Sunday, April 09, 2006

Why phishing works. Even IT Pros get fooled.

I got "phished" a few weeks ago and bit the hook. Too early on a Saturday, I woke up, checked my email, and clicked on a link. It happened to me, and I can vouch for the feeling. I am an IT guy and I should know better. But the bottom line is, it happens, just like automobile accidents, when you least expect it and aren't paying attention.

Now some researchers, Rachna Dhamija at Harvard and J.D. Tygar and Marti Hearst at UC Berkeley, have published a document explaining why phishing works. Duuh!

The ten-page document (PDF) details a study that looks at today's standard security used with e-commerce websites. The authors conclude that existing browser measures are ineffective and suggest the need for alternative approaches.

The report also offers some alarming statistics about phishing. Phishing sites were able to fool 90% of participants, and the test group made mistakes an average of 40% of the time.

The paper should be taken as a wake-up call for browser makers and financial institutions. Two of the document's authors are the same ones who proposed the security skins Firefox extension in a previous paper (PDF).

This paper discusses security plug-ins for browsers that would make it more difficult for users to be fooled by phony web sites. One good tool is the eBay toolbar, regrettably only available for Internet Explorer, which I never use. Firefox is the only browser I will use.

One of the browser plugins for Firefox is SpoofStick. It allows users to instantly spot a bogus URL, and works with any web site, not just eBay and PayPal like the eBay toolbar. Another is the TrustWatch Search Extension for Firefox.
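As an added illustration of what a host-display toolbar like SpoofStick does (example code written for this post, not SpoofStick's or the eBay toolbar's code; the sample links are constructed), this shows the host a link really leads to and flags it when the visible link text names a different site:

```javascript
// Added example, not from the post or from SpoofStick: mimic what a
// host-display toolbar does. Show the host a link actually leads to, and
// flag it when the visible link text names a different site.

// Hostname the browser would actually connect to for `href`.
// Returns null when the string is not an absolute http(s) URL.
function realHost(href) {
  let u;
  try {
    u = new URL(href);
  } catch (e) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // The URL parser separates any "user@" part from the hostname, so text
  // placed before an "@" never ends up as the host.
  return u.hostname.toLowerCase();
}

// Registrable-domain heuristic: last two labels (www.example.com -> example.com).
// Good enough for this demo; real tools consult a public-suffix list.
function baseDomain(host) {
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

// Compare the site named in the visible link text with the real target host.
// Returns { host, claimed, suspicious } for a toolbar to display.
function checkLink(linkText, href) {
  const host = realHost(href);
  // Pull a domain-looking token out of the displayed text, if there is one.
  const m = linkText.toLowerCase().match(/([a-z0-9-]+\.)+[a-z]{2,}/);
  const claimed = m ? baseDomain(m[0]) : null;
  const suspicious =
    host === null || (claimed !== null && baseDomain(host) !== claimed);
  return { host, claimed, suspicious };
}

// Constructed sample links (hypothetical hosts, documentation IP range).
const samples = [
  ["https://www.paypal.com/", "https://www.paypal.com/cgi-bin/webscr"],
  ["www.paypal.com", "http://www.paypal.com@203.0.113.7/login"],
  ["Sign in to eBay (ebay.com)", "http://ebay.com.signin-example.net/"],
];
for (const [text, href] of samples) {
  console.log(text, "->", JSON.stringify(checkLink(text, href)));
}
```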

More Firefox security extensions can be found at the Mozilla web site.

Stay safe out there.
