Slashdot Mirror


Watered Down Phishing Protection In IPhone OS 3.1?

CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."

10 of 98 comments

  1. Far Less than OS X by neonprimetime · · Score: 4, Insightful

    It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all.

    The iPhone in general contains far less than what is provided in OS X, so this doesn't come as a surprise to me.

    Now, whether or not iPhone 3.1 phishing protection is a big oversight on Apple's part is another discussion, and a worthy one at that.

    1. Re:Far Less than OS X by Hurricane78 · · Score: 4, Insightful

      The iPhone in general contains far less than what is provided in a real smartphone, so this doesn't come as a surprise to me.

      There, fixed that for ya!

      *ducks*

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  2. I've got built-in phishing protection. by jtownatpunk.net · · Score: 5, Insightful

    It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.

    Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

    1. Re:I've got built-in phishing protection. by bFusion · · Score: 4, Funny

      If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

    2. Re:I've got built-in phishing protection. by stokessd · · Score: 3, Informative

      It's not frickin' rocket science.

      Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

      The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-synchromesh manual transmission, hunting, fabricating arrow points, etc.). It's much easier to foam-rubber-coat the world than to try to make "people" smarter (see modern playgrounds for freshly instantiated "people").

      Sheldon

    3. Re:I've got built-in phishing protection. by Tom · · Score: 3, Insightful

      Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

      Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.

      --
      Assorted stuff I do sometimes: Lemuria.org
    4. Re:I've got built-in phishing protection. by sakdoctor · · Score: 5, Funny

      My Nigerian company, in a joint venture with a Russian company, actually sells an anti-stupid product.
      It really works, and it's available to buy TODAY!

      http://shop1337.youscam.ru/darwin/get_smart_stupid

    5. Re:I've got built-in phishing protection. by cadeon · · Score: 4, Funny

      we should make people less stupid.

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based (X) demographic

      approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Phishers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      (X) It is defenseless against brute force attacks
      (X) It will stop phishing for two weeks and then we'll be stuck with it
      (X) Users don't want to be educated
      (X) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from phishers
      (X) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      (X) Lack of centrally controlling authority for information
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      (X) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      ( ) Huge existing software investment in SMTP
      ( ) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      (X) Extreme profitability of phishing
      ( ) Joe jobs and/or identity theft
      (X) Technically illiterate politicians
      (X) Extreme stupidity on the part of people who do business with spammers
      (X) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      (X) Outlook

      and the following philosophical objections may also apply:

      (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      (X) Accessibility
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      (X) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      (X) Why should we have to trust you and your information?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      (X) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      ( ) Sorry dude, but I don't think it would work.
      (X) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  3. Re:Snap judgements by Monkeedude1212 · · Score: 3, Informative

    He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.

  4. He didn't do his research. by nneonneo · · Score: 4, Interesting

    I followed the same steps as outlined in TFA: download the verified online phishing list, pick a few URLs and load each into MobileSafari.

    The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google).

    So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.