Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dealing with Phishing

Posted by ryuzaki0 on from the god-i-wish-someone-would dept.

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

7 of 168 comments (clear)

  1. Unpredictable by neonprimetime · · Score: 4, Insightful

    The only thing an attacker can't simulate is an interface he can't predict.

    This will be the key when designing sites in the future.

  2. Mozilla, take note: by The+MAZZTer · · Score: 4, Insightful
    for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.

    Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!

  3. Not really going to work by Jimmy+King · · Score: 5, Insightful

    While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.

    The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.

  4. Personalization will only help so much by scolby · · Score: 4, Insightful

    Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.

    In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.

  5. What bothers me is... by azav · · Score: 4, Insightful

    Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.

    If we are, why are we not hearing about it?

    I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.

    Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

    ??

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  6. Re:Where to draw the line on user ignorance? by Red+Flayer · · Score: 4, Insightful
    Are people so content with blind usability of their devices?
    Why yes, yes they are.

    To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."

    That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  7. A simple solution by GeorgeVW · · Score: 4, Insightful

    Enter a junk password at the 'login' page. If it lets you in, it's a phishing site trying to harvest your information.