Dealing with Phishing 168
Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla).
She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
PDF, Not Plugin Link (Score:5, Informative)
Re:PDF, Not Plugin Link (Score:5, Informative)
Re:PDF, Not Plugin Link (Score:5, Informative)
Re:PDF, Not Plugin Link (Score:2)
Re:PDF, Not Plugin Link (Score:2)
Re:PDF, Not Plugin Link (Score:3, Informative)
Re:PDF, Not Plugin Link (Score:3, Interesting)
I didn't see it the first time I reset firefox. I played with some of the settings, restarted Firefox again and it was working.
But after getting it working, it is a pretty neat addin.
Re:PDF, Not Plugin Link (Score:2)
Actually, if that's the fix, now that I think of it, it wouldn't be the first time. Greasemonkey didn't work until after two restarts.
There is no plugin (Score:3, Informative)
Unpredictable (Score:5, Insightful)
This will be the key when designing sites in the future.
Re:Unpredictable (Score:5, Funny)
(Of course, no one will ever be able to get anything done, but the geek factor would be impressive if you could actually make a 'musical protocols' plan work...)
Re:Unpredictable (Score:3, Funny)
Why does this remind me of FaceXpaces?
Re:Unpredictable (Score:2)
Re:Unpredictable (Score:3, Funny)
Can I pay you to never say that word again?
Re:Unpredictable (Score:2)
You mean sceneagers?
Of course you can pay me never ever to mention sceneagers again.
Lemme see...
1. Put sceneagers in your sig.
2. Demand money to remove them.
3. ??? (Obligatory)
4. Profit!!11threepluseight
Better than the bunny.
Re:Unpredictable (Score:2, Interesting)
Re:Unpredictable (Score:3, Interesting)
Re: (Score:2)
Re:Unpredictable (Score:3)
Yeah, you've seen examples of this before. If you're a Linux or Mac user, I'm sure you've seen pop-up windows or advertisements that feature the default Microsoft XP blue window manager colors with the red X for 'closing' the Window (which is just like a window.close statement)...
Re:Too easy to defeat. (Score:2, Insightful)
Re:Too easy to defeat. (Score:4, Insightful)
Re:Too easy to defeat. (Score:2, Informative)
Re:Too easy to defeat. (Score:3, Informative)
Or would they? A notice on the top of the site saying that "to improve security, we've currently suspended personalised styles so everyone gets the default one" or "we're currently upgrading the personalised styles (to give you the next generation of smilies ;))" (or something like that) would probably take a lot of people in. I mean, look at some of the scams going round today - "update your
Here's what she meant (Score:5, Informative)
E.g., let's say that you got your old mom to use Mozilla, so she has _both_ the coloured URL box _and_ the padlock on the status bar as indication that she's indeed at a secure site. I'll assume you've also educated her to carefully read the URL up there.
So noone can fool her now, right? I mean, right? Well, wrong. One attack method they used in that study was fake UI.
So let's say your mom now lands at some www.phishers-r-us.ru site pretending to be her bank. The site doesn't even use SSL or anything. How can that site spoof all those checks both up there in the browser's toolbar and down there on the status bar? Simple. Fake them.
So the site gives you a javascripted popup, requesting a window without those interface elements. But fakes them as
_That_ is the problem. Fake UI fools most users.
So the researcher's idea is basically, "I know, so let's encourage each user to skin their own UI." So let's say your mom has set her Mozilla UI to be brushed blue-hued metal, the colour for HTTPS URLs to be green, and the padlock icon to be replaced by a thumbs up icon. The fake UI site can't know that. So when they show her a page with the UI in the default colours and icons instead of hers, hopefully your mom will know that it's faked UI. It doesn't look like her other browser windows.
Now personally I think the idea isn't that great anyway, since (A) it requires users to actually do that, and I'll bet most will just click on the default theme and be done with it, and (B) because it's working around what I consider a fucking stupid mis-feature. IMHO there's no need to allow browser windows without an URL bar and without a status bar in the first place. In an age where those are the main (and often only) things that can warn you against such attacks, allowing a site to disable them is just stupid. So just disable the option to hide the UI and, voila, suddenly noone can fake that UI any more. It's that simple.
Re:Too easy to defeat. (Score:2)
That's silly. There are perfectly reasonable means to defeat phishing already available. [mozilla.org] All that's required is a trusted path to a trusted component which verifies one's relationship to the site (in other words, a visible section of screen that the phisher can't alter
Where to draw the line on user ignorance? (Score:2, Funny)
For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors", since logically only "female connectors" should work anyway. Now it
Re:Where to draw the line on user ignorance? (Score:3, Insightful)
Re:Where to draw the line on user ignorance? (Score:5, Insightful)
To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."
That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.
Re:Where to draw the line on user ignorance? (Score:5, Funny)
Greeks. You're thinking Greeks and boys.
Ancient Greeks that is, you know Sparta and catamites and all that. Your average modern Greek is a fairly religious fellow who frowns on that sort of thing (at least in public, unless there are no women left in the bar at closing time.)
The More You Know(tm)
Re:Where to draw the line on user ignorance? (Score:2)
Re:Where to draw the line on user ignorance? (Score:2)
For every one who really wants to know, there are a hundred who don't care/wouldn't understand anyway.
Re:Where to draw the line on user ignorance? (Score:2)
The line between common sense lies somewhere between here and LA County [wikipedia.org].
I'm just saying that with diversity industry going b
Re:Where to draw the line on user ignorance? (Score:5, Funny)
Not that theres anything wrong with that...
Security Skin (Score:3, Interesting)
Re:Security Skin (Score:5, Informative)
http://office.microsoft.com/en-us/assistance/HA01
Colors in UI (Score:2)
it doesnt help when (Score:5, Interesting)
Re:it doesnt help when (Score:5, Interesting)
And this, kids, is why you should never outsource your email.
In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.
(And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)
The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.
I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.
Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.
Re:it doesnt help when (Score:3, Informative)
Re:it doesnt help when (Score:2)
Re:it doesnt help when (Score:2)
The marketing dept. gets e-mail designs from spam (Score:4, Funny)
I swear that some marketing departments get their e-mail designs from looking at spam. I've have seen some legit corporate e-mails that look so close to previous phishing spam that you would think that they did it on purpose.
The only explanation that I can think of is that they see the phishing spam e-mail, think that it's from their own company, and then design new e-mails to look the same.
Doubt it? We're talking about the marketing department....
Capital One = Big Bad Evil of the financial world (Score:3, Informative)
(If
Re:it doesnt help when (Score:2)
But really banks have been compromising customer security to maximize profits for years. For instance, banks will license thier logo to third parties for advertise
Drive-by-downloads (Score:3, Interesting)
Mozilla, take note: (Score:5, Insightful)
Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!
The more you think you know... (Score:4, Interesting)
The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (propietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?
Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.
GMail's filters failing? (Score:5, Interesting)
Is google getting worse or are they getting better?
Re:GMail's filters failing? (Score:3, Informative)
Not really going to work (Score:5, Insightful)
The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.
Re:Not really going to work (Score:2)
The problem is that people are allowed to control a dangerous vehicle in public spaces without any form of training. Ineffective as they are, driving tests at least ensure that people
Bad analogy (Score:3, Interesting)
Re:Bad analogy (Score:2)
Re:Bad analogy (Score:2)
Re:Bad analogy (Score:2)
LightStep is a bad comparison (putting Linux on an ipod?). The right comparisons are ipod
socks, windows themes and color schemes (or the screensavers, etc. that they alreay listed).
Half-azzed study (Score:3, Informative)
So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.
For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.
Re:Half-azzed study (Score:3, Informative)
In some cases BoA asks you a security question, but that's the same problem with that. Phishing site hits up BoA for the quest
Re:Half-azzed study (Score:3, Insightful)
Re:Half-azzed study (Score:2)
Re:Half-azzed study (Score:3, Interesting)
BoA's servers haven't been touched yet, just the phisher's. Once the phisher recieves this info, they make a query to BoA's servers and input the info that you've given them (the username and state). BoA sees that you're logging in from a n
All security features are targets for attack (Score:2)
Do they let you upload your own picture, or do you select from a list of what they provide? If the latter, then the phishers know what the stock photos are. Say there are twenty of them. The phisher picks one. He may have eliminated 95% of the p
Re:All security features are targets for attack (Score:3, Informative)
Unfortunately, it's the latter. Though they do have several hundred images to choose from.
Plus there's another layer before phishers can retrieve your image based on your login name. If the site doesn't recognize your browser (via a cookie or set of cookies) it will ask a challenge/response question first, *then* it'll show you your chosen image and manually-entered caption. By default it will forget the browser, s
Re:Half-azzed study (Score:2)
Personalization will only help so much (Score:5, Insightful)
In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.
Re:Personalization will only help so much (Score:2, Insightful)
When someone goes fishin
What bothers me is... (Score:5, Insightful)
If we are, why are we not hearing about it?
I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.
Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?
??
Re:What bothers me is... (Score:2)
Breaking some knees might be more effective. Why? The Internet is the equivalant of the Wild West. Anything goes. Laws are a very sticky thing where virtual territory is concerned. Since the Internet is a vast largely unregualted affair, getting laws in action don't do much since there isn't a white suited sherriff with an ivory handled Colt walking around keeping the bad guys in line.
But then again, we all know what happened when someone tried to take the law in their own hands. Look at Blue Securi
Re:What bothers me is... (Score:2)
or tell the FCC that they're sending out pictures of boobies...
that'll get something done about it.
Obstacle to legal proceedings (Score:2)
Re:What bothers me is... (Score:3, Interesting)
By and large, these people are the mob. Russian organised crime is into spam and phishing in a big way, and several of the other groups are getting in on the action. And it's no easier to shut them down today than it was a hundred years ago. They're using bribery, blackmail, pressure on the government from their semi-legitimate sides, and all the other usual tricks. When some of them finally do get arrested, they're always sacrificial pa
Would skinning really help? (Score:2)
Oh, duh (Score:2)
Haha, "why phishing works" (Score:4, Insightful)
Smarter than your average bear (Score:3, Insightful)
Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.
There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."
Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.
Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.
Isn't it curious (Score:2)
IP-based Secure connections? (Score:3, Interesting)
Customization vs need (Score:2)
I find it interesting that those examples grew from technological necessity. We used to need screen savers because our ancient monitors would burn in the image otherwise. We needed changeable ringtones because everyone in a crowd would have to check their phone if one was heard ringing. Some of u
"Positive" authentication is not very useful (Score:2, Informative)
Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increas
Collaborative filtering works much better (Score:2, Interesting)
Educate, educate, and try to solve the issue (Score:2)
I think it is a interesting to see that researchers are trying to find ways to get Joe/Jane user to recognize that WYSINWYG with every website they visit. So maybe there are a few flaws in these folks' ideas... but they're trying to get education out (at least, on some level).
Educate yourself about the changing face of phishing. Help other folks by helping them understand phishing. Don't hesitate to try to find a way to reduce phishing.
Report phishing... if you can report it to the
Spoof Proof? (Score:4, Insightful)
We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.
Why no S/MIME? (Score:3, Interesting)
Mozilla Thunderbird does S/MIME. Mac OS X Mail does S/MIME. Lotus Notes does S/MIME. Even Microsoft Exchange does S/MIME.
Sure, it wouldn't solve the problem, but it would at least give clueful users a dead easy way to see if the e-mail was really likely to be from their bank.
While we're on the subject, when is Gmail going to support S/MIME?
Obvious, simple anti-phishing solution? (Score:5, Interesting)
When you create an account on a web site (your bank, ebay, paypal, your broker, whatever), you provide them with a username, password, and a whole bunch of information... why not have a field for "reverse-authentication string"?
Then every email they send to you, they include that string in the subject line.
e.g., if my reverse-auth string was "turkey", the email subject would say "Important message for user Jester99 from CapitalOne -- auth: turkey"
Then I know it's not a phish, because for phishers to have that word, they'd already have CapitalOne's database and I'd already be screwed. (And the odds of them accurately guessing your string are rather small, if you pick anything reasonably ambiguous and not "password") All you have to do is simply not click links that don't have the proper auth word in the subject.
Re:Obvious, simple anti-phishing solution? (Score:2)
Re:Obvious, simple anti-phishing solution? (Score:2)
But I was under the impression that most phishers were just using spam-style tactics to carpet bomb as many people with emails as possible. For them to subvert this mechanism via a MITM attack, they'd have to a) own a server that your data relayed through, b) parse the mail headers to determine if it's actually something they have a phish set up for, and c) maintain a database of e
Re:Obvious, simple anti-phishing solution? (Score:2)
of a bank. Not only do you then have the ability to target only actual customers when phishing
(yeah, um I totally forgot about my account with the Bank of Bangkok), but you get their
safewords too.
If you wanted to do something like the original idea, but slightly more convoluted, is to give
customers an OTP with strings to tick off as they receive "official notices" from the bank.
Granted, you could not (safely) autom
Custom email addresses (Score:3, Insightful)
Then every email they send to you, they include that string in the subject line.
You can actualy go one better today, without telling your bank what you are doing.
Give your bank a unique email address. Never use that email address for anything else.
The odds of getting a phish on that
Re:Custom email addresses (Score:2)
I tried to use that for filtering, and it worked -- for about a day. After that, mail to username+handle wasn't delivered to me anymore.
I'd use something like that for filtering but I can't
Re:Obvious, simple anti-phishing solution? (Score:3, Interesting)
Suddenly, they stopped doing this around March 2005. I haven't a clue why.
She? (Score:2, Funny)
A simple solution (Score:4, Insightful)
Re:A simple solution (Score:2)
Some obvious items overlooked in the study. (Score:3, Insightful)
FTA: Participants proved vulnerable across the board to phishing attacks. In our study, neither education, age, sex, previous experience, nor hours of computer use showed a statistically significant correlation with vulnerability to phishing.
No check for "familiarity with elementary principles of cryptography" giving a correlation. I suspect that anyone who recognize the significance of the names "Alice, Bob, and Eve" will probably be far less vulnerable than average.
I'll also note that while they claim: "There is no significant correlation between the score and the primary or secondary type of browser or operating systems used by participants", their breakdown of participants indicated no Linux users were studied. Of course, Linux users are a weirdo minority, but I would be curious.
Why phishing works (Score:2)
"Ohhh! A monkey is asking for my credit card number. That sounds reasonable and fair!"
There are those 'surveys' (many posted around slashdot) that want you to pick the phishing attempts.
Look at any major company- financial institutions, etc- they never send you e-mail. they never ask for your e-mail. You never get credit card info via e-mail.
This is where paypal went wrong- they depend on e-mail, and for anything that deals with money, there should never be an e-m
Re:Not so sure about the visit count being useful. (Score:2)
Even if the sit
Re:Not so sure about the visit count being useful. (Score:2)
If you program the browser to do something noxious if you go straight to a site and submit a form on your very first visit, you might get some value out of it. However, that might false positive too often to be useful; only trying it could tell.
Re:Not so sure about the visit count being useful. (Score:2)
I'm not even so sure about that. Customizable skins ar
Re:Not so sure about the visit count being useful. (Score:2)
And exactly that is the usefulness. Your average phishing site tries to impersonate a site you visit frequently, like ebay, paypal or your online banking. When the counter for such a site is suddenly much lower than you remember, something fishy is going on. If it's 0 or a low one-d
Re:Not so sure about the visit count being useful. (Score:2)
The last time you logged onto this web site was 3 days ago at 4:25 pm. You logged in from IP address 128.12.21.125, held by Verizon New York (This may be your ISP). Your currently logged in from IP address 43.12.65.23, held by AT&T Puerto Rico.
Re:Attack back with garbage userids and passwords (Score:4, Funny)
I like it. Maybe another little button like "mark as spam", but in this case it's "mark as phish". When you click "mark as phish" your e-mail plugin does the following:
1) Grabs the source for that page that is linked in the Phishing e-mail
2) Skims the HTML for input fields, generating junk data based on some simple algorithm
3) Submits/Posts the junk data to the address given in the HTML form.
Maybe while we're at it someone can create an "Eliza" like program that would be triggered with a "mark as 419 scam" that would maintain a threaded e-mail discussion with the scammer for weeks. This would keep them busy and prevent them from preying on all the low hanging fruit on the internet. Eat your heart out Turing!