WebApp Sec mailing list archives

Re: Anti-Phishing, why it doesn't work


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Mon, 24 Jan 2005 10:31:22 -0800


On Monday, January 24, 2005, at 08:34  AM, Joseph Miller wrote:

We all know that the number one reason why Anti-Phishing mechanisms do not
work is because of dumb users.  But there are other reasons why many
mechanisms may fail. IMHO, the computer display is another major culprit.

In my opinion, if users are dumb then this is precisely the reason why a workable solution is essential. While on the Web, users have a very limited set of utilities assisting them in making educated decisions. They are on their own, so to speak. And if this is the case, we really can't expect users to defend themselves successfully.

An analogy might be something like a train station. Train stations have numerous warning signs, brightly colored paint, loudspeakers, and sometimes even security guards all screaming "stay off the tracks". Also, the trains themselves have loud horns heard from far, far, far away. These measures effectively help even dumb "people" make the proper decision to stay off the tracks and not get clobbered. Sure, people still get hit by trains, but there's a lot being done preventatively and the number of incidents is probably lower (though I don't know for certain).

About your computer display observation, you make a good point. I also see the problem as that we can't be certain that the web site we're looking at is what we think it is. We HOPE it is, but can't be certain. So what assistance does a user really have? They could look for the little 10x10 pixel lock symbol, which arguably doesn't help prevent phishing anyway. They can look and try to understand the URL in the location bar. But again, for any number of reasons, people are not going to be able to decipher URLs. Addressing an avenue of attack, cryptographically signed email. Anything else I missed?

The point is the technology solutions available to prevent phishing are a far cry from where they need to be. We can't give up on users because they might be dumb. Depending on the situation, any one of us could be considered dumb when tossed outside our element.


Regards,

Jeremiah-


