Watered Down Phishing Protection In IPhone OS 3.1?

← Back to Stories (view on slashdot.org)

Watered Down Phishing Protection In IPhone OS 3.1?

Posted by CmdrTaco on Thursday September 10, 2009 @03:27AM from the i-feel-better-already dept.

CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."

19 of 98 comments (clear)

Min score:

Reason:

Sort:

Far Less than OS X by neonprimetime · 2009-09-10 03:41 · Score: 4, Insightful

It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all.

the iphone in general contains far less than what is provided in OS X so this doesn't come as a surprise to me.

now, whether or not iphone 3.1 phishing protection is a big oversite on apple's part is another discussion and a worthy one at that
1. Re:Far Less than OS X by Hurricane78 · 2009-09-10 03:55 · Score: 4, Insightful
  
  the iphone in general contains far less than what is provided in a real smartphone so this doesn't come as a surprise to me.
  There, fixed that for ya!
  *ducks*
  
  --
  Any sufficiently advanced intelligence is indistinguishable from stupidity.
2. Re:Far Less than OS X by Monkeedude1212 · 2009-09-10 04:54 · Score: 2, Insightful
  
  The difference between Windows Mobile not having phishing filters and the IPhone not having phishing filters is that Windows Mobile never at any point gave you an illusion of protection.
  If you haven't been trained on basic internet usage - its VERY easy to fall for phishing attempts. We've been browsing the net for years now, and all it takes is someone who says "You can pay your bills online" for someone to try and google how to do it on their own and then fall into a trap.
  I'd say Cross Server Scripting has gotten the best of at least half my friends. Fortunately most of them didn't have any valuable information.
3. Re:Far Less than OS X by MobileTatsu-NJG · 2009-09-10 05:36 · Score: 2, Funny
  
  To be fair, do any phones offer anti-phishing on the device?
  Do users of any other phone need it?
  Oh, come on. Web browsing on other phones isn't that bad.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Slight catch in that last sentence by The+Ancients · 2009-09-10 03:50 · Score: 2, Insightful

FTA:
If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.
If anyone from Apple does comment, we'll not know for sure as they'll not be able to identify themselves sufficiently. As such, everything we do see will just be guesses. Some may make sense and quite probably be right, but who knows...

--
The Mothership
I've got built-in phishing protection. by jtownatpunk.net · 2009-09-10 03:57 · Score: 5, Insightful

It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.
Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
1. Re:I've got built-in phishing protection. by bFusion · 2009-09-10 04:06 · Score: 4, Funny
  
  If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.
2. Re:I've got built-in phishing protection. by stokessd · 2009-09-10 04:14 · Score: 3, Informative
  
  It's not frickin' rocket science.
  Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
  The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-syncromesh manual transmission, hunting, fabricating arrow points, etc). It's much easier to foam rubber coat the world, than to try to make "people" smarter (See modern playgrounds for freshly instantiated "people").
  Sheldon
3. Re:I've got built-in phishing protection. by Tom · 2009-09-10 04:23 · Score: 3, Insightful
  
  Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
  Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.
  
  --
  Assorted stuff I do sometimes: Lemuria.org
4. Re:I've got built-in phishing protection. by Anonymous Coward · 2009-09-10 04:27 · Score: 2, Funny
  
  You think making people less stupid is easier??
  Please excuse me while I clean up the drink I just snarfed all over my laptop!
5. Re:I've got built-in phishing protection. by sakdoctor · 2009-09-10 04:30 · Score: 5, Funny
  
  My Nigerian company, in a Joint venture with a Russian company, actually sells an anti-stupid product.
  It really works, and it's available to buy TODAY!
  http://shop1337.youscam.ru/darwin/get_smart_stupid
6. Re:I've got built-in phishing protection. by greyline · 2009-09-10 04:52 · Score: 2, Funny
  
  I think so many people tried to visit your site, it went down. Can I just post my information here for your product?
7. Re:I've got built-in phishing protection. by cadeon · 2009-09-10 04:56 · Score: 4, Funny
  
  we should make people less stupid.
  Your post advocates a
  ( ) technical ( ) legislative ( ) market-based (X) demographic
  approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
  ( ) Phishers can easily use it to harvest email addresses
  ( ) Mailing lists and other legitimate email uses would be affected
  ( ) No one will be able to find the guy or collect the money
  (X) It is defenseless against brute force attacks
  (X) It will stop phishing for two weeks and then we'll be stuck with it
  (X) Users don't want to be educated
  (X) Microsoft will not put up with it
  ( ) The police will not put up with it
  ( ) Requires too much cooperation from phishers
  (X) Requires immediate total cooperation from everybody at once
  ( ) Many email users cannot afford to lose business or alienate potential employers
  Specifically, your plan fails to account for
  ( ) Laws expressly prohibiting it
  (X) Lack of centrally controlling authority for information
  ( ) Open relays in foreign countries
  ( ) Ease of searching tiny alphanumeric address space of all email addresses
  (X) Asshats
  ( ) Jurisdictional problems
  ( ) Unpopularity of weird new taxes
  ( ) Public reluctance to accept weird new forms of money
  ( ) Huge existing software investment in SMTP
  ( ) Susceptibility of protocols other than SMTP to attack
  ( ) Willingness of users to install OS patches received by email
  ( ) Armies of worm riddled broadband-connected Windows boxes
  ( ) Eternal arms race involved in all filtering approaches
  (X) Extreme profitability of phishing
  ( ) Joe jobs and/or identity theft
  (X) Technically illiterate politicians
  (X) Extreme stupidity on the part of people who do business with spammers
  (X) Dishonesty on the part of spammers themselves
  ( ) Bandwidth costs that are unaffected by client filtering
  (X) Outlook
  and the following philosophical objections may also apply:
  (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
  (X) Accessibility
  ( ) SMTP headers should not be the subject of legislation
  ( ) Blacklists suck
  ( ) Whitelists suck
  ( ) We should be able to talk about Viagra without being censored
  ( ) Countermeasures should not involve wire fraud or credit card fraud
  ( ) Countermeasures should not involve sabotage of public networks
  (X) Countermeasures must work if phased in gradually
  ( ) Sending email should be free
  (X) Why should we have to trust you and your information?
  ( ) Incompatiblity with open source or open source licenses
  ( ) Feel-good measures do nothing to solve the problem
  ( ) Temporary/one-time email addresses are cumbersome
  ( ) I don't want the government reading my email
  (X) Killing them that way is not slow and painful enough
  Furthermore, this is what I think about you:
  ( ) Sorry dude, but I don't think it would work.
  (X) This is a stupid idea, and you're a stupid person for suggesting it.
  ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
8. Re:I've got built-in phishing protection. by MobileTatsu-NJG · 2009-09-10 05:38 · Score: 2, Insightful
  
  Instead of putting all this effort into anti-phishing technology, we should make people less stupid.
  You can make people less ignorant, but there is no way to make them less stupid.
  You know, it's funny, chicks look at our fashion sense the same way we look at their understanding of the internet.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
9. Re:I've got built-in phishing protection. by johndiii · 2009-09-10 05:55 · Score: 2, Insightful
  
  I agree with your point about no protection not being the best protection, but I don't think that the statistics that you cite demonstrate the point that you are trying to make. The notion that motorcycle crashes in general have a greater incidence of fatality means that behavior that causes crashes will correlate better with motorcycle fatalities than with passenger vehicle fatalities.
  A more meaningful number would be something like the number of crashes per vehicle mile. Or perhaps the number of injury-producing crashes per vehicle mile. Even then, a conclusion might be slippery, because motorcycles do not tend to get into minor accidents like parking lot fender-benders, but even a minor motorcycle accident is more likely to produce an injury than a passenger car accident.
  
  --
  Floating face-down in a river of regret...and thoughts of you...
10. Re:I've got built-in phishing protection. by amoeba1911 · 2009-09-10 07:07 · Score: 2, Insightful
  
  The day you invent anti-stupid technology, the stupid will get stupider.
I RTFA by mcgrew · 2009-09-10 04:05 · Score: 2, Insightful

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

--
Free Martian Whores!
Re:Snap judgements by Monkeedude1212 · 2009-09-10 04:57 · Score: 3, Informative

He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.
He didn't do his research. by nneonneo · 2009-09-10 05:44 · Score: 4, Interesting

I followed the same steps as outlined in TFA: download the verified online phishing list, pick a few URLs and load each into MobileSafari.

The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google.

So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.