A new approach against fishing

by Francois Joseph de Kermadec

Phishing is a science on the new Internet and an increasing number of users fall prey to some very sophisticated attacks conducted by specialized hackers. In some cases, phishing e-mails and messages are more convincing and true-looking than the ones actually originating form the companies they imitate and one can easily understand how so many users are deceived. After all, we all have our attention lapses our, my-boyfriend-just-dumped-me-and-I-don't-give-a-damn-about-the-whole-world moments and, if only to guard ourselves against our periods of inattention, it is becoming important to find ways to thwart fishing attempts.

I was reading today an article on phishing, published by two of O'Reilly's finest security experts and a couple points grabbed my attention: according to the authors, phishing attacks succeed so easily because users are confused by the long, complex procedures that routinely are forced on them and should be able to detect phishing e-mails because they are poorly worded.

Hmm… If this is all so simple (of course, the article introduces some excellent mitigating factors but I don't want to spoil the surprise), how come users don't distinguish between legitimate and malicious e-mails? The more I think of it, the more I am forced to admit that the quality of e-mails we routinely receive from companies is about the same than the fishy e-mails.

Whoever has used PayPal, eBay or Amazon knows how sheerfully confusing their sites are: forms are endless, URLs cryptic beyond belief (I sometimes think the Amazon developers play a game consisting of stuffing as many "%" in the address bar as possible until a browser crashes) and the prompts do not make any sense, even to a relatively comfortable user — what the hell is PayPal doing while, redirecting from an HTTPS page to another HTTPS page, they insert a message stating they are "switching to a secure connection"?

Given the mess legitimate companies present their users with, how can we expect them to not take phishing e-mails for granted? Maybe if companies could decide on simpler URL schemes, better laid out forms and more straightforward marketing practices (such as not sending the same mails 3 times because their server went bonkers), would users then think something is amiss when receiving a message asking them to "update information theirs to continue account"?

My name, for example, is, I think you will agree, confusingly French. The result? No company out there spells it the same way and I have already been greeted on Amazon with "Hello Rdfd4RR3ercdcfdf43RT4R5!", thanks to some unexplained glitch with their character encoding engine. Fun, yes, but slightly distressing given the same people claim they need my name to "appear exactly as it is on my bank statement" and fail to notice any discrepancy between "François Joseph de Kermadec" and "Rdfd4RR3ercdcfdf43RT4R5" while processing the payment request.

Of course, phishers could then kick their work up a notch and get into designing polished sites. Only this requires considerably more time, energy and, well, good taste, that the average crook may be willing to invest. Sure, some would do it, but how many? And, more importantly, how many users, once in full control of their interaction with a company, would still believe eBay is in dire need of their new credit card number on a Sunday evening?

The real world also introduced notions that were beneficial in helping users make informed decisions: business hours, hierarchy, uniforms, the fact the real world employees don't give a damn about you… If I saw a hyper friendly cable guy ring my door bell on Saturday evening, wearing a purple corduroy suit and asking me for my banking information, I wouldn't believe it for a second to be legitimate. Why? Because the cable guy does not need to know about my account information (his hierarchy in the company does not allow it), Saturday evening is not a time at which cable employees work (business hours), cable people usually wear a blue polyester shirt (uniform) and they are never, never friendly (the mood test). While transposing their business in the online world, companies made away with most of that: they kept changing their look (the online equivalent of a uniform), sat up servers to do the mass mailing at night (away with business hours), hid their actual hierarchy behind overly generic names (customer satisfaction department?!) and hired PR people so that every communication would be obscenely cheerful and "corporate-sounding", therefore taking away any possible mood or language test. I don't mind someone being rude at me if that is a way for me to ascertain that he is who he claims to be.

Yes, phishing e-mails are the equivalent of your corduroy-wearing cable guy: you should be able to detect them immediately.

Phishing is a complex problem and this is by no means a panacea. However, being the anally retentive believer in "best practices" I am, I cannot help but yearn for a logically organized Internet, where people who are reasonably willing to pay attention to what is presented to their eyes (which, presumably, is not everyone), could make sense of it.


2005-10-26 09:09:25
RE: "switching to a secure connection"
[quote]what the hell is PayPal doing while, redirecting from an HTTPS page to another HTTPS page, they insert a message stating they are "switching to a secure connection"?[/quote]

Wow. It is always interesting to see how non-technically literate people interpret things, but kind of unusual to see them posting articles on this site.

PayPay doesn't insert that message, IE does. Sometimes MS will change there browser so that things that previously didn't cause any problems will suddenly cause security messages like that to appear on legitimate sites. Usually they are wrong, and serve no real purpose other than to confuse a lot of people (like you), and to teach people to dismiss all alerts without trying to understand them. Feel sorry for the hapless developers who are always having to work around IE's UI disasters.

2005-10-26 09:18:14
RE: "switching to a secure connection"

I fear we are not talking about the same message!

The one I am talking about is definitely part of the PayPal website, is even beautified with a couple links and, if memory serves well, a GIF image. I do know about dialogs warning users they will switch to a secure connection and this is definitely not what I had in mind here…

Also, I haven't touched Internet Explorer for a long time but for the occasional Quality Assurance process.

You do raise a valid point about browsing having a limitless potential to confuse users, though!