Dealing with Phishing

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
  • PDF, Not Plugin Link (Score:5, Informative)

    by christopherfinke ( 608750 ) <chris@efinke.com> on Wednesday June 28, 2006 @12:08PM (#15621690) Homepage Journal
    Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).
  • Re:Security Skin (Score:5, Informative)

    by DrSkwid ( 118965 ) on Wednesday June 28, 2006 @12:17PM (#15621760) Journal
    Certain colors have common associations in society, such as red with warning or green with go. Use these color associations to illustrate your point, but proceed with caution, because these associations can differ depending on the nationality of the audience.

    http://office.microsoft.com/en-us/assistance/HA010120721033.aspx [microsoft.com]
  • Half-azzed study (Score:3, Informative)

    by Jonboy X ( 319895 ) <jonathan.oexnerNO@SPAMalum.wpi.edu> on Wednesday June 28, 2006 @12:26PM (#15621848) Journal
    From TFA:
    We conducted a usability study where we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why...Our participant population was highly educated, consisting of staff and students at a university. The minimum level of education was a bachelor's degree. Our population was also more knowledgeable than average, because they were told that spoofed websites were in the test set. They were also more motivated than the average user would be, because their task in the study was to identify websites as legitimate or not.


    So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.

    For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
  • by aymanh ( 892834 ) on Wednesday June 28, 2006 @12:32PM (#15621901) Journal
    This is why I use the TargetAlert [mozilla.org] Firefox extension; it adds icons next to links indicating the files or effects they lead to.
  • by aymanh ( 892834 ) on Wednesday June 28, 2006 @12:47PM (#15622028) Journal
    By the way, I've just noticed that the version available at Mozilla Add-Ons isn't compatible with Firefox 1.5; however, the one available at the author's homepage [bolinfest.com] is. Sorry for that.
  • by MindStalker ( 22827 ) <mindstalker@[ ]il.com ['gma' in gap]> on Wednesday June 28, 2006 @12:47PM (#15622032) Journal
    I don't know about you, but all my Capital One emails link to email.capitalone.com. You're getting screwed :)
  • Re:Half-azzed study (Score:3, Informative)

    by Zardus ( 464755 ) <yans@yancomm.net> on Wednesday June 28, 2006 @12:52PM (#15622062) Homepage Journal
    See, the BoA approach always confused me. By the time you see that picture you've already entered your login ID, and your login ID is all it takes to see that picture. Now, if the phishing site already knows that ID (since there is no picture or anything to prevent you from entering it at this point), why can't the phishing site just hit up BoA for that picture and present it to you?

    In some cases BoA asks you a security question, but that has the same problem. The phishing site hits up BoA for the questions, gets the answer from you, and sends it back to BoA to retrieve the image.
  • There is no plugin (Score:3, Informative)

    by lorcha ( 464930 ) on Wednesday June 28, 2006 @12:54PM (#15622082)
    It has not yet been released. From TFA:

    When do you plan to release the securityskins plugin?

    Rachna Dhamija: Currently, we have a prototype of the interface developed in Mozilla XUL, which we are improving based on feedback from our studies. Mozilla turned out to be a good prototyping tool, and allows us to rapidly iterate through interface ideas. A number of organizations have expressed interest in adopting security skins, and we have started development of an extension that can be released to the public. So stay tuned!

  • by Penguin Programmer ( 241752 ) on Wednesday June 28, 2006 @01:07PM (#15622207) Homepage
    Google's filter (like any good spam filter) is adaptive. Spammers/phishers figure out a way to get their stuff through, a bunch of people mark it as spam/phishing and the filter learns that those messages are spam/phishing. You'll probably see the exact same messages hitting your spam box in a couple weeks.
  • by MattHawk ( 215818 ) on Wednesday June 28, 2006 @01:10PM (#15622233) Homepage
    Admittedly off-topic, but you might want to look into ditching any Capital One credit cards you have. They've been using a somewhat questionable reporting practice recently of only telling the reporting agencies how much you have on your card, rather than the amount you have and your maximum. The credit agencies, with only the one number, assume it to be both your current limit and the amount you're using - in other words, that you're using 100% of your credit. This can really screw your credit score.

    (If you're curious as to the source of this info, check out Clark Howard's website - if you haven't heard of him, he has a talk radio show and a few books about personal finances)

    Just an FYI :)
  • by ttul ( 193303 ) on Wednesday June 28, 2006 @01:17PM (#15622288) Homepage
    End users cannot distinguish well between legitimate sites and phishing sites. Adding in sugar such as the date of the user's last login is helpful only as a positive reminder that the user is on the right site. It's better than nothing, but not by a factor of 10.

    Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increasingly "locked down" web browsers, c) web site "reputation", and d) better anti-phishing protection in email services and software.

    Companies like Cloudmark leverage a vast and very active user community to almost instantly detect and mitigate new phishing campaigns. IronKey, founded by the president of the Anti-Phishing Working Group, is developing hardware tokens for authentication. IE7 and Firefox continue to improve their defenses against XSS attacks and the like. And there are good efforts underway to develop URL reputation systems that can help users avoid browsing sites that are dangerous.
  • by Mister Whirly ( 964219 ) on Wednesday June 28, 2006 @01:50PM (#15622583) Homepage
    Firefox 1.5.0.4 - works just fine after restarting...
  • by Moraelin ( 679338 ) on Wednesday June 28, 2006 @01:56PM (#15622632) Journal
    Lots of people here seem to assume that somehow the skins are for the web site, or overriding CSS elements, or whatever, which is just not the case. What she was talking about with those skins is: fake UI. Nothing more, nothing less.

    E.g., let's say that you got your old mom to use Mozilla, so she has _both_ the coloured URL box _and_ the padlock on the status bar as indication that she's indeed at a secure site. I'll assume you've also educated her to carefully read the URL up there.

    So no one can fool her now, right? I mean, right? Well, wrong. One attack method they used in that study was fake UI.

    So let's say your mom now lands at some www.phishers-r-us.ru site pretending to be her bank. The site doesn't even use SSL or anything. How can that site spoof all those checks both up there in the browser's toolbar and down there on the status bar? Simple. Fake them.

    So the site gives you a javascripted popup, requesting a window without those interface elements. But fakes them as .gif images in the page itself. The page is, say, a frame set with three horizontal frames: one at the top, with a faked toolbar and URL bar (with the correct URL of the bank in that .gif, and correctly colour coded as if it were Mozilla saying it's HTTPS), the login page in the middle, and a faked status bar at the bottom (complete with the padlock icon telling you it's secure.)

    _That_ is the problem. Fake UI fools most users.

    So the researcher's idea is basically, "I know, so let's encourage each user to skin their own UI." So let's say your mom has set her Mozilla UI to be brushed blue-hued metal, the colour for HTTPS URLs to be green, and the padlock icon to be replaced by a thumbs up icon. The fake UI site can't know that. So when they show her a page with the UI in the default colours and icons instead of hers, hopefully your mom will know that it's faked UI. It doesn't look like her other browser windows.

    Now personally I think the idea isn't that great anyway, since (A) it requires users to actually do that, and I'll bet most will just click on the default theme and be done with it, and (B) because it's working around what I consider a fucking stupid mis-feature. IMHO there's no need to allow browser windows without a URL bar and without a status bar in the first place. In an age where those are the main (and often only) things that can warn you against such attacks, allowing a site to disable them is just stupid. So just disable the option to hide the UI and, voila, suddenly no one can fake that UI any more. It's that simple.
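The lockdown the parent comment argues for can be checked in a Firefox profile: the added example below (not from the thread or from the Dynamic Security Skins project) parses a prefs.js/user.js file and reports which of the `dom.disable_window_open_feature.*` about:config preferences are missing or still allow a page to open a window without the URL bar, status bar, toolbar or menu bar. The preference names are real Firefox keys; the sample file content is constructed for the example.

```javascript
// Added example: audit a Firefox prefs file for the preferences that stop
// pages from opening windows without the location (URL) bar and status bar.
// Preference names are real Firefox about:config keys; the sample prefs text
// further down is constructed for this example.
const REQUIRED_PREFS = {
  "dom.disable_window_open_feature.location": true, // page cannot hide the URL bar
  "dom.disable_window_open_feature.status": true,   // page cannot hide the status bar
  "dom.disable_window_open_feature.toolbar": true,  // page cannot hide the toolbar
  "dom.disable_window_open_feature.menubar": true,  // page cannot hide the menu bar
};

// Parse user_pref("name", value); lines into a map. Prefs files only hold
// booleans, integers and double-quoted strings.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs[m[1]] = raw === "true";
    else if (raw.startsWith('"')) prefs[m[1]] = raw.slice(1, -1);
    else prefs[m[1]] = parseInt(raw, 10);
  }
  return prefs;
}

// Return the lockdown prefs that are absent or not set to the required value.
// An empty list means the profile forbids chrome-less popups.
function auditWindowFeatureLockdown(text) {
  const prefs = parsePrefs(text);
  return Object.entries(REQUIRED_PREFS)
    .filter(([name, want]) => prefs[name] !== want)
    .map(([name]) => name);
}

// Emit the user.js lines that would fix each finding.
function remediationLines(findings) {
  return findings.map((name) => `user_pref("${name}", ${REQUIRED_PREFS[name]});`);
}

// Constructed sample: this profile still lets popups hide the URL bar.
const SAMPLE_PREFS = `
user_pref("dom.disable_window_open_feature.location", false);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("browser.startup.homepage", "about:blank");
`;

console.log(remediationLines(auditWindowFeatureLockdown(SAMPLE_PREFS)).join("\n"));
```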
  • by Kelson ( 129150 ) * on Wednesday June 28, 2006 @02:02PM (#15622697) Homepage Journal
    Do they let you upload your own picture, or do you select from a list of what they provide?

    Unfortunately, it's the latter. Though they do have several hundred images to choose from.

    Plus there's another layer before phishers can retrieve your image based on your login name. If the site doesn't recognize your browser (via a cookie or set of cookies) it will ask a challenge/response question first, *then* it'll show you your chosen image and manually-entered caption. By default it will forget the browser, so if you trust a friend's computer or *shudder* an internet cafe with access to your banking site, you can use it once without it setting that cookie, or you can click a checkbox to have it recognize your browser next time and start with the image+phrase.

    Once all that's done, *then* it asks for your password.
  • by SheeEttin ( 899897 ) <sheeettin@nosPam.gmail.com> on Wednesday June 28, 2006 @05:50PM (#15624316) Homepage
    We're sorry, but we've lost your site customization settings. You can go to Preferences to re-set them. In other words, yeah right.
  • by stony3k ( 709718 ) <stony3k@@@gmail...com> on Wednesday June 28, 2006 @10:16PM (#15625423) Homepage
    Actually, in Firefox, you cannot disable the bar at the bottom via javascript, and for secure sites, it shows the domain name (like addons.mozilla.org). This is enough to defeat phishing attacks as described in the parent post.

    Of course, you still need to educate users about this feature. The idea that customized themes will help defeat these attacks still holds, though.
  • by dtsazza ( 956120 ) on Thursday June 29, 2006 @08:05AM (#15626903)
    The user would go to the phishing site and hopefully realize something's wrong when everything looks different.

    Or would they? A notice on the top of the site saying that "to improve security, we've currently suspended personalised styles so everyone gets the default one" or "we're currently upgrading the personalised styles (to give you the next generation of smilies ;))" (or something like that) would probably take a lot of people in. I mean, look at some of the scams going round today - "update your security details", "your email address has won an email lottery", etc. I'm sure the hackers that host these sites could come up with some plausible, techie (and thus impervious to most people) 'excuse' for changing the colours.

    Besides, there's the old adage that the average user will click whatever he or she thinks will let him get his task done quickest. They might think "hmm, the colours have changed" but that'll be quickly followed by "ahh, but there's the box I need to enter my details to log in".

    Undoubtedly it'll help a little, but I reckon in the majority of cases colour change =/=> don't use this site.