Sophisticated phishing scams could be fooling 90% of people targeted, study suggests

April 2006: An academic study has investigated whether web users could tell legitimate online bank websites from fake sites produced by phishers.

Though many phishing sites were easy to spot, the best were judged real by almost all participants.

The research was carried out by postgraduate student Rachna Dhamija of the Harvard Center for Research on Computation and Society, Professor Doug Tygar in the department of Computer Science at Berkeley and Professor Marti Hearst at Berkeley. It found that users ignored most of the visual cues on browsers that warn people that they are being scammed.

The academics suggested that website designers needed to rethink ways of flagging up dangers to users.

The study examined bogus websites created by phishing gangs and analysed what made users believe that these sites were legitimate. Statistics produced by the banking industry suggest that, on average, 5% of those that get phishing e-mails visit an associated website and may be fooled into handing over data. On more sophisticated scams, many times more people are taken in.

The study presented real online banking and fake phishing sites to subjects to see if they could tell the two types apart. On average, 40% of users failed to spot the phishing sites. The most sophisticated site caught out 90% of the 22 people participating.

The study revealed that people were caught out because they were generally ignorant about what did, and did not, indicate that a site was legitimate. For instance, few of those participating looked at the domain name displayed in a browser address bar. The problem, said the researchers, was that "the indicators of trust presented by the browser are trivial to spoof".
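The one indicator the study found users rarely consulted, the host name in the address bar, is also the one a phisher cannot forge, because the browser shows the host it actually connected to. As an added illustration (not code from the article or the study), the snippet below shows the check a security-aware user or a browser extension performs: parse the URL, take only the host part, and compare its registrable domain against a short list of domains the user genuinely banks with. The bank name and the sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the user actually banks with.
# Placeholder name; not taken from the original article.
TRUSTED_DOMAINS = {"examplebank.test"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    This is deliberately naive: it ignores public-suffix rules such as
    'co.uk', which a production check would resolve with a public-suffix
    list. It is enough to show the principle.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a URL by the host the browser will really connect to.

    Returns 'trusted' (HTTPS to an allowlisted domain), 'insecure-scheme'
    (allowlisted domain but not HTTPS) or 'untrusted' (anything else).
    Page titles, logos and text before an '@' in the URL play no part,
    which is exactly why the address bar host is the cue worth reading.
    """
    parts = urlsplit(url)
    host = parts.hostname  # drops userinfo ('user@'), port and IPv6 brackets
    if not host:
        return "untrusted"
    if registrable_domain(host) not in trusted:
        return "untrusted"
    if parts.scheme != "https":
        return "insecure-scheme"
    return "trusted"


# Constructed sample URLs illustrating the decision; none are real sites.
SAMPLE_URLS = [
    "https://online.examplebank.test/login",                 # genuine subdomain
    "http://online.examplebank.test/login",                  # right host, no TLS
    "https://examplebank.test.account-verify.example/login", # bank name as a prefix
    "https://examplebank.test@account-verify.example/login", # bank name as userinfo
    "https://examp1ebank.test/login",                        # look-alike spelling
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{classify_url(sample):16} {sample}")
```

The decision rests solely on `urlsplit(...).hostname`, so the two URLs that embed the bank's name as a subdomain prefix or as userinfo are both rejected, and a look-alike spelling fails simply because it is not on the allowlist. The same logic is what a bookmark does for a user: it removes the need to judge the address bar at all.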

John Brand, MD of authentication specialist Identrica, commented that the study demonstrates again that user education on its own will never be a sufficient defence against phishing. "The phishers and their attacks are constantly becoming more sophisticated, and this study didn't even consider the far more insidious problem of 'trojan' attacks. Victims don't need to be stupid or even very careless to be caught out."

Brand believes that strong, two-factor authentication is the only real answer. "Because people can always be lured into giving away their secrets, strong authentication needs to check that they not only know a password or PIN but also actually possess some physical item unique to them. Even the most determined phisher can't steal that over the Internet."
