize something's wrong when everything looks different.
Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.