Why phishing works

September 18, 2007 at 11:12 pm 1 comment

Frankly, sometimes I tire of hearing about user stupidity. The moaning of “if only users could be more careful” and “we need to educate our users better” ignores the reality of how online security really works in practice.

Phishing works because most online customers are unable to protect themselves. Expecting them to do so is simply a false hope and makes for poor security outcomes.

A study by Rachna Dhamija, J D Tygar, and Marti Hearst of Harvard University and UC Berkeley called Why Phishing Works (pdf 851 KB) provides empirical evidence about which malicious strategies are successful at deceiving general users. The study concludes that:

“…even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants.” (emphasis added)

The study is worth reading in detail as it shows how common steps websites expect customers to take are, by a wide margin, unrealistic and amount to a flawed approach to online security.

The padlock, address bar changing colour, presence of favicon, animated graphics, “accept temporary certificate for this session”… all of these were either invisible or wrongly interpreted by most users.

Time for a test. If you saw the URL http://www.bankofthevvest.com would you accept it as that of Bank of the West? Look carefully, it should be “west” not “vvest” (i.e. “w” not two “v”s). This one fooled all but one of the participants.

Got me too.


Entry filed under: authentication, fraud, report, security, strategy.

Data undermining privacy On pause till about 10 Oct

1 Comment Add your own

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.

Follow me on twitter


%d bloggers like this: