Security's Everyman

Friday, April 20, 2007

More on Phishing

The guys at Pauldotcom Security Weekly mentioned a paper showing how the SiteKey service used by Bank of America can be fairly easily bypassed and used to phish your login credentials. The paper was written by the Stop-Phishing Research Group at Indiana University, and you can find it on Slight Paranoia. This is really good reading. I haven't read all the comments yet, but am hoping to get around to it later this weekend.

The thing that really caught my attention is that, as in all phishing attacks, this works because users don't pay attention. When people are on their own computer and aren't presented with their SiteKey image, most of them assume that something went wrong on the bank's side and that it is OK to continue. So they nonchalantly reenter their information, and suddenly they have been caught. Once again, if we can just teach people the importance of paying attention when they are online, we will eliminate most successful phishing attempts.

1 comment:

kurt wismer said...

i don't recall if i've mentioned it here or not, but it is the nature of human perception to fill in the missing details... that goes beyond simply not paying attention...

yes, it's true that if the user looked closely they'd probably notice something is wrong (just as if they looked closely at 2 nearly identical pictures they'd probably be able to find most of the differences), but if noticing a warning indicator has the same complexity as a brain teaser then the security feature will fail due to poor usability...

