Why Phishing Works 293
h0neyp0t writes "Harvard and Berkeley have released a study that shows why phishing attacks work (pdf). When asked if a phishing site was legit or a spoof, 23% of users use only the content of the website to make the decision! The majority of users ignore the address and SSL indicators in the browser. Some users think that favicons and lock icons in HTML are more important indicators. The paper hints that the proposed IE7 security indicators and multi-colored address bar will also suffer a similar fate. This study is brought to you by the people who developed the security skins Firefox extension."
Short answer (Score:5, Insightful)
Social engineering anyone? (Score:5, Insightful)
And this might be optimistic (Score:5, Insightful)
Humanity is doomed.
Not surprising (Score:5, Insightful)
It's like P.T. Barnum said, (Score:5, Insightful)
Don't get me wrong, I applaud these researchers and all other approaches to making the web a safer place, but in the end, at some point you have to trust that the user is going to take resposibility for their actions. The best we can do is bring the percentages down. The problem is it is so cheap to set up a phishing web site, that even if only one in several thousand potential targets fall for it, that's usually enough to ensure a profit.
I don't know which upsets me more... (Score:3, Insightful)
common sense, people! (Score:2, Insightful)
Geez, i would feel sorry for these duped people, but it's getting harder and harder to.
It's Always Going to Work (Score:5, Insightful)
To disrupt or completely stop this from happening is currently an impossible Herculean task.
Even netting one person can result in thousands of dollars worth of damages. If one in every one million phishing works, of course they'll keep doing it.
Re:Short answer (Score:5, Insightful)
In the end, people may end up needing strong authentication tokens. When you go to the bank, you'll present your token so they know it's you. When you sign up for a new account, you'll get that account added to your token. And, when you hit a phishing web site, your token will light up and say "UNKNOWN WEB SITE".
And it could work both ways. If you use an ATM in a seedy bar, you could even ask your token to identify the legitimacy of the ATM.
The disadvantage, of course, is either a plethora of tokens (one per account) or every Tom, Dick and Harry shop wanting to use your token for marketing and tracking purposes.
Why phishing works (Score:1, Insightful)
Including the ones who needed to do a study to figure that out.
Re:Short answer (Score:4, Insightful)
I'd agree on the concept, but the actual cause is different. The actual reason is because people believe that the word gullible is not in the dictionary.
Recently, there was an "employment agency" that sent out paper forms to applicants which were to be filled out and mailed in with a $20 cheque for a processing fee. The forms included sections for the Social Insurance Number, Driver's License number, DOB, mother's Maiden name, and other information not normally used by employers.
Their intent was to obtain credit cards from banks with the applicant's personal information - hence, they used four different company names. The good news was that they were raided.
Re:Why phishing works (Score:3, Insightful)
It works because a lot of people are idiots.
Not idiots, but ignorant people who don't care and don't want to know how the technology works that they use.
Tux2000
The problem goes right down to the SSL layer (Score:5, Insightful)
For Anti-Phishing to work it needs a UI with support right down into the SSL layer.
Currently it's next to impossible to diferentiate things on the web. It's the great equalizer, and as we are finding, it makes things *too* equal. You are on equal footing with a bank when trying to convince people to enter finantial information. We need a bit more structure, a few more checks and balances.
Nonsense (Score:2, Insightful)
Con-artists are older than recorded time. Snake-oil salesmen, crooked used-car lots, (snail) mail scams and their ilk are likely at least as prevalent even in our quasi-"Information Age".
How many educated people have bought a lemon? I've known otherwise educated, extremely intelligent college-educated (students and grads alike) who've done this. Perhaps everyone should be fully educated about the hazards of auto-buying, phishing web-sites and maybe get a medical degree for proper evaluation of physicians while they're at it.
The answer is not pamphlets and FAQs. If anything these "easy answers" only propogate the problem of people being too damn trusting. Seek your own understanding.
Re:Short answer (Score:4, Insightful)
In the paper, one guy was very paranoid. He opened a second browser window, and typed the site name by hand, and did comparisons. Even he got one wrong. Phishing is a very, very hard problem to solve.
I think the point is that, since you can copy verbatim the HTML of a web site, it is trivial to create an identical copy of any site. So, trying to look for similarities and differences between the sites is a pointless exercise.
The real way to avoid being stung by phishing scams is to know that emails from anyone asking for personal or private information, passwords, credit card numbers etc. are almost certainly fake.
Re:DRTFA (Score:1, Insightful)
..and because most banks and such organizations still don't make any effort to authenticate their emails. That would go a long way towards making people more suspicious towards emails without a little key icon in the mailreader, asking them for their firstborn in exchange for continued onlinebanking availablity or such..
I don't get it, it's well inside major organization's capabilities to push for easily usable GPG or S/MIME support in email clients and webmail interfaces, yet they don't seem to be interested. Are they actually interested in having their customers spammed?
Re:Why phishing works (Score:3, Insightful)
Otherwise known as "idiots."
I mean, really. If you fall into that category, what distinguishes you from a monkey pressing a lever?
On a long enough timeline of exposure to different situations in life we are all idiots by your criteria, instead of just being ignorant of a particular situation. Idiot has a connotation of being mentally retarded and unable to improve where being ignorant is a lack of education or knowledge.
I would not call you an idiot for being unable to descern the two terms; just ignorant - if you can't grasp this after the knowledge parted with you then you may well be an idiot. Hope this helps!
Re:I thought I did once... (Score:5, Insightful)
It's a complete failure of the financial institution to realize they are creating situations where it is incredibly easy to teach bad habits.
They should not be sending emails with links in them at all. (Better yet, no emails not already contained in the online banking web site where the user is already logged in.)
So a HUGE portion of this problem is there _are_ legit emails that go out where there should be NONE.
It's a little like teaching your cute little 14 year old girl with the budding boobies that all guys really do love and respect them and are all christians and tell the truth especially if they are 40 or older and have their own van. Yeah it may be true most of the time but the concequences sure are high.
A little paranoia is a GOOD THING.
A bank expecting the average user to differentiate between good emails and bad emails is just stupid, stupid, stupid. They should KNOW better. There should be flat laws against it and the problem would go away overnight.
Re:The Blind Squirrel (Score:5, Insightful)
I try to ask as few questions as possible. Users often don't want options, just action, and the ability to undo the action after it has happened.
Re:The Blind Squirrel (Score:5, Insightful)
When I ask why, they always respond that they're not sure what to do.
When presented with a Yes/No/Cancel with 3 sentences in it, they just press enter without reading, because it's either too complicated or because it doesn't seem important. (It's just a popup box that asks a question I don't understand... but if I hit enter it goes away and I don't have to decide).
Incidentally, I partially blame all those InstallShield things that have the front screen with 3 paragraphs of text and a next button when there's really no meaningful information on the page, and nothing to do except click next to start installing the program (or cancel if you ran the installer by mistake)
From the UI side, however, I think that while OK boxes and Yes/No boxes are great, I think that OK/Cancel and Yes/No/Cancel boxes are heavily overused... If you want to ask a question where Yes/No isn't the answer, you should probably roll your own so that the buttons can be *descriptive*
Re:In defense of the clueless (Score:2, Insightful)
General Motors doesn't have a "help line" for people who don't know how to drive, because people don't buy cars like they buy computers -- but imagine if they did . . .
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "I got in my car and closed the door, and nothing happened!"
HELPLINE: "Did you put the key in the ignition slot and turn it?"
CUSTOMER: "What's an ignition?"
HELPLINE: "It's a starter motor that draws current from your battery and turns over the engine."
CUSTOMER: "Ignition? Motor? Battery? Engine? How come I have to know all of these technical terms just to use my car?"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "My car ran fine for a week, and now it won't go anywhere!"
HELPLINE: "Is the gas tank empty?"
CUSTOMER: "Huh? How do I know?"
HELPLINE: "There's a little guage on the front panel, with a needle, and markings from 'E' to 'F.' Where is the needle pointing?"
CUSTOMER: "It's pointing to 'E.' What does that mean?"
HELPLINE: "It means that you have to visit a gasoline vendor, and purchase some more gasoline. You can install it yourself, or pay the vendor to install it for you."
CUSTOMER: "What!? I paid $12,000 for this car! Now you tell me that I have to keep buying more components? I want a car that comes with everything built in!"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Your car sucks!"
HELPLINE: "What's wrong?"
CUSTOMER: "It crashed, that's what went wrong!"
HELPLINE: "What were you doing?"
CUSTOMER: "I wanted to run faster, so I pushed the accelerator pedal all the way to the floor. It worked for a while, and then it crashed -- and now it won't start!"
HELPLINE: "It's your responsibility if you misuse the product. What do you expect us to do about it?"
CUSTOMER: "I want you to send me one of the latest versions that doesn't crash anymore!"
HELPLINE: "General Motors Helpline, how can I help you?"
CUSTOMER: "Hi! I just bought my first car, and I chose your car because it has automatic transmission, cruise control, power steering, power brakes, and power door locks."
HELPLINE: "Thanks for buying our car. How can I help you?"
CUSTOMER: "How do I work it?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "Do I know how to what?"
HELPLINE: "Do you know how to drive?"
CUSTOMER: "I'm not a technical person! I just want to go places in my car!"
Re:Nonsense (Score:3, Insightful)
Phishing is a whole new level. Crooks have instant access to *millions* of targets. Email is free. Bandwidth is cheap (or free, if you have a zombie mailing for you. And it's easy to register at offshore hosting providers, making the odds of ever being prosecuted minimal.
Take this with the knowledge that most people believe *everything* they hear on the internet if the source sounds authentic enough. I can't count the number 'urban legend' emails I get every week from friends that have been forwarded dozens of times to hundreds of people.
I fear that we have entered an "International Golden age of Fraud". It isn't going to go away.
Re:Short answer (Score:3, Insightful)
Way OT now, but when I was in high school, an A was 86%, and in math and most sciences, homework counted for 10% of my grade. I was so cocky I was able to still get an A without doing any homework.
Fucked me up in University though haha...
Re:Short answer (Score:1, Insightful)
Back in 1993, when my parents first got us an AOL account, I encountered IM phishers rather quickly. I didn't know what to do - they were saying there was a problem with the account, and they needed the password. I didn't know my password - my parents typed it in for me to regulate my time on the Internet. I semi-freaked out and called my mom in. And she of course didn't know any better, either, and she gave out my account's password.
We had been hooked.
Luckily, my account was not the primary account (or even a master account), and they couldn't get any billing information over the phone or anything else.
Of course, all of this was 13 years ago, before phishing was a major issue, and certainly before the sophistication of today had arisen. But the point is that there is a certain assumption that everyone who gains access to the Internet is instantly tech-savvy when that's not the case.
Slashdot people need to educate other people about being safe on the Internet, and not just on Slashdot or on forums. You need to explain to your parents, to your siblings, your friends, your co-workers - you can not assume they know anything about password security, file permissions, or any of the other "web basics." You must drill them on it constantly, ask them if they've received anything suspicious lately, send them as many (valid) warnings about viruses and phishing attempts as you can.
You have to tell the people who trust you to trust what you say, and make no exceptions. That's the only way to prevent this sort of security: stop it among the people you can get to listen to you. Educate them, and tell them to educate other people. Security needs to be passed around like a meme.
Re:The Blind Squirrel (Score:4, Insightful)
The solution for that is to always make a "save" choice per default, and then allow the user to change the choice with a nonmodal, nonblocking dialog.
If the user does not want to change anything, no action is required.
Like in firefox
"this site requires additional addons, click here to install them" displayed on top of the page (and not in a dialog box).
Re:Short answer (Score:3, Insightful)
Phishers encounter an incredibly favorable ecosystem out there, with a high density of ignorant fools with credit cards, many of them quite ready to shell out money for herbal viagra, or to help the niece of Charles Taylor get her fortune out of Nepal. No wonder phishers strive like this.
(Yeah, I know it's not Nepal)