Professor Studies Why Phishing Works



David Utter
Staff Writer
2006-10-05


Those who have spent a long time working with and learning about technology have found it hard to determine why non-techies seem more vulnerable to phishing attacks.

Why Phishing Works

At Indiana University, computer science professor Markus Jakobsson researches phishing scams. Since these are primarily social engineering attacks against people rather than attacks on software, Jakobsson wanted to find out why certain attacks work.

Symantec Security Response blogger Zulfikar Ramzan posted about Jakobsson's assessment of behavioral vulnerabilities and trust abuse associated with phishing. Jakobsson's anti-phishing group brought in a number of subjects to observe why certain aspects of phishing work.

The study group viewed emails and web pages and was asked to rate each on its likelihood of being a phishing attempt. Jakobsson screened the group to exclude computer science majors, as he wanted to see how typical, non-technical users handled phishing attempts.

The subjects also had to explain their thought processes out loud, and they were aware that the experiment had been designed to test their ability to discern phishing from legitimate communications. Some interesting conclusions emerged, and we will summarize some of them here.

Subjects knew to mouse over links to see the real URL, and were wary of ones containing an IP address instead of a domain name. But they also tended to trust domain names like "www.citibank-login.com" and "www.bankofamerica.pin-update.com," even though the domain actually registered in each case (citibank-login.com and pin-update.com) is not the bank's, and anyone can register a name that merely contains a bank's brand.
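As an added example (not code from the article or from Jakobsson's study), here is a small Python checker that applies the two heuristics the subjects got right and wrong: it flags an IP-address host, and it looks at which domain was actually registered rather than whether a brand name appears somewhere in the hostname. The brand-to-domain table is constructed for the example, and registrable-domain extraction is simplified to the last two labels (a real deployment would use the Public Suffix List). It also flags a "user@host" URL, a trick beyond what the study described.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: brand keyword -> domains the brand really owns.
# Not an authoritative list; a deployment would maintain its own.
KNOWN_BRANDS = {
    "citibank": {"citibank.com"},
    "bankofamerica": {"bankofamerica.com"},
}


def registrable_domain(host):
    """Last two labels of host, e.g. 'www.citibank-login.com' -> 'citibank-login.com'.

    Simplification (assumption of this example): real code should consult the
    Public Suffix List so that a host under 'co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True for '192.0.2.10' or an IPv6 literal, False for a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return a list of warning strings; an empty list means nothing looked off."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    if not host:
        return ["no hostname in URL"]

    if is_ip_literal(host):
        # The study's subjects already distrusted this form.
        flags.append("host is an IP address, not a domain name")
        return flags

    reg = registrable_domain(host)
    squashed_host = host.lower().replace("-", "").replace(".", "")
    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand not in squashed_host:
            continue                      # this brand is not mentioned at all
        if reg in legit_domains:
            continue                      # genuinely the brand's own domain
        if brand in reg.replace("-", ""):
            # e.g. citibank-login.com: the brand name sits inside a domain
            # that nobody verified belongs to the brand.
            flags.append(f"lookalike domain: {reg!r} mentions {brand!r} "
                         f"but is not one of {sorted(legit_domains)}")
        else:
            # e.g. www.bankofamerica.pin-update.com: the brand is only a
            # subdomain label; pin-update.com is what was registered.
            flags.append(f"brand {brand!r} appears only as a subdomain of "
                         f"unrelated domain {reg!r}")

    if parts.username is not None:
        # Beyond the study: http://www.citibank.com@evil.example/ puts the
        # real host after the '@'; everything before it is ignored userinfo.
        flags.append("userinfo before '@' hides the real host")
    return flags
```

The check deliberately does not trust a brand name anywhere in the hostname; only the registered domain is compared against the brand's known domains, which is exactly the distinction the subjects failed to make.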

Trust seals such as the BBB logo did not matter to the subjects, who were not influenced by their presence or placement on a site. That should not be surprising, since a seal is just an image that a phishing page can copy as easily as a legitimate one can display it, but it is discouraging for companies whose business is issuing such seals, because the seals are not having the intended effect on suspicious visitors.

While talking about money or transactions raised red flags, informative emails that did not call for immediate action were more likely to be trusted. That would be dangerous if a phishing attempt included a link at the bottom of a seemingly trustworthy, informative message.

One insight from Jakobsson echoed a similar statement I heard from TriCipher's Tim Renshaw, on the topic of educating users. Education only goes so far, as people will make poor judgments about whether or not a site is legitimate.

During a chat with Renshaw, he mentioned that a big problem with phishing comes from laziness on the part of financial institutions in attacking the issue. Losing money due to fraud can be handled, but losing data that can facilitate identity theft is not treated with the same urgency.

That makes it all the more important for people to demand better treatment of their online access to financial resources. The technology to make online banking even more secure, like SSL and digital certificates for users, has been available for some time.

While banks use SSL extensively, few if any seem to require their customers to hold a digital certificate of their own. A client certificate authenticates the customer with a private key rather than a password, so a phishing page cannot harvest the credential through a login form, and an attacker relaying the session cannot reuse the customer's handshake signature against the real bank, because that signature covers the server certificate the customer actually connected to. The push needs to come from the financial institutions to enable this and knock out threats like phishing and man-in-the-middle attacks.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.

More insider_reports_insider Articles

SecurityProNews: Insider Reports Insider Reports RSS Feed


Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Virus Warnings

Subscribe to
SecurityProNews FREE!



[ more newsletters ]

article resources
Search Articles:
[advanced search]

WebProWorld.com
Get in-touch with industry experts and leaders
Post your site for review by expert and peers
Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com

Titan Quest Forum
The #1 Titan Quest forum
Halo 3 Forum
The best Halo, Halo 2, Halo 3 forum
Nintendo Wii
Nintendo Wii news and views
Mac Software
The best in OS X freeware
Graphics Forum
Your source for graphic tutorials
SecurityProNews.com | Breaking eBusiness News Get Your IT Questions Answered - Click Here SecurityProNews News Feeds