Tuesday, June 26, 2007


Gone phishing

Chase Bank Online® Department Notice

You have received this email because you or someone had used your account from different locations.
  For security purpose, we are required to open an investigation into this matter.

In order to safeguard your account, we require that you confirm your banking details.
  To help speed up this process, please access the following link so we can complete the verification of your Chase Online® Banking Account registration information :

[URL omitted here]

Please Note:
  If we do no receive the appropriate account verification within 48 hours, then we will assume this Chase Bank account is fraudulent and will be suspended. The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community.

  We appreciate your support and understanding and thank you for your prompt attention to this matter.

  Chase Bank - Chase Online® Banking Department
 ©2007 JPMorgan Chase® Co.
  Please do not reply to this email as this is only a notification. Mail sent to this address cannot be answered.

Would that message have convinced you, assuming you have an account there, to click the link they provided and “log in”? Probably not, because of some bad grammar and odd formatting (note the blank spaces at the beginnings of some of the lines, but not enough to count as paragraph indentation). But such “phishing” messages — usually better-written ones than that — trick many people, and banks, credit card companies, online payment systems, and other targets of phishing are doing what they can to educate their customers.[1]

You've seen the warnings: don't click on links in email messages (always type the address into the browser yourself, or use a bookmark that you created). These are often accompanied by advice about what to look for in the email or when you reach the real web site. The mail will contain information that the phisher couldn't know (real eBay messages, for example, have your eBay user name, while the phishing messages don't — though they often say they do). The web site may use alternative identification techniques, such as personally chosen pictures or phrases. And there are clues in the browser itself: a “lock” icon and other indications that you have an encrypted (SSL) connection to the web server... and you should always look closely at the URL to make sure it's right (www.borgbank.com/login, not www.stealmymoney.com/borgbank/login).

But how well does all that work? How well can it work? Does the average Internet user understand all this enough to really tell whether something is real or fake? Will you notice that a URL of www.borgbank-login.com or www.b0rgbank.com (that's a zero in place of the letter o) isn't right? If the phishing site puts a padlock icon at the bottom of the web page, will you really notice that it's in the page content, not in the browser frame? Do you know the difference? Do you understand what the padlock means?

Harvard researcher Rachna Dhamija and her colleagues look at these and related questions in two excellent papers:

  1. Why Phishing Works, which was presented at CHI 2006 (or get the paper from Dr Dhamija's web site here), and
  2. The Emperor's New Security Indicators, which was presented at the 2007 IEEE Symposium on Security and Privacy (and also available here).

In “Why Phishing Works”, the researchers cloned a bunch of web sites, some real and some fake (phishing), and presented them to some volunteers, who were asked to determine which were real and which were not. They threw in some very well-faked sites, as well as some badly done real ones. They also had the volunteers answer some questions about what they did and what they thought it meant.

No one got them all right, and one fake site, using the URL www.bankofthevvest.com (note the double v replacing the w in “west”) fooled all but one participant, including all of the more savvy ones. What's more, the study showed that a major reason that phishing works is that most users are not only fooled by sophisticated techniques, but they don't understand enough about web site security to defend themselves against even “simple” or “obvious” — unsophisticated — techniques.
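The lookalike tricks mentioned above (a zero for an "o", "vv" for "w", the brand name pushed into a subdomain or the path as in www.stealmymoney.com/borgbank/login) are exactly what an automated URL filter can catch even when a person does not. The following is an added example, not code from the post or from the papers it cites: a small classifier that reduces a hostname to a "skeleton" with confusable sequences collapsed, then compares it against a constructed list of known-good hosts (the hypothetical borgbank.com and bankofthewest.com names used in the post).

```python
"""Lookalike-domain check for URLs found in mail (added example, not the post's own code)."""
from urllib.parse import urlparse

# Constructed allow-list of legitimate hosts; a real deployment would load its own.
KNOWN_GOOD = {"www.borgbank.com", "www.bankofthewest.com"}

# Visually confusable sequences, longest first so "vv" becomes "w" before "v" is looked at.
CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
]


def skeleton(label: str) -> str:
    """Collapse confusable sequences so a lookalike maps onto the genuine label."""
    s = label.lower()
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Crude: production code should use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'brand-outside-domain' or 'unrelated'."""
    if "://" not in url:            # bare "www.borgbank.com/login" as it appears in mail
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    good_regs = {registrable_domain(h) for h in KNOWN_GOOD}
    if reg in good_regs:
        return "legitimate"
    brands = {g.split(".")[0] for g in good_regs}
    # The part of the domain the attacker actually controls, with confusables collapsed.
    label = skeleton(reg.split(".")[0])
    if any(b in label for b in brands):      # b0rgbank, borgbank-login, bankofthevvest
        return "lookalike"
    # Brand name present, but only in a subdomain or the path of an unrelated domain.
    haystack = skeleton(host) + parsed.path.lower()
    if any(b in haystack for b in brands):
        return "brand-outside-domain"
    return "unrelated"
```

The skeleton step is deliberately conservative: it only flags a host whose controlling label still contains the brand after normalisation, so unrelated domains are not reported just because they share a few characters.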

Most users do not know what security certificates are or how they're used, and thus don't understand the meanings of the browser's popup warning about suspicious ones, nor the consequences of just clicking “accept” on the popups. They don't understand what the lock icons mean (and actually believe that an icon in the page content is a better security indicator than one in the browser frame). They don't even notice most of the security indications in the browser.

The second study gave similar results, this time asking the participants to go to a banking web site and perform some banking transactions. The participants were either given credentials to use while playing a role assigned to them, or asked to use their own accounts to log in. They were then presented a series of increasingly obvious security risks, to see when they would say, “No, something's wrong here, I'm not entering my password.”

No one in the study balked at the simple lack of SSL encryption (no padlock icon, no https in the URL). It took a glaringly obvious warning popup to make a significant number stop... and even then, more than half logged in anyway. (This study did show that they were likely to take more risks with the account they were given for the study than with their own account, implying that studies that ask participants to play an artificial role (which is usually what they have to do) may automatically introduce a bias.)

Both papers are worth reading, if you're interested in this sort of thing. I particularly like the first paper, “Why Phishing Works”, for what it shows about what users don't understand. The bottom line here ought to be obvious, but it seems that it's not: we can't rely on users to make computer-security decisions, because users generally don't know enough about computer security to even hope to try. Any answer to a security problem that includes “educate the user” will fail. Look at the numbers and look at the survey results: few users understand even the first steps to securing their online lives, nor should they be expected to. We have to solve the problems in other ways.

And a side point: It doesn't help that legitimate sites often require that users ignore what we're trying to teach them. When a site lets its SSL certificate expire or uses a self-signed one, it's teaching its users to click “accept” when they shouldn't. When a site makes an ill-advised attempt to smarten up its login screen and winds up hiding the SSL behind javascript, it's teaching its users not to worry about the padlock icon. When a site uses “authentication images” and then misrepresents how secure that makes things (see the “Discussion” section of the second paper), it's teaching its users that they don't need to be alert to the variety of attack methods that are out there.

It's possible to do business online safely, and if you're reasonably cautious you're probably fine. Now... are you sure you're being reasonably cautious?

[1] Just so it's completely clear: the message I posted at the beginning of this post is a real message that I received the other day, is absolutely a scam, was sent by a scammer, and has nothing whatever to do with the real Chase Bank.

1 comment:

mitmwatcher said...

Phishing works... even the bank officials fall into the trap of it. Here is a simple case.
Similarly, it is funny to see these types of messages
from banks to confuse users.
User education will not solve the problem as we can't expect users to change their habits.
I have blogged about this.