[LINK] "Why phishing works"
paul.mcgowan at yawarra.com.au
Fri Mar 31 10:31:25 EST 2006
> The essence of the paper is that people are stupid (we knew that, of
> course!), and in judging whether a Website is "genuine", they look at
> the content of the site itself...
From the article:
"Participants proved vulnerable across the board to
phishing attacks. In our study, neither education,
age, sex, previous experience, nor hours of computer
use showed a statistically significant correlation with
vulnerability to phishing."
Now, to me this doesn't say that people are stupid. Quite the
opposite, in fact. To my mind, this points to a fundamental problem
with a system (in this case, online banking) that relies entirely on
the user for security.
As Schneier has argued on many occasions, this system is flawed
because it is based on user authentication, not transaction
authentication. Once someone is logged in, the banks conveniently
assume that everything they do is legitimate (and say as much in
their T&C's), along the lines of "You are responsible for securing
your password, if you lose it, or give it out, tough, that's your
This is just plain wrong. The place to secure the banking system is
at the bank, not on Jane Doe's (or is that Doh!) spyware laden
Windows* box. You have as many points of failure as you do
customers, and that cannot work. Given the prevalence of phishing
and the mighty success it is having, it plainly doesn't work. This
paper helps to understand why, but sorry Richard, "people are stupid"
doesn't help either. People are human, and have to be allowed to
make mistakes. A properly designed system will compensate for those
mistakes and require more than one failure before all your money goes
dancing off to swim with the phishes...
[*] No, I am not having a go at MS, I am having a go at the banks
Yawarra Information Appliances Pty Ltd
Tel: 1300 859 799 / (03) 9800 2261
Fax: (03) 9800 2279
PO Box 606, Boronia VIC 3155
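The design point in the post, a bank that authorises each transaction rather than trusting everything done inside a logged-in session, modelled as a small Python example. This is an added illustration, not code from the post's author or from any bank; it assumes a hypothetical per-account secret held on a separate device (token or phone app) that computes a short code bound to the destination, amount and a fresh bank-issued nonce, so that a password captured on an infected PC is a single failure that does not move money on its own.

```python
"""Session-only authentication vs. transaction authentication (added example).

Assumptions (hypothetical, not any real bank's scheme): the customer holds a
per-account secret on an out-of-band device that never touches the browser;
the bank derives a transaction authorisation code (TAC) as an HMAC over the
destination, amount and a one-time nonce it issued for that transfer.
"""
import hashlib
import hmac
import secrets


def transaction_code(device_secret: bytes, dest: str, amount: int, nonce: str) -> str:
    """Code the customer's device computes after displaying dest and amount."""
    msg = f"{dest}|{amount}|{nonce}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    def __init__(self) -> None:
        self.passwords = {}        # user -> password (what phishing captures)
        self.device_secrets = {}   # user -> secret provisioned to the device
        self.balances = {}
        self.used_nonces = set()   # nonces already consumed by a transfer

    def enrol(self, user: str, password: str, balance: int) -> bytes:
        self.passwords[user] = password
        self.device_secrets[user] = secrets.token_bytes(32)
        self.balances[user] = balance
        return self.device_secrets[user]   # handed to the device, not the browser

    def login(self, user: str, password: str) -> bool:
        return hmac.compare_digest(self.passwords.get(user, ""), password)

    def new_nonce(self) -> str:
        return secrets.token_hex(8)

    def transfer_session_only(self, user: str, password: str, dest: str, amount: int) -> bool:
        """The design the post criticises: a valid login authorises any transfer."""
        if not self.login(user, password):
            return False
        self.balances[user] -= amount
        return True

    def transfer_with_tac(self, user: str, password: str, dest: str,
                          amount: int, nonce: str, tac: str) -> bool:
        """Transaction authentication: login plus a code bound to this exact transfer."""
        if not self.login(user, password):
            return False
        if nonce in self.used_nonces:          # replay of an earlier code
            return False
        expected = transaction_code(self.device_secrets[user], dest, amount, nonce)
        if not hmac.compare_digest(expected, tac):   # wrong or altered details
            return False
        self.used_nonces.add(nonce)
        self.balances[user] -= amount
        return True


def demo() -> dict:
    """Walk through the scenarios; constructed sample data, balances in dollars."""
    bank = Bank()
    device_secret = bank.enrol("jane", "hunter2", 1000)
    results = {}

    # 1. Password alone, session-only design: the money moves.
    results["session_only_pw_alone"] = bank.transfer_session_only("jane", "hunter2", "ACCT-X", 500)

    # 2. Password alone, transaction-auth design: no valid TAC, so it fails.
    results["tac_pw_alone"] = bank.transfer_with_tac(
        "jane", "hunter2", "ACCT-X", 500, bank.new_nonce(), "00000000")

    # 3. Legitimate transfer: device shows ACCT-Y / 50, user enters the code.
    nonce = bank.new_nonce()
    tac = transaction_code(device_secret, "ACCT-Y", 50, nonce)
    results["tac_legit"] = bank.transfer_with_tac("jane", "hunter2", "ACCT-Y", 50, nonce, tac)

    # 4. Same nonce and code submitted again: rejected as a replay.
    results["tac_replay"] = bank.transfer_with_tac("jane", "hunter2", "ACCT-Y", 50, nonce, tac)

    # 5. Code computed for ACCT-Y but submitted for ACCT-X: the binding fails.
    nonce2 = bank.new_nonce()
    tac2 = transaction_code(device_secret, "ACCT-Y", 50, nonce2)
    results["tac_altered_dest"] = bank.transfer_with_tac("jane", "hunter2", "ACCT-X", 50, nonce2, tac2)

    results["balance"] = bank.balances["jane"]   # 1000 - 500 - 50 = 450
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the session-only transfer and the legitimate TAC transfer change the balance; the password on its own, a replayed code and a code bound to different details are all rejected, which is the "more than one failure" property the post asks for.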