Why Phishing Works
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
While ISPs learn to block... (Score:5, Informative)
As bosses would say "It's a win-win!"
In defense of the clueless (Score:2, Informative)
Few have a clue about its tumblers and other doodads and geegaws.
How many understand how a car works? "Yeah, I know how it works, you put the key in and turn it, then you drive away."
A certified Ford mechanic knows about the car's crankshaft, cylinders, pistons, fuel injectors, all the other components and how they're put together as well as you and I know how a PC and TCP/IP work.
You shouldn't have to know the physics of the expanding gases in the cylinder driving the pistons (and how the valves work etc.) to drive a car.
We, the nerd community, are to blame for failing to deliver something as simple as a web browser that works as easily as a door lock or a car.
And the banking industry itself should be educating the public about phishing. I get tons of mail from my bank telling me about its whiz-bang web based banking, but nary a word about phishing.
How is Average Joe supposed to know this stuff?
As to Taylor, he claims 22 years tech experience, so the man deserves more ridicule than we can possibly heap on him.
Phishing works, no argument but... (Score:2, Informative)
However, with regard to TFA, I have some doubts about their data. First, they use *only* 22 participants, which is a horribly low number. They give no background information of how they chose them. It could have just been 22 of their friends that they could con into playing with some web pages.
Also, there are no controls with regard to the web pages. I didn't see (in the page list) two pages that would look identical and be either spoofed or real. This, to me, would be an important piece of information to support their conclusions. I personally would have had two identical web pages shown with only the browser security indicators changing. This would come a lot closer to showing whether people either ignore or watch those things.
It's not that I disagree with their findings, it's just it would be a lot more believable with more people and a proper writeup of the makeup of such a group. You can't get a truly random group of people, but with larger numbers you can get closer.
Re:It's Always Going to Work (Score:5, Informative)
supposedly reputable financial institutions.
For example I received an email purporting to be from American Express,
one of the links in it was of the form that showed
https://www.americanexpress.com/messagecenter,
however it actually pointed to
http://www65.americanexpress.com/clicktrk/Trackin
i.e. it purported to be a secure link, but actually was not.
It piped the request through another (insecure) URL.
I sent it on to American Express's phishing people, and got only an
automatic reply.
Finally I phoned American Express Customer service who assured me that it was real,
on the basis that they did actually send out emails like that. (!!!!)
It showed all the hallmarks of a phishing email, and yet ultimately was genuine.
How I am ever going to explain to Aunt Mary what signs to look out for
in phishing emails, while the real financial institutions send out
stuff like this, I don't know.
You're right, it is a Herculean task.
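The mismatch described in the comment above (link text showing an https URL while the href points at a plain-http tracking host) can be checked mechanically before a user ever sees the mail. This is an added example, not code from the study or from any poster; it assumes a mail gateway or client hands it the HTML body, and the sample uses example.com in place of the real domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """Return (href, text, reasons) for anchors whose visible text is a URL that disagrees
    with the href: 'scheme-downgrade' (https shown, http used), 'host-mismatch' (other host)."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        shown, real = urlparse(text), urlparse(href)
        if shown.scheme not in ("http", "https") or not shown.hostname:
            continue  # visible text is not a URL, so there is nothing to compare
        reasons = []
        if shown.scheme == "https" and real.scheme == "http":
            reasons.append("scheme-downgrade")
        if (real.hostname or "").lower() != shown.hostname.lower():
            reasons.append("host-mismatch")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on the comment's email; example.com stands in for the real host.
SAMPLE_EMAIL = """<p>Visit your message center:
<a href="http://www65.example.com/clicktrk/Tracking?u=abc">https://www.example.com/messagecenter</a></p>
<p>Or <a href="https://www.example.com/login">https://www.example.com/login</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in link_findings(SAMPLE_EMAIL):
        print(f"{text} -> {href}: {', '.join(reasons)}")
```

Only anchors whose visible text is itself a URL are compared; a link labelled "click here" gives the reader nothing to check against, so it is left to other filters.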