Phishing study reveals lack of knowledge among Internet users
Apr 3, 2006 3:41 PM
Solving the puzzle of why so many people fall for e-mail-based phishing attacks was the driving force behind a recent U.S. research study, which reveals that consumers may not comprehend even the most basic Internet security indicators.
The study, conducted by Harvard University and The University of California at Berkeley, tested the responses of 22 participants to a range of Web sites, some fraudulent and some genuine. "The best phishing site was able to fool more than 90 percent of participants. Indicators that are designed to signal trustworthiness were not understood (or even noticed) by many participants," the report says.
Pop-up warnings about fraudulent certificates proved ineffective, with 15 out of 22 participants proceeding to the Web site without hesitation, while other basic security measures such as checking SSL certificates and inspecting the validity of the URL were overlooked by 23 percent of participants. The participants' key approach was to analyze the content of a Web page to determine legitimacy, leading them to make incorrect decisions 40 percent of the time.
"Successful phishers must not only present a highly credible Web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in Web browsers," the report says.
"By using very simple spoofing attacks, such as copying images of browser chrome or the SSL indicators in the address bar or status bar, we were able to fool even our most careful and knowledgeable users," the report adds.
Here is a list of the top seven anti-phishing myths, according to information security specialist Hexview, based in Woodland Hills, Calif.:
* Myth #1: A secure, encrypted Web page must be a valid Web site. Never rely solely on an "https://" prefix or a padlock icon indicating a "secure" page. It is possible for a phishing Web site to have a valid SSL certificate.
* Myth #2: "Secured by [insert authority name]. Click here to verify." These messages are worthless. The splash window that comes up when you click the link does not guarantee that you are on a legitimate Web site.
* Myth #3: The address bar always shows the correct URL. Vulnerabilities in browser software could allow phishers to spoof information in the address bar.
* Myth #4: Moving the mouse over a link shows the real URL in the status bar. Status bar text can easily be changed; in fact, it is even easier than spoofing the address bar content.
* Myth #5: Anti-phishing software prevents scams. Just as antivirus software cannot detect all new malicious code, anti-phishing browser plug-ins (often offered for free by Internet providers) are incapable of detecting all phishing attempts.
* Myth #6: An e-mail containing your personal data is legitimate. If you receive a message from your bank that contains your name and your account number (or part of it), it may still be a fraudulent e-mail. Phishers can obtain some of your personal data from public databases or from data leaked by other organizations.
* Myth #7: It is safe to log in once you know the Web site is legitimate. Web site vulnerabilities (called Cross-Site Scripting) could allow a sophisticated attacker to use the form on a company's Web site to capture your credentials by redirecting you to the attacker's Web site as soon as you click the "Login" button or hit "Enter."
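Myths #1 through #4 share one lesson: the padlock, the link text and the status bar are all things a phisher controls, so a defensive check has to judge the real target of a link and nothing else. The following is an added example (not code from the article, the study or Hexview) of such a check, as a mail client or browser extension might apply it; the allowlisted domain `bank.example` and all URLs are constructed for illustration.

```javascript
// Added example: judge a link by its real href, ignoring what it displays.
// The allowlist of legitimate domains is a constructed placeholder.
const EXPECTED_DOMAINS = ["bank.example"];

// True if host equals domain or is a subdomain of it. A plain endsWith()
// check would wrongly accept "bank.example.evil.example", so the dot is
// required before the domain.
function belongsTo(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Hostname of a string that parses as an http(s) URL, otherwise null
// (plain link text such as "Click here" or a javascript: URL yields null).
function hostOf(text) {
  try {
    const u = new URL(text.trim());
    return ["http:", "https:"].includes(u.protocol) ? u.hostname : null;
  } catch {
    return null;
  }
}

// displayText is what the user sees (link text or status-bar text);
// href is where the link really goes. Returns { verdict, reason } with
// verdict "ok" or "suspicious".
function inspectLink(displayText, href) {
  const realHost = hostOf(href);
  if (realHost === null) {
    return { verdict: "suspicious", reason: "target is not an http(s) URL" };
  }
  // Myth #4: the URL shown to the user may differ from the actual target.
  const shownHost = hostOf(displayText);
  if (shownHost !== null && shownHost !== realHost) {
    return { verdict: "suspicious", reason: `shows ${shownHost} but goes to ${realHost}` };
  }
  // Myth #1: "https://" proves nothing by itself; the domain is what counts.
  if (!EXPECTED_DOMAINS.some((d) => belongsTo(realHost, d))) {
    return { verdict: "suspicious", reason: `${realHost} is not a known domain` };
  }
  return { verdict: "ok", reason: `target is ${realHost}` };
}
```

The check deliberately never looks at the scheme, a padlock or any "verified by" text, since Myths #1 and #2 show those are not evidence of legitimacy.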
© 2013 Penton Media Inc.