Slashdot Mirror
10 Anti-Phishing Firefox Extensions
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
unfortunately it isnt, a lot of people ignore security measures designed to protect them from phishing. case in point, banks that used images/etc to show the authenticity of the website their customers use was largely ignored, few noticed it and similar studies show few have such security as one of their concerns. these extensions might have done good if people listened to them but the real fix for phishing is to educate people on ways to avoid going to the sites in the first place. typing in addresses instead of following links, paying attention to what comes after the tld and disabling javascript for starters.
Sigs are too short to say anything truly profound so read the above post instead.
Is my bloody brain and eye superfilter combo. With these, I don't need any stinking slow-me-down-even-further plugins.
ISO certified == THX certified
How much phishing can be prevented if people stop clicking on hyperlinks, and use copy-and-paste instead?
Virtual Betting on Facebook for non-geeks.
Or just upgrade to Firefox 2, which has the feature built in.
I think 'most' users would say "what the hell is phishing?" Only way to prevent phishing is to bring up a "Welcome to the internet, here are a few things you should know about before you go on: ... " splash screen when they open up their browser for the very first time.
Followed by another splash screen that says "If you ignored the previous information, you are now entering with the risk of doing something extremely stupid, would you like to bring up the Welcome screen again? [Yes] [Yes]"
"we've got trenchcoats and bad attitudes" - John Constantine, HellBlazer
Blacklists aren't really working any more. As with spam, where each spam message is now different, and as with viruses, where the smarter ones are different for each copy, the more advanced phishing sites now generate multiple sites, not just one site.
PhishTank is fooled by this. It assumes that a "phish site" is a unique URL. The phishing sites are now wise to that trick; many sites generate a new URL for each user, and some even generate a new domain. Current domains in PhishTank include "session-97701.nationalcity.com.userpro.io", "session-300962.nationalcity.com.userpro.io", "session-5489554.nationalcity.com.userpro.tw", "session-2721837.nationalcity.com.directories.io", etc. There are presumably many, many more that no user has reported yet. So the blacklist defense is failing.
It's thus too late for approaches based on manual detection. In the early days of spam, we all reported spam sites to SpamCop, which then blocked them. That stopped working years ago. The same has now happened for phishing sites.
The hard line approach is to implement something that prevents putting in credit card or bank information into forms unless the target page has a solid SSL certificate. (And not one those "Instant SSL - Domain Control Only Validated" cheapo certs that mean nothing, either.) It's getting harder to make even that work, with more and more Javascript processing going on in the browser. The browser may not be able to detect that the user is filling in a form.
We (SiteTruth), of course, are trying to promote the idea that you don't want to deal with a website unless the business behind the website can be clearly identified, so we do have a bias here. Nor do we have all the answers. But from the amount of activity in this area of security in the last month, it's becoming clear that some major tightening-up on business legitimacy on the web is needed.
"On the Internet, no one knows if you're a dog" just isn't good enough any more.
I can't wait for the top 10 'Top 10 Firefox Extension' list.
Did anyone else notice that all of the promoted extensions but the last one seem to be the work of commercial enterprises, and apparently tied in some way to their for-profit motives? Is it possible that the author or security-hacks.com got some perks or quid pro quo for the journalistic promotion of these extensions and the commercial entities behind them?
I'm often too skeptical for my own britches, but that also why I do in fact pay attention to my bank's "sitekey" and why I don't these products to avoid phishing attacks. All but the last one just seem to be trading one form of ignorance - of phishing - for another - of capitalism.
Most modern phising is done very professionally, and the pages totally mimic the real thing. I recently received a phising e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.
The "fix" against phising is a better authentication method.
For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6 digit PIN sent by SMS to the user, etc.
The whole approach attempting to eliminate phising by filtering webpages, making fancy browser plugings or stuff a lot of security-bloatware on the computers is essentially wrong. The only reason simple phising attacks work is because the authentication mechanism is way too simple.
Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.
Phising gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...
My security clearance is so high I have to kill myself if I remember I have it...
All of these anti-phishing tools are a waste of time. The real problem is educating users about safe computing practices.
People simply need to learn that you just don't click on a link in an unsolicited email supposedly from your bank, any more than you would deposit your paycheck into a newly opened bank branch in the nasty part of town, with shoddily painted signage and shifty-looking tellers.
98% of people can learn principles of safe computing. The remaining 2% are a lost cause. Instead of coddling people's ignorance, we should focus on education. Crooks are always going to be out there trying to take advantage of people. This problem is not going to go away or be solved by technological safeguards. It is counterproductive to devise and improve ways for people to continue ignorant, careless behaviour, "La la la, click on whatever links I see," download and run this, that and the next thing, rather than teaching them how to be careful about what code they run and where they type their password.
it's a blue bright blue Saturday hey hey
My brain features the Logic subroutine, which prevents me from falling for scams like phishing. This is a killer application; everyone should install it!