Monday, May 07, 2007

Phishing and the retreat from the net

I believe fewer "regular folk" rely on the net than was true a few years ago, even as more use it purely for entertainment. I don't think this is a reasoned, conscious decision for most; I think it's more of an instinctive reluctance. I think this is why:
coding horror: phishing ...

... There's only one conclusion you can draw from the study's results: when presented with a spoofed web page, a large percentage of users will always fall for it. Forever.

Once that spoofed page is up, even if we use the extraordinarily optimistic estimate that only 15 percent of users will fall for it, that's still a tremendous number of users at risk. Given the poor statistics, the only mitigation strategy that makes sense is to somehow prevent showing the spoofed page to the user. The good news is that the latest versions of Firefox and Internet Explorer have anti-phishing capabilities which do exactly that: they use real-time, distributed blacklists to prevent showing known spoof sites to users. I visited the PhishTank site to gather a set of known phishing URLs to see how well these browsers perform.

Firefox may be using PhishTank as a source; every URL I visited showed the most severe warning, blocking the phishing site from the user behind a sort of smoked-glass effect. Unfortunately, it's all too easy to click the little red X and use the page. I don't think it's a good idea for this dialog to be so easily dismissible, like any other run-of-the-mill dialog box...

... I'm no fan of distributed blacklists, but I think they're a necessary evil in this case. Throughout the last ten years of incremental browser security improvements, users have always been susceptible to spoof attacks. It doesn't matter how many security warnings we present, or how much security browser chrome we wrap websites in. Phishing is the forever hack. If the phishing page is displayed at all, it invariably reels a large percentage of users in hook, line, and sinker. The only security technique that can protect users from phishing scams, it seems, is the one that prevents them from ever seeing the phishing page in the first place.

I don't think Camino is using a phishing filter yet, and I know Safari isn't. It's a prerequisite now.
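The quoted passage rests on one mechanism: the browser checks each URL against a blacklist before rendering the page. The example below is an added illustration of what such a lookup has to do to be worth anything; it is not code from this post, from Coding Horror, or from Firefox, Internet Explorer or PhishTank. It goes a little beyond the quote by showing why a naive exact-string match fails (case, percent-encoding and `/../` games all produce a "new" URL) and by using the host-suffix / path-prefix matching scheme that Google's Safe Browsing protocol documents, in a simplified form (query strings are dropped, IP-literal hosts are not handled). The blocklist entries, hostnames and URLs are constructed sample data, not real phishing sites.

```python
"""Browser-side phishing blocklist lookup (added illustration, simplified).

Assumptions: blocklist entries have the form "host-suffix/path-prefix";
hosts are dotted names (no IP-literal canonicalization); query strings
are ignored. All hosts and URLs below are constructed sample data.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample blocklist: one whole host, one path on a host, and
# one directory on a shared hosting domain.
BLOCKLIST = {
    "bank-login.example/",
    "secure.example/login/",
    "cdn.example/sites/phish1/",
}


def canonicalize(url):
    """Return (host, path) normalized so trivial URL variants collide.

    Lowercases the host, strips trailing dots, percent-decodes the path
    and resolves "." / ".." / empty segments so that
    /login/../login/%69ndex.html and /login/index.html are the same page.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().strip(".")
    raw_path = unquote(parts.path) or "/"
    segs = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if parts.path.endswith("/") and path != "/":
        path += "/"
    return host, path


def lookup_expressions(host, path):
    """All host-suffix + path-prefix strings to test against the blocklist.

    Host suffixes keep at least two labels (www.secure.example and
    secure.example); path prefixes are "/", every directory prefix,
    and the full path.
    """
    labels = host.split(".")
    host_suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    segs = path.strip("/").split("/") if path != "/" else []
    prefixes = {"/", path}
    for i in range(1, len(segs)):
        prefixes.add("/" + "/".join(segs[:i]) + "/")
    return [h + p for h in host_suffixes for p in sorted(prefixes)]


def is_blocked(url):
    """True if any canonical expression for url is on the blocklist."""
    host, path = canonicalize(url)
    return any(expr in BLOCKLIST for expr in lookup_expressions(host, path))


if __name__ == "__main__":
    samples = [
        "http://www.bank-login.example/anything?x=1",          # host-wide entry
        "http://SECURE.example/login/../login/%69ndex.html",   # obfuscated path
        "http://secure.example/about/",                        # same host, clean path
        "http://cdn.example/sites/phish1/index.html",          # shared-hosting dir
        # userinfo trick: the real host is evil.example, so nothing matches
        "http://www.bank-login.example@evil.example/",
    ]
    for s in samples:
        print("BLOCK " if is_blocked(s) else "allow ", s)
```

The last sample is the caveat worth remembering: the lookup is only as good as the canonicalization in front of it. A `user@host` URL, a homograph domain, or a freshly registered host that is not yet on the list all sail through, which is exactly why the quoted author treats the blacklist as a necessary evil rather than a fix, and why the warning it produces should not be one click away from dismissal.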

More fundamentally, I think we're coming to the end of the first generation of the net. The next version won't be anonymous ...
