Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Dealing with Phishing

CmdrTaco posted about 8 years ago | from the god-i-wish-someone-would dept.

168

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

cancel ×

168 comments

frist post (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15621651)

frist post

Re:frist post (-1, Troll)

Anonymous Coward | about 8 years ago | (#15622160)

prist fost

PDF, Not Plugin Link (4, Informative)

christopherfinke (608750) | about 8 years ago | (#15621690)

Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).

Re:PDF, Not Plugin Link (5, Informative)

aymanh (892834) | about 8 years ago | (#15621901)

This is why I use the TargetAlert [mozilla.org] Firefox extension, it adds icons next to links indicating the files or effects they lead to.

Re:PDF, Not Plugin Link (5, Informative)

aymanh (892834) | about 8 years ago | (#15622028)

By the way, I've just noticed that the version available at Mozilla Add-Ons isn't compatible with Firefox 1.5, however, the one available at the author's homepage [bolinfest.com] is, sorry for that.

Re:PDF, Not Plugin Link (1)

drinkypoo (153816) | about 8 years ago | (#15622108)

I just installed on 1.5.0.4/win and it doesn't work. At all. I sent the author an email already.

Re:PDF, Not Plugin Link (1)

Tony Hoyle (11698) | about 8 years ago | (#15622249)

Yeah.. completely nonfunctional on 1.5.0.4 here.

Re:PDF, Not Plugin Link (2, Interesting)

johnkoer (163434) | about 8 years ago | (#15622266)

Did you configure it?

I didn't see it the first time I reset firefox. I played with some of the settings, restarted Firefox again and it was working.

But after getting it working, it is a pretty neat addin.

Re:PDF, Not Plugin Link (1)

drinkypoo (153816) | about 8 years ago | (#15622327)

Well, I haven't restarted firefox twice yet. Maybe I'll try that :P

Actually, if that's the fix, now that I think of it, it wouldn't be the first time. Greasemonkey didn't work until after two restarts.

Re:PDF, Not Plugin Link (1)

utopianfiat (774016) | about 8 years ago | (#15622436)

works on 1.5.0.2/Vista!

"look before you leap"?? (0)

Anonymous Coward | about 8 years ago | (#15621993)

on the other hand, looking at the status bar while hovering over the link will show what's at the link. well, it works in mozilla and firefox; i wouldn't know about that "intarweb expoiter" thing ..

There is no plugin (2, Informative)

lorcha (464930) | about 8 years ago | (#15622082)

It has not yet been released. From TFA:
When do you plan to release the securityskins plugin?


Rachna Dhamija: Currently, we have a prototype of the interface developed in Mozilla XUL, which we are improving based on feedback from our studies. Mozilla turned out to be a good prototyping tool, and allows us to rapidly iterate through interface ideas. A number of organizations have expressed interest in adopting security skins, and we have started development of an extension that can be released to the public. So stay tuned!

Unpredictable (4, Insightful)

neonprimetime (528653) | about 8 years ago | (#15621717)

The only thing an attacker can't simulate is an interface he can't predict.

This will be the key when designing sites in the future.

Re:Unpredictable (4, Funny)

Penguinisto (415985) | about 8 years ago | (#15621786)

...coming soon! a ubersecure site that uses Arcnet for its internal network and a small IPX/SPX DMZ! Then every odd week, we switch it all to AppleTalk internally and Banyan VINES in the DMZ - they'll never see it coming!

(Of course, no one will ever be able to get anything done, but the geek factor would be impressive if you could actually make a 'musical protocols' plan work...)

/P

Re:Unpredictable (2, Funny)

cp.tar (871488) | about 8 years ago | (#15622102)

Why does this remind me of FaceXpaces?

Re:Unpredictable (1)

MrSquirrel (976630) | about 8 years ago | (#15621879)

So... should we look to sceneagers' (scenester teenagers) myspace pages for some examples? The future of web design!!!... it hurts my eyes :(

Re:Unpredictable (4, Funny)

OurCompliments (888002) | about 8 years ago | (#15621952)

sceneagers

Can I pay you to never say that word again?

Re:Unpredictable (1)

cp.tar (871488) | about 8 years ago | (#15622019)

You mean sceneagers?

Of course you can pay me never ever to mention sceneagers again.

Lemme see...

1. Put sceneagers in your sig.
2. Demand money to remove them.
3. ??? (Obligatory)
4. Profit!!11threepluseight

Better than the bunny.

Re:Unpredictable (2, Interesting)

curecollector (957211) | about 8 years ago | (#15621947)

Some sites have started to adopt a similar approach, albeit not to such an extent. Bank of America, for example, asks for your login on their front page, which then forwards you to a separate page, displaying a user-selected icon (chosen from maybe 20 choices, if memory serves), and then asking for your password. Still, it's not perfect as your account number/login is typically your ATM/debit card number...

Too easy to defeat. (1, Insightful)

khasim (1285) | about 8 years ago | (#15622012)

To defeat this, the attacker just needs to correctly copy the bank's page (or whatever). Images, style sheets, etc.

No matter what the user does to his/her browser, the bank's page will be displayed with the same mod's as the phishing page. If you over-mod your browser, then the bank's page will look weird anyway and this can make phishing even easier.

She had a good idea in showing how many times you had already visited that page ... which works until there is a way to fake that display.

The only way to really defeat phishing is to only use the web interface to start a transaction or to view information ... and require that the bank call the customer at the customer's phone number and verify that the transaction is authorized.

Re:Too easy to defeat. (2, Insightful)

Anonymous Coward | about 8 years ago | (#15622140)

I think you miss the point. The idea isn't to mod the bank site, but for the individual to mod his/her own interface to the bank site. Bank of America is doing this -- you select a personal image. When you login to their site, the login page displays the image your selected. If you don't see the correct image, you know its a phishing attempt. This is still a user education issue, but at least it helps.

Re:Too easy to defeat. (1)

UbuntuDupe (970646) | about 8 years ago | (#15622362)

She had a good idea in showing how many times you had already visited that page ... which works until there is a way to fake that display.

You know, that reminds me of something I, I mean someone I know, did on the MMORPG Second Life. Basically, he wanted to spoof other players' statements, i.e., make it look like someone else was saying something of his choice. The text would appear on the screen in the format:

[character name]:[what they're saying]

All of that appears in white text.

In Second Life, you can also make objects, and have them talk. It will have the same format, except the object name instead of character name will appear. And, of course, as a "security" feature, they made all non-player-character objects' text appear green, so you could tell if it was a fake.

But then my friend got wise. He made an object named after someone else. Then he had the object say, "Hey guys, this is neat, you can make your text appear green." and then "I totally did't know you could have text appear green like this!" Then he started making the "compromising" statements, and people geniunely believed the character he was spoofing said it.

Long story short, having a "standard" format like you described isn't going to do much against phishing. Like you said, people can always "step outside the system" and make their fake site have things resembling your security features, and the people who tend to be fooled by phishing won't know it's something the phisher added.

Re:Too easy to defeat. (1)

general scruff (938598) | about 8 years ago | (#15622469)

I can see a super easy way to defeat the 'You've been here before' feature. Just set the phishing page to reload 5-10 times before it completely loads. Now, the address has been "Visited" quite a bit, and you're none the wiser.

Re:Too easy to defeat. (3, Insightful)

Daverd (641119) | about 8 years ago | (#15622483)

Say the website in question allows you to pick from several different stylesheets, and this selection gets stored as a cookie on the user's machine. Whenever the user goes back to that page, it shows up in the style they've chosen. Then there's no way for the phisher to simulate that, because cookies can't be shared between domains. The user would go to the phishing site and hopefully realize something's wrong when everything looks different.

Re:Too easy to defeat. (1)

t0tAl_mElTd0wN (905880) | about 8 years ago | (#15622525)

I think what they meant is that a user can customize their style of the actual site. For instance: if I, Mr. Joe Sixpack Compn00b, followed a link from an email to "PayPal", which was actually some phisher's site, I might notice that this style is blue and white rather than my personalized Purple and Cyan (Joe Sixpack Compn00b has no artistic style)

Re:Unpredictable (1)

wordsofwisedumb (957054) | about 8 years ago | (#15622466)

The only thing an attacker can't simulate is an interface he can't predict. This will be the key when designing sites in the future.

That explains this:

Readers should note that the "Dynamic Security Skins" link goes to a PDF, not a plugin (as I expected).

Where to draw the line on user ignorance? (2, Funny)

PrescriptionWarning (932687) | about 8 years ago | (#15621722)

I can agree that while something like this could help those who are not knowledgable about such things in the digital world, I wonder if perhaps we should be taking steps back to make sure people actually stay informed of such dangers.

For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors", since logically only "female connectors" should work anyway. Now its no real sweat off my back, but it made me think where is the line between common sense and ignorance?

Re:Where to draw the line on user ignorance? (3, Insightful)

PrescriptionWarning (932687) | about 8 years ago | (#15621751)

To go a slight step further minutes after posting this, does it seem like more and more programs are doing things for us, perhaps without our knowledge? I take for example Xbox 360 games updater: it tells you there's an update, you update it while looking at a little progress bar, and then its done and you play the game again. I for one really want to know what updates there were, at least the significant ones. It would be nice to know if a certain bug that plagued me before was fixed, or if content was added/changed so I can proceed to take advantage of it.

Are people so content with blind usability of their devices?

Re:Where to draw the line on user ignorance? (4, Insightful)

Red Flayer (890720) | about 8 years ago | (#15621917)

Are people so content with blind usability of their devices?
Why yes, yes they are.

To most users out there, their devices are just blackbox tools. As long as the output is what's expected, they could care less what the updates are doing, or what their device is doing. Note that this is very much what software/hardware companies aim for -- "it just works."

That's how you separate the geeks from the boys (not with a crowbar, as has been joked) -- who wants to know what's going on there (and is willing to spend the time to find out), and who is content just playing their game.

Re:Where to draw the line on user ignorance? (4, Funny)

spun (1352) | about 8 years ago | (#15622027)

That's how you separate the geeks from the boys (not with a crowbar, as has been joked)

Greeks. You're thinking Greeks and boys.

Ancient Greeks that is, you know Sparta and catamites and all that. Your average modern Greek is a fairly religious fellow who frowns on that sort of thing (at least in public, unless there are no women left in the bar at closing time.)

The More You Know(tm)

Re:Where to draw the line on user ignorance? (1)

Red Flayer (890720) | about 8 years ago | (#15622098)

Whoooooosh. :)

Re:Where to draw the line on user ignorance? (1)

WilliamSChips (793741) | about 8 years ago | (#15622348)

You can do it with a crowbar as well. The geeks are the ones thinking of Gordon Freeman.

Re:Where to draw the line on user ignorance? (1)

Bob3141592 (225638) | about 8 years ago | (#15622023)

I for one really want to know what updates there were,

For every one who really wants to know, there are a hundred who don't care/wouldn't understand anyway.

Re:Where to draw the line on user ignorance? (1)

Tackhead (54550) | about 8 years ago | (#15621866)

> For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors", since logically only "female connectors" should work anyway. Now its no real sweat off my back, but it made me think where is the line between common sense and ignorance?

The line between common sense lies somewhere between here and LA County [wikipedia.org] .

I'm just saying that with diversity industry going ballistic over the use of terms like "master" and "slave" in the context of IDE channels, you're pushing it when you use terms like "male" and "female" connectors... and you're really putting your contract on the line (anywhere other than Texas or Utah) when you not only use the terms "male" and "female", but actively attempt to design systems in which male connectors "don't get matched up with other male connectors".

In terms of user ignorance, there's truly no point in trying to educate anymore.

Re:Where to draw the line on user ignorance? (4, Funny)

dr_dank (472072) | about 8 years ago | (#15622399)

For example, I'm creating the front-end for an application and one of the requests was that we build in such things as making sure "male connectors" on parts don't get matched up with other "male connectors"

Not that theres anything wrong with that...

Security Skin (2, Interesting)

christopherfinke (608750) | about 8 years ago | (#15621726)

Looking through the PDF linked, I see that the plugin uses some visual hashes as browser backgrounds in trusted situations, but I wonder if there is an anti-phishing extension that would alter the color of the main background of the browser chrome for possible phishing sites. For example, a light-green would be trusted, but variations through a fire-engine red would indicate a possible phishing attempt.

Re:Security Skin (4, Informative)

DrSkwid (118965) | about 8 years ago | (#15621760)

Certain colors have common associations in society, such as red with warning or green with go. Use these color associations to illustrate your point, but proceed with caution, because these associations can differ depending on the nationality of the audience.

http://office.microsoft.com/en-us/assistance/HA010 120721033.aspx [microsoft.com]

Re:Security Skin (0, Funny)

Anonymous Coward | about 8 years ago | (#15621855)

From your f****** MSFT link above...

Was this information helpful? Yes, No, I don't know

I clicked on "I don't know" ...
and it asked me ... "What are you trying to do?" ...
and I entered "I don't know" ...
and it responded ... "We appreciate your feedback."

Thank you Microsoft.

it doesnt help when (5, Interesting)

future assassin (639396) | about 8 years ago | (#15621757)

legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

Capital One(R)--what's in your wallet?(R)

Your Capital One statement is ready.

RE: Your account ending in 0000

Your current Capital One statement is now available for viewing online. Simply log in to Online Account Services and click the My Statement tab.

Log in now at http://capitalone.bfi0.com/ [bfi0.com]

Is all your information reaching you?

To help ensure this time-sensitive message reaches your inbox each month, add the Capital One address that appears in the "From" line above to your electronic address book. This is especially important if you or your service provider use e-mail filters.

Use our web site as a resource for information and to access a variety of consumer lending products and special services. Add http://capitalone.bfi0.com/ [bfi0.com] to your bookmarks, so you can come back easily and often.

Thanks for using Capital One's Online Account Services.

Important Information from Capital One

This e-mail was sent to me@mydomains.com and contains information directly related to your account with us, other services to which you have subscribed, and/or any application you may have submitted.

The site may be unavailable during normal weekly maintenance or due to unforeseen circumstances.

Capital One and its service providers are committed to providing meaningful privacy protection for their customers. To protect your privacy, please do not send sensitive account information through e-mail. For information on our privacy policy or how to contact us, please visit our web site at http://capitalone.bfi0.com/ [bfi0.com]

If you are not a Capital One customer and believe you received this message in error, please notify us by responding to this e-mail.

Re:it doesnt help when (5, Interesting)

Tackhead (54550) | about 8 years ago | (#15621974)

> legit companies send out emails like this and confuse customers. This is from Capital One I got yesterday. Didn't open it at first cause of the url and domain. > bfi0.com Turns out it legit and Capital one uses Bigfoot as their mail server.

And this, kids, is why you should never outsource your email.

In some small way, I may have helped. Back in the dark ages, my broker did this -- outsourced some of their customer communications to the m0.net (Digital Impact) mainsleaze spamhaus. I wrote 'em a very sharply worded letter to the effect that if they couldn't run something as simple as a mail server, why should I have any faith that they were any more capable of running the web servers that handled my trading requests.

(And what is it with the meta-rule, which seems to be that any domain ending in 0.com or 0.net, is a mainsleaze spammer. m0.net, bfi0.com, and I'm sure there are more out there...)

The letter also included some of the other spew (honest-to-God spam, as opposed to ostensibly solicited customer communications from an organization with which I had an ongoing business relationship) I'd gotten through m0.net, and explained that as a result, I'd pre-emptively marked all mail originating from that domain as "spam", and that my broker was lucky that I periodically checked my filtered spam to see if any false positives had leaked through.

I wasn't the only customer to flame them, because a year or so later, I noticed that my broker was able to email me again, and that they were doing so from a mail server in a netblock owned by them, and with proper DNS registration.

Now that Capital One is in the process of digesting North Fork Bancorp, perhaps both COF and NFB executives could do with a little similar education. My broker got a polite snail-mail flame because it was 1999 and they had an excuse for not knowing any better. There's no excuse in 2006.

Re:it doesnt help when (1, Funny)

Anonymous Coward | about 8 years ago | (#15622003)

Well, I guess we know what's in your wallet.

Re:it doesnt help when (0)

Anonymous Coward | about 8 years ago | (#15622011)

I've seen this kind of stupidity from several sites, including Capital One. I complained to them about it (as well as several unrelated, but equally stupid interface issues). I might as well have been talking to a brick wall. They don't get it.

I responded by taking my business elsewhere. So long, Capital One.

Re:it doesnt help when (2, Informative)

MindStalker (22827) | about 8 years ago | (#15622032)

I don't know about you but all my capitalone emails link to email.capitalone.com your getting screwed :)

Re:it doesnt help when (1)

xenocide2 (231786) | about 8 years ago | (#15622057)

And it's so legit it now gives a blank page to firefox.

Re:it doesnt help when (1)

tedhiltonhead (654502) | about 8 years ago | (#15622126)

Capital One, and everyone else, should either links to the company's known homepage, or to an https:/// [https] address. This way, the end-user can easily verify the link's legitimacy. There is no reason for Capital One to send their e-mails' links through the bfi0.com domain.

The marketing dept. gets e-mail designs from spam (3, Funny)

vinn01 (178295) | about 8 years ago | (#15622174)


I swear that some marketing departments get their e-mail designs from looking at spam. I've have seen some legit corporate e-mails that look so close to previous phishing spam that you would think that they did it on purpose.

The only explanation that I can think of is that they see the phishing spam e-mail, think that it's from their own company, and then design new e-mails to look the same.

Doubt it? We're talking about the marketing department....

Capital One = Big Bad Evil of the financial world (3, Informative)

MattHawk (215818) | about 8 years ago | (#15622233)

Admittedly off-topic, but you might want to look into ditching any CapitalOne credit cards you have. They've been using a somewhat questionable reporting practice recently of only telling how much you have on your card to the reporting agencies, rather then the amount you have and your maximum. The credit agencies, with only the one number, assumes it to be both your current limit and the amount you're using - in other words, that you're using 100% of your credit. This can really screw your credit score.

(If you're curious as to the source of this info, check out Clark Howard's website - if you haven't heard of him, he has a talk radio show and a few books about personal finances)

Just an FYI :)

Drive-by-downloads (3, Interesting)

Itninja (937614) | about 8 years ago | (#15621768)

So this may help one realized that they are not on the actual Paypal/Citibank/Ebay site, and they can leave before they enter their personal information. But many phishing sites have already done their damage by that time, via a drive-by-download; install all forms of malware and spyware in just a few seconds.

Mozilla, take note: (4, Insightful)

The MAZZTer (911996) | about 8 years ago | (#15621791)

for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.

Hey, this is a really really good idea. Microsoft, Opera Team, and Mozilla should take note!

The more you think you know... (4, Interesting)

Lord of Hyphens (975895) | about 8 years ago | (#15621793)

Good interview, bringing up sound points on the vulnerability of users to electronic attacks. Social Engineering (aka BSing the operator) has been around forever as a valuable tool in any attacker's arsenal.

The problem with a security-minded addon is, most appropriately, whether or not a user will bother to employ it. I can see multiple websites deploying the server side of DSS, but I can see all but a small niche of users not installing the client side, instead relying on their own (generally wrong) assumption that they don't need it. And how long until Microsoft implements its own (propietary, closed-source) 'solution'? How long until it's on and enabled by default on the majority browser? Even then, are we (the idiot users) going to pay attention to the glaring signposts or allow ourselves to be fooled?

Only time will tell, I think... and yet I still believe that Social Engineering (and Reverse Social Engineering) are going to be with us on the electronic environment forever.

GMail's filters failing? (5, Interesting)

DAldredge (2353) | about 8 years ago | (#15621798)

Over the past 3 or so weeks I have noticed that the number of phishing emails coming to my slashdot email account that are not caught by the spam filter have increased about 300%.

Is google getting worse or are they getting better?

Re:GMail's filters failing? (1)

winnabago (949419) | about 8 years ago | (#15621943)

I thought GMail used a social network based filter (flagging) in addition to traditional methods, where spam/phish that was marked by enough users was weeded out for the rest of us. Perhaps you are among the first on certain mass mailing lists and aren't benefitting?

Re:GMail's filters failing? (1, Funny)

Anonymous Coward | about 8 years ago | (#15622009)

Me too, and not just English spam... I get it in Spanish, Japanese, and Chinese. Sometimes, they come with nice pictures. One of the Chinese ones was for a $400, 6" long dildo...

At least thats what I think it was. It looked like a dildo, and it said 6" and $400.

I also get lots of 419s, but never any from Nigeria.

Re:GMail's filters failing? (2, Informative)

Penguin Programmer (241752) | about 8 years ago | (#15622207)

Google's filter (like any good spam filter) is adaptive. Spammers/phishers figure out a way to get their stuff through, a bunch of people mark it as spam/phishing and the filter learns that those messages are spam/phishing. You'll probably see the exact same messages hitting your spam box in a couple weeks.

Not really going to work (5, Insightful)

Jimmy King (828214) | about 8 years ago | (#15621800)

While this may sound like a good idea at first, why would it work? The majority of people who would know about such a feature, especially if it's a third party downloadable plugin, and then make use of it, are not generally going to be the type of people to be fooled by phishing attempts and unable to recognize the basic things tested for in this study. On top of that, given most people's understanding of computers and the internet and web, I feel pretty safe saying that if your average person was using such a tool and then loaded a phishing site, their thought would not be "oh, this must be a phishing site" it would be "oh, my skin didn't load for some reason." and then probably continue on.

The problem is not a lack of tools out there. The problem is a lack of understanding. We've got millions of people who don't understand the basics of computers on a public, anonymous, worldwide network who are essentially network/server administrators, as far their home pc is concerned. To make it worse, most people not only don't understand, but don't want to understand.

Re:Not really going to work (1)

iso (87585) | about 8 years ago | (#15621830)

A knoweledgable person could install this on friend/relative's computer you realize.

Re:Not really going to work (1)

Jimmy King (828214) | about 8 years ago | (#15621923)

And then do you think that friend/family member is going to make use of it after it's installed? Do you think that if they even notice the website did not load with their skin, it will stop them from continuing? You have a good bit more faith in the general population than I do if you think they will. These are the same people that open random attachments after having been told not to thousands of times, don't look at the url in websites after being told to or possibly don't even know to, and run XP with an administrator account. I don't see any reason to think that one more tool available to them, which they probably don't understand how it works to start with, is going to make a difference.

Awareness is more important (1, Insightful)

Anonymous Coward | about 8 years ago | (#15621803)

It seems obvious from this article that teaching people about computer scams and making them aware of tricks such as phishing is the only way to foil these types of attacks. The phishing sites in the study didn't even use technological foolery, yet they still managed to fool most of the users. This shows that no amount of advanced anti-phishing technology in the browser will help more than simple education and very obvious cues that a site could be faked. Popups and dialog boxes don't work because in modern computing they have become somewhat of a false alarm - a dialog box warns you of something and you close it immediately because it is irrelevant. The only way to really utilize the browser's anti-phishing technology is to have a very visible notice that a site could be faked, such as putting a big notice right in front of the page, etc. Fundamentally, phishing is a form of social engineering combined with technological tricks, and the social aspect of the problem must be approached to help solve the problem.

Bad analogy (3, Interesting)

KerberosKing (801657) | about 8 years ago | (#15621835)

The thought that an average user will personalize their web interface like they personalize their celll phone doesn't fly with me. If that were true, we would see copies of Tweak UI on a lot more wintel boxes. Everyday people would be replacing the explorer shell with LightStep. I don't see that happening. About the most personalization I have seen is people putting up a picture of their girlfriend or baby up as desktop wallpaper. Geeks use custom tools, but most geeks are savvy enough about phishing to not fall for it.

Re:Bad analogy (1)

maxwell demon (590494) | about 8 years ago | (#15622047)

Moreover personalized web pages can only start after you logged in (because only then the server will know whose personalized look it shall display). But at that time, you already have typed your password or PIN.

Half-azzed study (2, Informative)

Jonboy X (319895) | about 8 years ago | (#15621848)

From TFA:
We conducted a usability study where we showed 22 participants 20 web sites and asked them to determine which ones were fraudulent, and why...Our participant population was highly educated, consisting of staff and students at a university. The minimum level of education was a bachelor's degree. Our population was also more knowledgeable than average, because they were told that spoofed websites were in the test set. They were also more motivated than the average user would be, because their task in the study was to identify websites as legitimate or not.


So the "study" is a little lame, and irrelevant to the main point of the article: promoting his new SecuritySkins plugin. The idea is that it's harder for websites to spoof browser features if everyone's browser looks different.

For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.

Re:Half-azzed study (2, Informative)

Zardus (464755) | about 8 years ago | (#15622062)

See, the BoA approach always confused me. By the time you see that picture you've already entered your login ID, and your login ID is all it takes to see that picture. Now, if the phishing site already knows that ID (since there is no picture or anything to prevent you from entering it at this point), why can't the phishing site just hit up BoA for that picture and present it to you?

In some cases BoA asks you a security question, but that's the same problem with that. Phishing site hits up BoA for the questions, gets the answer from you, and sends it back to BoA to retrive the image.

Re:Half-azzed study (2, Insightful)

maxwell demon (590494) | about 8 years ago | (#15622184)

Hmmmm ... thinking along those lines, the phishing site could just be a proxy forwarding everything to the legitimate site and back, but just storing the interesting data like passwords.

All security features are targets for attack (1)

Bob3141592 (225638) | about 8 years ago | (#15622145)

For the record, this idea isn't new. Bank of America has been letting users select a personalized image on their login page for a while now. If the image on the login page doesn't match yours, it didn't come from your bank and you shouldn't enter your password there.

Do they let you upload your own picture, or do you select from a list of what they provide? If the latter, then the phishers know what the stock photos are. Say there are twenty of them. The phisher picks one. He may have eliminated 95% of the people he sends his bogus pages to, but he's just gained a ton of credibility with the remaining 5%. That might be worthwhile for him.

Personalization will only help so much (4, Insightful)

scolby (838499) | about 8 years ago | (#15621878)

Phishers will still be able to fool those who are susceptible to email phishing attacks. In the example where a user chooses his or her personal image as a security feature, all a phisher has to do is send out spam requesting that the user either change his image or upload a new one, with a link to the site that will snag that information. Then it's a simple matter of sending out another email prompting the user to log in, with a link to a page displaying that stolen image.

In the end, it's more important to educate users than it is to circumvent their stupidity with technology - there's always a way around things.

Re:Personalization will only help so much (2, Insightful)

Anonymous Coward | about 8 years ago | (#15622046)

It's true there is always a way around things, and though the example with the image selection that Bank of America uses (and similar implementations at a handful of other financial institutions) is not completely foolproof, it significantly more secure than a financial institution that does not use such a system. BofA and the other banks know this - Phishers are more likely to target the customers of a bank that hasn't re-educated its userbase on their new login will work, and why.

When someone goes fishing, they don't target a specific fish in the pond. They throw the same cheap bait everywhere, and whatever bites get caught. In order for the image technique that BofA uses to be foiled (and believe me - I'm not BofA fan - sorry to keep using that as THE example, because it's not), it seems a phisher would have to spend more energy/resources/whathaveyou coming up with ways to target specific people. Instead of comparing it to fishing, it would be more like hunting/stalking - which takes lots more effort. It seems it would significantly cut down on the quantity of victims - assuming quantity is what phishers are going for.

My 2 cents.

What bothers me is... (4, Insightful)

azav (469988) | about 8 years ago | (#15621902)

Why we are not aggressively tracking down and prosecuting mass repeat spammers and phishers.

If we are, why are we not hearing about it?

I mean, spam and phishing is the blight of the internet. It is aggravating, costly and time consuming. I do not need a mortgage, cialis, a fake rolex, a "pleasure ring" or bogus stock tips. All this spam and phishing is fraud and through use of zombies of hijacked connections, theft or trespassing.

Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

??

Re:What bothers me is... (1)

Lord of Hyphens (975895) | about 8 years ago | (#15622033)

Should we write our congressmen? Become rich and hire the mob to find these people and break some knees?

The latter has a chance of working (besides, it'd make me feel better). The latter wouldn't do a thing and stands a high chance of introducing its own problems.
So, who wants to fire up a nonprofit dedicated to ending spam/phishing by means of Cousin Vinnie?

Re:What bothers me is... (1)

Chabil Ha' (875116) | about 8 years ago | (#15622212)

Breaking some knees might be more effective. Why? The Internet is the equivalant of the Wild West. Anything goes. Laws are a very sticky thing where virtual territory is concerned. Since the Internet is a vast largely unregualted affair, getting laws in action don't do much since there isn't a white suited sherriff with an ivory handled Colt walking around keeping the bad guys in line.

But then again, we all know what happened when someone tried to take the law in their own hands. Look at Blue Security. They were supposedly sticking up for the common man, but now they've run outta town with their tail between their legs [slashdot.org]

.

Re:What bothers me is... (1)

CamDawg (970808) | about 8 years ago | (#15622268)

There was a recent post on the IE7 development blog about the prosecution of a phisher [msdn.com] --21 months of jail time and $57,000 returned to the folks he defrauded. It's a start at least. The IE7 dev blog has actually been doing its best to tout their anti-phishing features in IE7, though there have been a number of (IMO legitimate) concerns about how it's being implemented.

Re:What bothers me is... (1)

rbochan (827946) | about 8 years ago | (#15622372)

tell the RIAA that they're sending out mp3s...
or tell the FCC that they're sending out pictures of boobies...
that'll get something done about it.

Re:What bothers me is... (0)

Anonymous Coward | about 8 years ago | (#15622451)

Becomre rich, huh?? Well I know a really easy way of making some money...

Would skinning really help? (1)

b1t r0t (216468) | about 8 years ago | (#15621922)

If the idea is to skin a user's page on a given web site where they might be phished (like a banking web site), then it won't really help, because the proper skin can't be applied until after a user has logged in, and by then it's already too late! I suppose it might be possible to store that in a cookie, but that would assume that the user never connects from a "fresh" computer that hasn't been used with the site before. And then there are the redirection attacks which make use of a bug in the web site itself to make the phishing site look more legit.

Oh, duh (1)

b1t r0t (216468) | about 8 years ago | (#15621983)

I just RTFblurb... the point was to have the browser do skinning based on the web site being visited. Which still doesn't help when the user is not using his/her normal computer, and still takes effort to set up the skinning.

Off Topic public complaint (-1, Offtopic)

C_Kode (102755) | about 8 years ago | (#15621926)

Someone kill Slashdot for using that expanding Intel ad on the front page. I do not block the ads because I enjoy Slashdot and want to help support them by viewing the ads, but that expanding ad they are now using will force me to block all Slashdot ads.

I publicly request that shit STOP.

Re:Off Topic public complaint (1)

Itninja (937614) | about 8 years ago | (#15621987)

It would seem your "someone kill Slashdot" and "I love Slashdot" statements are a bit at odds. But seriously, I have been blocking /. ads since forever. But I buy a lot of stuff from Thinkgeek, so that kind of makes up for it, eh?

Haha, "why phishing works" (3, Insightful)

drinkypoo (153816) | about 8 years ago | (#15621928)

That's got to be one fucking short paper. I can personally sum it up in three words: "People Are Stupid." Can I get my research grant now?

Re:Haha, "why phishing works" (1, Funny)

Anonymous Coward | about 8 years ago | (#15622130)

To formalize it:
  1. Postulate that a statistically significant number of individuals are technologically challenged when it comes to operating a computing device on a global shared network.
  2. Acquire the grant money to perform the study to determine whether your hypothesis is correct or not.
  3. Profit!
  4. Publish your conclusion that "people are stupid".
  5. Go on the lecture circuit with your findings
  6. More profit!!

Not so sure about the visit count being useful. (1, Insightful)

Jerf (17166) | about 8 years ago | (#15621960)

You have read this comment 42 times, therefore it is trustworthy. Please reply with your social security number and mother's maiden name.

I'm not sure that visit counts are very useful, as there is only a narrow window between the very beginning, where it is useless because it is basically 0, and where it becomes useless because it's just a big, meaningless number. Will you notice if your visit count goes from 123 straight to 125? Will you even notice if it goes from 124 to 543?

Of course you want to say yes, because it looks like I'm asking "Can you tell the difference between 543 and 124?" and of course the answer is yes. But the real question I'm asking is, "Can you tell if a number secreted away in the corner of a busy webpage that you probably don't even know exists and have probably forgotten about if you did changes from 124 to 543?" I think that if you're honest with yourself, the answer is no.

It's a good brainstorming idea, but I don't think that's going to help much.

On the other hand, customizable interfaces would probably help a lot, but that's a lot of work, and you're going to have to half-force people to do customizations if you want it to work, because most people would just stick with the default. Perhaps randomize (within reason) some of the customization parameters? Sure, it'll add support load, but so does phishing, so you'd have to do a careful analysis to see if you come out ahead; it could go either way.

Re:Not so sure about the visit count being useful. (1)

Zardus (464755) | about 8 years ago | (#15622100)

That's not what the number thing is supposed to be like, though. The idea is that you go to a login page (such as something claiming to be paypal.com, lets say), and before filling out the login and password you glance at the status bar and see that the number of times you've visited this page is 0. For me, that would be an instant red flag that its a phishing site cause I hit up paypal often (more often than I would like..). If that number is not big, then the site is likely a phishing site.

Even if the site was using an exploit that changed the url in the location bar or something, such a low 'times visited' number would prompt me to try it on a different browser/computer and enter the URL by hand.

Re:Not so sure about the visit count being useful. (1)

Bob3141592 (225638) | about 8 years ago | (#15622251)

On the other hand, customizable interfaces would probably help a lot, but that's a lot of work, and you're going to have to half-force people to do customizations if you want it to work, because most people would just stick with the default. Perhaps randomize (within reason) some of the customization parameters? Sure, it'll add support load, but so does phishing, so you'd have to do a careful analysis to see if you come out ahead; it could go either way.

I'm not even so sure about that. Customizable skins are only useful if the same customization characteristics can be applied to all the sites I use. My online activity includes several banks, a few credit card companies, two phone companies, three utilities, many retail stores, etc, etc. If I can make all these sites look reasonably similar, say by using a similar shade of my favorite blue color, then I would be suspicious of sites in any different color. But without such across the board similarities, I'm going to lose track of who has what skin and who provides or doesn't provide such a skin. In the long run, absent it's universal application, all this would add is more noise into the presentation, and would provide minimal benefit.

#irc.trolltalk.c0m (-1, Flamebait)

Anonymous Coward | about 8 years ago | (#15621978)

DOG THAT IT IS. IT new core is going opinion in other Parts. The current out of 3usiness took precedence Start a holy war And personal

This girl deserves it, seriously! (0)

Anonymous Coward | about 8 years ago | (#15622025)

"Two participants in our study stated that in general, they
would only question a websites legitimacy if more than
the username and password was requested. One participant
actually submitted her username and password to
some websites in order to verify if it was a site at which
she had an account.

!!
She stated that this is a strategy that
she has used reliably in practice to determine site authenticity.
Her reasoning was Whats the harm? Passwords
are not dangerous to give out, like financial information
is."

Very offtopic: What's with this slashdot banner? (0, Offtopic)

88NoSoup4U88 (721233) | about 8 years ago | (#15622034)

I just had an, imo, very 'intrusive' ad here on the frontpage of Slashdot: The reason why I report this is the fact that I am not a subscriber, but also don't use any ad-blockers on Slashdot (nor on other sites), as I think it's a fair deal: I get to read/write for free and they serve me ads which will give them some money in return.

I don't mind the banners, animated or not: But I think this one (have a look at the screengrab [imageshack.us] ) got a bit too intrusive, or at least very annoying: Once you roll-over the normal banner, it changes in that one shown in the screenshot, taking up almost half of your screen.

Going back to the original banner (by hovering off the big-size banner), I noted that, in smallprint, it warned (?) that, on mouse-over, it would pop-up the bigger one: That, imo, does not justify it though (since the banner is on top, there's a big chance of hitting it by mistake with your mouse pointer).

Again, the reason why I made this post is not that I think (as a non-subscriber) I got any right to 'complaint' about something I receive for free: Just that -because- normally the ads are non-intrusive, I don't bother with blocking them.

This sort of thing is kind of amusing.. (1)

DoctorDyna (828525) | about 8 years ago | (#15622035)

As long as there are people that can be fooled, there will be people around to fool them. Technology, at it's best, can only ever be used as a padding, if you will, for the average user. You have to develop technology that hits the magical balance between . Once you hit that mark, then there is no excuse for complaining about technology. At that point, the responsibility for the continued problem lies essentially with the users alone.

PEBKAC!

Re:This sort of thing is kind of amusing.. (1)

DoctorDyna (828525) | about 8 years ago | (#15622050)

"hits the magical balance between ."

Should have read "hits the magical balance between helpfulness and intrusiveness."

Smarter than your average bear (2, Insightful)

Billosaur (927319) | about 8 years ago | (#15622056)

Look, as I've said repeatedly (and I don't need a post doc to know this), users fall for phishing because they are in general not Net savvy. A typical user looks at a browser or a desktop application and treats it like their TV/VCR or pocket calculator -- they expect to turn it on, use it, and aren't aware of anything else that it might be doing or be capable of doing. Doesn't matter if it's Firefox, IE, Opera, or what have you, the average user is not going to understand the workings of a browser. Nor should they have to.

There was an article a few days back (memory gets foggy with age) about IE7 and all the new stuff, to which I replied that it was all well and good, but the fact is, there have been no revolutionary new breakthroughs in browser technology. I'm not talking plug-ins, downloads, schemes, scripting, etc., but looking at the browser as more than simply a viewer of web content. It's long past that -- it's now the doorway to information and allows the user to access all kinds of data about themselves and others that is supposed to be "secure."

Browsers have to be redesigned with the average user in mind and they have to be developed to do much more of the security work for the user than they do now. They have to be turned from data reader into combination access port/firewall/security screen, and they have to run these functions automatically (except when you're a knowledgeable sort and can turn the systems on and off to your liking). A browser should stop a user from being able to access "phishy" sites, reject sites where security certificates are dodgy, and alert the user in the strongest terms that the thing they were about to do was stupid and they're not being allowed.

Phishers will continue to winnow out personal data from people as long as no one marches in and builds the next generation of tools to combat them. Trying to do anything with the current crop of technologies is like putting a band-aid over a severed jugular; to truly put the fire out, it will take a technology the phishers are not prepared for and cannot easily simulate.

Isn't it curious (1)

Bob3141592 (225638) | about 8 years ago | (#15622068)

how much intelligence and technology has to be applied to reduce the effects of people's stupidity. The more stupid/gullible/apathetic/lazy people are, the more sophisticated/integrated/processor-and-storage-int ensive applications have to become. Maybe we're just enabling people's stupidity by doing this. Eventually, as people's intelligence goes to zero, the number of processor cycles to protect them from themselves will become infinite.

Re:Isn't it curious (1)

nyctopterus (717502) | about 8 years ago | (#15622214)

Assuming that people are "stupid/gullible/apathetic/lazy" just because they might be taken in by a phishing scam is, well, stupid/gullible/apathetic/lazy thinking.

Re:Isn't it curious (1)

maxwell demon (590494) | about 8 years ago | (#15622248)

Actually the software has only to become as intelligent as the users should have been. After that, we can disconnect the users from the net and let the software handle their online stuff. :-)

IP-based Secure connections? (2, Interesting)

guruevi (827432) | about 8 years ago | (#15622166)

How about using the same technique SSH uses: If you come on a site that has the same IP but with a different key or the same key with a different IP: BIG WARNING THAT THIS SITE OR THE COMMUNICATIONS IS POSSIBLY COMPROMISED and provide a link to customer support in case that happens. SSL Certificates just check whether your communications is securely established and I won't examine that certificate everytime I connect. When you want to do Internet banking or something similar, your bank should give you a key on a read-only USB disk or something and the possibility to boot a Damn Small Linux from that disk. My bank did that for a while, but I guess they fell back on just providing the key probably because of the support issues with DSL and xDSL, USB Modems, Winmodems and other crap like getting the VPN through the users' firewall and you had a browser but couldn't go anywhere but the bank's sites. But I have another bank account that just requires a username and password and you're not even on the secure part by then. How dumb is that? I avoid using my Internet banking just for that. The people at the branch sometimes ask why I don't do those simple things (like transferring money) through their site. I am running only Mac and Linux but still I don't want anyone connecting because they keylogged my password - some users might have troubles putting a good password in the first place (insert oblig. spaceballs password quote here). My webmail is more secure than their site (RSA SecurID key required for that), so they could at least do SOME effort like giving me something similar to SecurID for their site.

Customization vs need (1)

Rob T Firefly (844560) | about 8 years ago | (#15622173)

Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"
I find it interesting that those examples grew from technological necessity. We used to need screen savers because our ancient monitors would burn in the image otherwise. We needed changeable ringtones because everyone in a crowd would have to check their phone if one was heard ringing. Some of us needed skinnable apps to fit in other features, or adapt the UI to impaired eyesight or something. In those instances, the content producers took advantage of the actual need to fill it with fun stuff like flying toasters, five-second mp3 ringtones, and Winamp plugins based on movies they could sell and/or advertise with. Now this seems to be going the other way around, taking advantage of people's acquired taste for UI skins, and exploiting that to fill the technological need for protecting the easily-phished.

Attack back with garbage userids and passwords (1)

texas neuron (710330) | about 8 years ago | (#15622219)

I do not know how to do the programming but if bogus userids and passwords were entered into the bogus phishing portal, then the cost of doing business for the phishers would get very high. It would be nice for the antivirus software we would buy to allow you to opt in to "punish the phishers." This would give them permission to send your computer the link and code to fill in the phishers web site once identified. Several million useless userid and passwords (created to look legit) should shut them down.

Re:Attack back with garbage userids and passwords (1)

jizziknight (976750) | about 8 years ago | (#15622490)

The problem with this is that if you're trying to make the userids and passwords look legit, then you're running the (albeit very small) risk of entering someone else's real userid and password, thus giving the phisher access to someone else's account, which could possibly (if they could track it down) result in a lawsuit for the antivirus software maker AND you. So though the risk of this actually happening is small, there's enough potential backlash that no antivirus software would actually implement this. Sure, you could do it yourself, but you still run the risk of the lawsuit. Also, what if the software happens to enter YOUR userid and password? It's a good idea, just not realistic.

Personalizing teletubbyland? Since when? (0)

Anonymous Coward | about 8 years ago | (#15622278)

She also suggested to "make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces."

This is an interesting point. That is, yes, people, err, users, like to customize. Some of them. And then usually in the form of garden gnomes and a matching backdrop. Many, however, never even change the backdrop nevermind the look of their desktop menus so that even years on they still use the factory shipped teletubbyland and matching green and blue menubars.

I think that the question who customizes what, and what not, and who doesn't, and then the why of it all, needs more investigation before one can hope to use this to battle phishing.

"Positive" authentication is not very useful (2, Informative)

ttul (193303) | about 8 years ago | (#15622288)

End users cannot distinguish well between legitimate sites and phishing sites. Adding in sugar such as the date of the user's last login is helpful only as a positive reminder that the user is on the right site. It's better than nothing, but not by a factor of 10.

Phishing cannot be prevented completely -- it's a social engineering phenomenon and as such will adapt to any technological intervention that tries to stop it. The best possible "solution" to phishing combines a) hardware authentication, b) increasingly "locked down" web browsers, c) web site "reputation", and d) better anti-phishing protection in email services and software.

Companies like Cloudmark leverage a vast and very active user community to almost instantly detect and mitigate new phishing campgaigns. IronKey, founded by the president of the Anti-Phishing Working Group, is developing hardware tokens for authentication. IE7 and Firefox continue to improve their defenses against XSS attacks and the like. And there are good efforts underway to develop URL reputation systems that can help users avoid browsing sites that are dangerous.

Collaborative filtering works much better (2, Interesting)

spamstopper (978854) | about 8 years ago | (#15622300)

Unless this is a highly targetted and customised phishing attack. Collaborative filtering like cloudmark [cloudmark.com] works amazingly well. You can stop a phishing attack spread within a few minutes. Here is more info on collaborative filtering [stason.org] or google for it.

Educate, educate, and try to solve the issue (1)

ursabear (818651) | about 8 years ago | (#15622342)

On several fronts...

I think it is a interesting to see that researchers are trying to find ways to get Joe/Jane user to recognize that WYSINWYG with every website they visit. So maybe there are a few flaws in these folks' ideas... but they're trying to get education out (at least, on some level).

Educate yourself about the changing face of phishing. Help other folks by helping them understand phishing. Don't hesitate to try to find a way to reduce phishing.

Report phishing... if you can report it to the people whose site is mimiced, then do so. At least, you can report the phishing attempt to The Anti-Phishing Working Group [antiphishing.org] .


By the way, sometimes I'm a little slow (what's new?)... for those of you like me who didn't know what "PEBKAC" meant, here's the Wikipedia definition [wikipedia.org] .

Spoof Proof? (3, Insightful)

sqlrob (173498) | about 8 years ago | (#15622344)

She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are -- users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces

We're sorry, due to an upgrade, you've lost the personalizations to this site. We apologize for the inconvenience, please log in and update your settings.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...