WebApp Sec mailing list archives
RE: (not really a) Proposal to anti-phishing
From: "Mike Andrews" <mike () se fit edu>
Date: Mon, 24 Jan 2005 12:35:48 -0500
I remember doing a quiz on phishing some time ago. After much digging, here's a link to the quiz (version 2): http://survey.mailfrontier.com/survey/quiztest.html

Sorry, it doesn't give any results of the survey - perhaps someone could email the company and ask about the results, especially which ones people didn't get.

Cheers,
Mike.
-----Original Message-----
From: Rishi Pande [mailto:rishi.pande () gmail com]
Sent: Monday, January 24, 2005 11:16 AM
To: Scott, Richard
Cc: webappsec () securityfocus com
Subject: Re: (not really a) Proposal to anti-phishing

I agree that user education is important. I would be interested in seeing if younger users - ages 20 and below - who basically grew up with the internet are less gullible to phishing scams. Any pointers to such research or anyone willing to take this matter up will be appreciated. If someone wants to take this up, I am also willing to help them out.

On another note - this reminds me of something one of my professors used to say - people who surf the internet should have to give a test before they ever get on, just like the driver's test.

Rishi

On Wed, 19 Jan 2005 11:14:09 -0600, Scott, Richard <Richard.Scott () bestbuy com> wrote:

Without getting into a technical debate - I don't think any technical solution exists for the social problem that we have. That is, it does not matter what solutions are in place; if users are willing to give out personal information without thinking of the context in which they are giving it, then there isn't much hope.

For example, in the phishing attempts I have seen, web sites are used to trick the user into believing that an order has been cancelled or some sort of process is on hold. To release the order for delivery, or to correct information, the user is asked to enter information. Now, why would a web site that sells goods and services ask for my bank account PIN? Why would I enter my SSN on a site that does not need it, or on a site I have never visited? Why would I give out my mother's maiden name?

There are two problems I see that need to be corrected:

(1) Users give out too much personal information without good justification. Users should be educated about giving out information.

(2) Corporations need to stop relying on certain data elements for authentication. Why on earth do financial and health institutions ask for the last four digits of an SSN - when the last four digits are more readily available than the full number? The logic just doesn't make sense.

The three simple concepts - education, awareness and better use of data - will do more to prevent phishing than an expensive security mechanism. Obviously, there may be some phishing scams that involve, for example, bank web sites etc. But if banks went on record to state they would never solicit information using that medium, we simply just communicate that to the population.

<End Rant>

Cheers,
Richard
Current thread:
- RE: (not really a) Proposal to anti-phishing Evans, Arian (Jan 19)
- <Possible follow-ups>
- RE: (not really a) Proposal to anti-phishing Scott, Richard (Jan 23)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Mike Andrews (Jan 24)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Wall, Kevin (Jan 24)
- RE: (not really a) Proposal to anti-phishing Mike Andrews (Jan 24)
- Re: (not really a) Proposal to anti-phishing Rishi Pande (Jan 24)
- RE: (not really a) Proposal to anti-phishing Scovetta, Michael V (Jan 24)