Streamline Training & Documentation: Don't Blame Phishing Victims

Friday, February 15, 2008

Don't Blame Phishing Victims

A research paper (pdf) published in 2006 by Rachna Dhamija (Harvard), J. D. Tygar (Berkeley), and Marti Hearst (Berkeley) indicates why even well-informed and experienced Web users can be fooled by phishing sites. As the paper's abstract explains,
"To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed."
I would echo the authors' recommendation that we give up on preventive measures of the "be careful" sort, and move firmly in the direction of hardening Web sites, and the way in which they are accessed, so that people don't have to play the internet equivalent of Russian roulette when using sites to conduct business and obtain information.
