[LINK] "Why phishing works"

Paul McGowan paul.mcgowan at yawarra.com.au
Fri Mar 31 10:31:25 EST 2006


Richard summarised:
> The essence of the paper is that people are stupid (we knew that, of 
> course!), and in judging whether a Website is "genuine", they look at 
> the content of the site itself...

From the article:
"Participants proved vulnerable across the board to
phishing attacks. In our study, neither education,
age, sex, previous experience, nor hours of computer
use showed a statistically significant correlation with
vulnerability to phishing."

Now, to me this doesn't say that people are stupid.  Quite the 
opposite, in fact.  To my mind, this points to a fundamental problem 
with a system (in this case, online banking) that relies entirely on 
the user for security.  

As Schneier has argued on many occasions, this system is flawed 
because it is based on user authentication, not transaction 
authentication.  Once someone is logged in, the banks conveniently 
assume that everything they do is legitimate (and say as much in 
their T&C's), along the lines of "You are responsible for securing 
your password, if you lose it, or give it out, tough, that's your 
problem..."

This is just plain wrong.  The place to secure the banking system is 
at the bank, not on Jane Doe's (or is that Doh!) spyware laden 
Windows* box.  You have as many points of failure as you do 
customers, and that cannot work.  Given the prevalence of phishing 
and the mighty success it is having, it plainly doesn't work.  This 
paper helps to understand why, but sorry Richard, "people are stupid" 
doesn't help either.  People are human, and have to be allowed to 
make mistakes.  A properly designed system will compensate for those 
mistakes and require more than one failure before all your money goes 
dancing off to swim with the phishes...

Best regards,

Paul McGowan

[*] No, I am not having a go at MS, I am having a go at the banks
-----------------------------
Yawarra Information Appliances Pty Ltd
http://www.yawarra.com.au/
Tel: 1300 859 799 / (03) 9800 2261
Fax: (03) 9800 2279
PO Box 606, Boronia VIC 3155
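The transaction-authentication design the post argues for, as an added sketch that is not part of the original message or of any bank's system: a confirmation code from a device enrolled out of band is bound to the exact source, destination and amount, so a phished password alone (one failure) authorises nothing, and a destination swapped after the customer confirmed invalidates the code. Bank, Transfer, device_code and the sample customer are constructed for illustration.

```python
import hashlib, hmac, secrets
from collections import namedtuple

# A transfer is identified by exactly the fields the confirmation code must bind.
Transfer = namedtuple("Transfer", "src dest amount_cents")

def device_code(device_key: bytes, nonce: bytes, t: Transfer) -> str:
    """Confirmation code the customer's enrolled device computes over the exact transfer."""
    msg = nonce + f"{t.src}|{t.dest}|{t.amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:8]

class Bank:
    def __init__(self):
        self.accounts = {}  # user -> (password, device key provisioned out of band)
        self.sessions = {}  # session token -> user
        self.pending = {}   # session token -> nonce of the transfer awaiting confirmation

    def enrol(self, user, password, device_key):
        self.accounts[user] = (password, device_key)

    def login(self, user, password):
        if user not in self.accounts or self.accounts[user][0] != password:
            return None
        tok = secrets.token_hex(8)
        self.sessions[tok] = user
        return tok

    def begin_transfer(self, session):
        self.pending[session] = secrets.token_bytes(8)
        return self.pending[session]

    def confirm_transfer(self, session, t, code):
        # A valid login is not enough: the code must match this exact transfer.
        nonce = self.pending.pop(session, None)
        if nonce is None:
            return False
        key = self.accounts[self.sessions[session]][1]
        return hmac.compare_digest(device_code(key, nonce, t), code)

def run_scenarios():
    bank, key = Bank(), secrets.token_bytes(32)
    bank.enrol("jane", "hunter2", key)  # constructed demo customer
    t = Transfer("jane", "utility-co", 12_000)
    s = bank.login("jane", "hunter2")  # Jane's own device signs her intended transfer
    ok = bank.confirm_transfer(s, t, device_code(key, bank.begin_transfer(s), t))
    s = bank.login("jane", "hunter2")  # phished password alone: no device key
    phished = bank.confirm_transfer(s, t, device_code(b"guess", bank.begin_transfer(s), t))
    s = bank.login("jane", "hunter2")  # malware swaps the destination after the device signed
    code = device_code(key, bank.begin_transfer(s), t)
    tampered = bank.confirm_transfer(s, Transfer("jane", "mule-account", 12_000), code)
    return ok, phished, tampered
```

Only the first scenario succeeds; the session in the other two is just as "logged in", which is the point the post makes about user versus transaction authentication.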
