Duping users into revealing their private data goes back decades, but it wasn’t until the late 1990s that “phishing” became the word to describe the practice. Today, phishing costs banks, service providers, and consumers billions of dollars per year, and companies are working frantically to limit the damage. A survey by Gartner estimated that more than three and a half billion dollars were lost to phishing in the United States in 2007 alone.
Phishing typically refers to the process where a fraudulent but realistic-looking Web service or application is created to collect personal information such as username and password pairs, bank accounts, credit card numbers and social security numbers. These accounts are then used for everything from spamming operations to bank fraud and identity theft. In some cases the phishing sites are not even fraudulent, but the servers have been compromised or the front end is vulnerable to Cross-Site Scripting (XSS) attacks or Cross-Site Request Forgeries (CSRF/XSRF). In other cases multiple techniques are used and include viruses and malware.
With more than a billion people online, ensuring that none of them fall prey to phishers is nearly impossible. The stakes are high, so there is a tremendous amount of effort being put into preventing and mitigating phishing by industry, which has done much to stave off the problem even though the number and sophistication of attacks have rapidly increased. In addition, there is also a significant amount of academic and industrial research into phishing that has received limited exposure in the press. In this article, I will summarize several important contributions from the last few years, as well as outlets to investigate for further research. One common theme across each of these papers is the recognition that usability and design are tightly connected to the effectiveness of security implementations.
Users Too Trusting
One of the most remarkable aspects of the problem is that despite warnings, many users will fall for even basic phishing attempts. In The Emperor’s New Security Indicators, presented at the 2007 IEEE Symposium on Security and Privacy by Schechter, Dhamija, Ozment and Fischer, the authors show that users will continue to enter credentials into online banking sites even when security indicators are removed and warnings are displayed. For example, of roughly half the users who completed the study using their own personal accounts, 92 percent continued to log in even after the user-selected verification image (offered on sites such as Bank of America, Vanguard and Yahoo!) was removed and replaced with a note saying that the security system was currently being upgraded.
Sadly, the efforts by vendors to help users recognize phishing often fail. One paper presented at The Conference on Usability, Psychology, and Security (UPSEC ’08) indicates the difficulties that services face when attempting to mitigate phishing attacks. In RUST: A Retargetable Usability Testbed for Website Authentication Technologies, Johnson, Atreya, Aviv, Raykova, Bellovin and Kaiser conducted work building on Schechter et al., which evaluated Microsoft CardSpace and Verisign Secure Letterhead. The authors found that even though the vendors had made explicit design choices that attempt to offer resistance to phishing when implementing these new authentication technologies, users could still be guided into a fraudulent Web site at an earlier point in the interaction. For example, most users who received an email directing them to a “secure” site would still enter their credentials if the site looked relatively convincing and they received a message saying the site was partially down for maintenance.
User Passwords
One successful phish can be applied across multiple accounts. One study, A Large-Scale Study Of Web Password Habits, presented at The 16th International Conference on World Wide Web (WWW ’07) by Dinei Florencio and Cormac Herley from Microsoft Research, describes findings from an experiment that collected data about accounts and passwords from more than half a million Microsoft Toolbar users. It’s widely accepted that most individuals maintain a limited number of passwords compared to the number of locations where they need to enter a password. Typically, they keep one password for sites they consider to be very secure, such as online banking, and several passwords for sites they consider less secure. Users increase the number of passwords when sites require frequent password changes or have specific restrictions on combinations of numbers, letters or punctuation characters. The problem is that in current practice large service providers are not islands. We know that individuals reuse credentials across sites and therefore likely have the same credentials at both large and small sites, meaning that each site has the potential to be the weakest link in a global authentication chain.
Florencio and Herley’s research is useful and important as it provides a large sample of user behavior surrounding passwords and account use. The authors found that the “average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of eight passwords per day.” Their data showed that 0.4 percent of users type their credentials into a verified phishing site each year and that users forget their passwords frequently; in the case of Yahoo!, about 1.5 percent of users a month. This means that the mechanisms to recover or reset passwords when users forget them are critical.
Ariel Rabkin presented Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook at The 4th Symposium on Usable Privacy and Security (SOUPS ‘08). His research examines the additional security questions typically used during the password recovery process when the user has forgotten his or her password. Rabkin evaluated the security questions from twenty banking and investment Web sites and broke them into categories of ambiguous (could have more than one answer); not memorable (user was likely to forget); inapplicable (was not relevant to the user); guessable (likely to be obvious); attackable (information available on social networks); automatically attackable (possible to harvest data and test); and secure. Only slightly more than one-third of all questions were classified as secure. This is troubling as many of the sites did not employ either CAPTCHAs, to deter simple automated attacks, or two-factor authentication, such as SMS for an additional layer of verification with the password recovery, even when they provided these mechanisms for standard authentication.
A new frontier for those who run phishing scams is in attacking the browsers on gaming and mobile devices. The number of consumer devices with full-featured browsers is growing rapidly and is not trivial. For example, in March 2009 Apple announced that it had shipped more than 30 million iPhone and iPod touch devices and Nintendo announced that it had shipped more than 100 million Nintendo DS units. Also at UPSEC ’08, Niu, Hsu and Chen presented iPhish: Phishing Vulnerabilities on Consumer Electronics, which examined Web browsers from three consumer devices: the Apple iPhone and two gaming devices, the Nintendo DS and Nintendo Wii. The authors conducted a study with iPhone users and found that design choices made for the limited real estate of the device made it impossible for even knowledgeable and security-savvy users to adequately evaluate potential phishing sites. For example, there are no explicit anti-phishing protections built into either the mail client or the browser (this feature is slated for delivery summer 2009) that could indicate to the user that something was amiss. In the Apple browser the URL was often abbreviated and easily faked with specialized JavaScript, while in the URL was often elided entirely by default and the SSL indicator is not available.
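Why an abbreviated URL on a small screen defeats even careful users can be shown with a short added example (not code from the original article or from the iPhish paper). The truncation rules, the 24-character width, the sample URL and the last-two-labels approximation of the registrable domain are all assumptions made for illustration.

```javascript
// Constructed sample URL: a familiar-looking name is placed at the left of
// the host, while the domain that actually serves the page is at the right.
const SAMPLE =
  "https://www.bank.example.secure-login.accounts.other.test/signin";

// Assumed narrow-screen behaviour: drop the scheme, keep the first `width`
// characters and mark the cut with an ellipsis.
function headTruncate(url, width) {
  const text = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return text.length <= width ? text : text.slice(0, width - 1) + "…";
}

// Alternative display: ignore the path and cut host labels from the LEFT,
// so the rightmost labels (the serving domain) always stay visible.
function tailPreservingHost(url, width) {
  const host = new URL(url).hostname;
  if (host.length <= width) return host;
  const labels = host.split(".");
  let shown = labels.pop(); // the top-level label is always kept
  // +2 accounts for the joining dot and the leading ellipsis.
  while (labels.length &&
         labels[labels.length - 1].length + shown.length + 2 <= width) {
    shown = labels.pop() + "." + shown;
  }
  return "…" + shown;
}

// Approximation (assumption): the last two labels stand in for the
// registrable domain; real code needs the Public Suffix List.
function servingDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// True when the text shown to the user omits the domain serving the page.
function hidesServingDomain(display, url) {
  return !display.includes(servingDomain(url));
}

// Side-by-side result for one URL at one display width.
function compare(url, width) {
  const head = headTruncate(url, width);
  const tail = tailPreservingHost(url, width);
  return {
    head, headHides: hidesServingDomain(head, url),
    tail, tailHides: hidesServingDomain(tail, url),
  };
}

console.log(compare(SAMPLE, 24));
```

With the head-first cut, the only text left on screen is the part of the host that the site operator chose freely; the tail-preserving cut keeps the serving domain in view at the same width.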
* This article originally appeared as You Can Fool Some of the People All of the Time: Research on Usability, Security and Phishing in the April 2009 issue of Messaging News.