Tuesday, February 6

Phishing Special Report

Another interesting paper from RSA's Anti-Fraud Command Center (AFCC)...
Phishing Special Report: What we can expect for 2007

Phishing attacks are more numerous, more varied and more creative than ever. And this comes on the heels of a NY Times report about a study by a few MIT and Harvard researchers that suggests that site-to-user authentication (generally believed to be a good anti-phishing solution) is ineffective for many users. The full report is available here.

I enjoyed Don Park's comment on the subject:
While I have little doubt about their integrity, I do wonder if the study is not flawed. For example, doesn't using people who willingly let others observe them signing into their bank account for such a study skew the result? It's probably not as bad as counting virgins among prostitutes, but I would like to hear more about how they accounted for such problems.
The report does note that participants may have had reason to behave less securely than they would in the real world. But I'm not completely surprised at the report's findings -- the report isn't really saying anything about technology -- it's talking about people.

An interesting premise was made by the researchers:
In real life, security is rarely a user’s primary goal.
Based on the context of that statement, I believe what they're really saying here (in an understated way) is that security is often the furthest thing from a typical user's mind -- the site-to-user authentication (and other security technologies) failed because the users weren't even trying to look for them. So, even if the technology is effective, it's vitally important to educate end users about how the technology works and what's at stake.

Things are clearly going to get worse before they get better. Since there's no silver bullet that can put an end to all phishing attacks, we can only attempt to provide the right tools and educate people as much as possible.

Don't run with scissors... Look both ways... Wear a helmet... and always verify your financial institution prior to providing credentials. OK - I need help with the wording, but the point is that we need to get more mainstream about on-line security education.

1 comment:

Mohamed said...

I agree, user awareness is the ultimate defense mechanism against phishing and any other identity risk. However, I just don't envision many users investing their personal time in understanding these elements. It seems obvious that one would want to protect themselves, and yet the number of incidents continues rising due to lack of awareness. Furthermore, users may feel that verifying HTTPS indicators and other security objects prior to each log-in attempt is a little invasive and time-consuming. I think it would be useful to provide users with a suite of identity protection tools that, for instance, would notify them via SMS whenever a log-in authentication to their bank account is initiated. And if there was truly an unauthorized attempt, the user should be able to instantly lock their account using SMS or a more convenient method rather than having to call customer service each time...

It's really going to be interesting to see how far we progress in the next 5 yrs or so...