Phishing Special Report: What we can expect for 2007
Phishing attacks are more numerous, more varied and more creative than ever. And this on the heels of a NY Times report about a study by a few MIT and Harvard researchers that suggests that site-to-user authentication (generally believed to be a good anti-phishing solution) is ineffective for many users. The full report is available here.
I enjoyed Don Park's comment on the subject:
While I have little doubt about their integrity, I do wonder if the study is not flawed. For example, doesn't using people who willingly let others observe them signing into their bank account for such a study skew the result? It's probably not as bad as counting virgins among prostitutes, but I would like to hear more about how they accounted for such problems.
The report does note that participants may have had reason to behave less securely than they would in the real world. But I'm not completely surprised by the report's findings -- the report isn't really saying anything about technology; it's talking about people.
An interesting premise was made by the researchers:
In real life, security is rarely a user’s primary goal.
Based on the context of that statement, I believe what they're really saying (in an understated way) is that security is usually the furthest thing from a typical user's mind: the site-to-user authentication (and other security technologies) failed because the users weren't even looking for them. So, even if the technology is effective, it's vitally important to educate end users about how the technology works and what's at stake.
Things are clearly going to get worse before they get better. Since there's no silver bullet that can put an end to all phishing attacks, we can only attempt to provide the right tools and educate people as much as possible.
Don't run with scissors... Look both ways... Wear a helmet... and always verify your financial institution prior to providing credentials. OK - I need help with the wording, but the point is that we need to get more mainstream about on-line security education.