Dealing with Phishing 168
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
PDF, Not Plugin Link (Score:5, Informative)
Re:Security Skin (Score:5, Informative)
http://office.microsoft.com/en-us/assistance/HA01
Half-azzed study (Score:3, Informative)
So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.
For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
Re:PDF, Not Plugin Link (Score:5, Informative)
Re:PDF, Not Plugin Link (Score:5, Informative)
Re:it doesnt help when (Score:3, Informative)
Re:Half-azzed study (Score:3, Informative)
In some cases BoA asks you a security question, but that's the same problem with that. Phishing site hits up BoA for the questions, gets the answer from you, and sends it back to BoA to retrive the image.
There is no plugin (Score:3, Informative)
Re:GMail's filters failing? (Score:3, Informative)
Capital One = Big Bad Evil of the financial world (Score:3, Informative)
(If you're curious as to the source of this info, check out Clark Howard's website - if you haven't heard of him, he has a talk radio show and a few books about personal finances)
Just an FYI
"Positive" authentication is not very useful (Score:2, Informative)
Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increasingly "locked down" web browsers, c) web site "reputation", and d) better anti-phishing protection in email services and software.
Companies like Cloudmark leverage a vast and very active user community to almost instantly detect and mitigate new phishing campgaigns. IronKey, founded by the president of the Anti-Phishing Working Group, is developing hardware tokens for authentication. IE7 and Firefox continue to improve their defenses against XSS attacks and the like. And there are good efforts underway to develop URL reputation systems that can help users avoid browsing sites that are dangerous.
Re:PDF, Not Plugin Link (Score:3, Informative)
Here's what she meant (Score:5, Informative)
E.g., let's say that you got your old mom to use Mozilla, so she has _both_ the coloured URL box _and_ the padlock on the status bar as indication that she's indeed at a secure site. I'll assume you've also educated her to carefully read the URL up there.
So noone can fool her now, right? I mean, right? Well, wrong. One attack method they used in that study was fake UI.
So let's say your mom now lands at some www.phishers-r-us.ru site pretending to be her bank. The site doesn't even use SSL or anything. How can that site spoof all those checks both up there in the browser's toolbar and down there on the status bar? Simple. Fake them.
So the site gives you a javascripted popup, requesting a window without those interface elements. But fakes them as
_That_ is the problem. Fake UI fools most users.
So the researcher's idea is basically, "I know, so let's encourage each user to skin their own UI." So let's say your mom has set her Mozilla UI to be brushed blue-hued metal, the colour for HTTPS URLs to be green, and the padlock icon to be replaced by a thumbs up icon. The fake UI site can't know that. So when they show her a page with the UI in the default colours and icons instead of hers, hopefully your mom will know that it's faked UI. It doesn't look like her other browser windows.
Now personally I think the idea isn't that great anyway, since (A) it requires users to actually do that, and I'll bet most will just click on the default theme and be done with it, and (B) because it's working around what I consider a fucking stupid mis-feature. IMHO there's no need to allow browser windows without an URL bar and without a status bar in the first place. In an age where those are the main (and often only) things that can warn you against such attacks, allowing a site to disable them is just stupid. So just disable the option to hide the UI and, voila, suddenly noone can fake that UI any more. It's that simple.
Re:All security features are targets for attack (Score:3, Informative)
Unfortunately, it's the latter. Though they do have several hundred images to choose from.
Plus there's another layer before phishers can retrieve your image based on your login name. If the site doesn't recognize your browser (via a cookie or set of cookies) it will ask a challenge/response question first, *then* it'll show you your chosen image and manually-entered caption. By default it will forget the browser, so if you trust a friend's computer or *shudder* an internet cafe with access to your banking site, you can use it once without it setting that cookie, or you can click a checkbox to have it recognize your browser next time and start with the image+phrase.
Once all that's done, *then* it asks for your password.
Re:Too easy to defeat. (Score:2, Informative)
Re:Here's what she meant (Score:2, Informative)
Of course, you still need to educate users about this feature. The idea that customized themes will help defeat these attacks still holds, though.
Re:Too easy to defeat. (Score:3, Informative)
Or would they? A notice on the top of the site saying that "to improve security, we've currently suspended personalised styles so everyone gets the default one" or "we're currently upgrading the personalised styles (to give you the next generation of smilies
Besides, there's the old adage that the average user will click whatever he or she thinks will let him get his task done quickest. They might think "hmm, the colours have changed" but that'll be quickly followed by "ahh, but there's the box I need to enter my details to log in".
Undoubtedly it'll help a little, but I reckon in the majority of cases colour change =/=> don't use this site.