Dave Naffziger's Blog

I continue to be amused by the misplaced notion that users can somehow be trained to avoid phishing scams. Over the last few months I’ve come across several studies that continue to reinforce this belief:

Users click on an ad Promising a Virus

I’m not sure if I could write a spammier ad. Didier Stevens ran this ad on Google. 409 people at a CTR of 0.16% clicked on the ad. I shudder to think what would have happened if he ad sent an email or spent time optimizing his ad text.

I wonder if Google considers these clicks click fraud?

SiteKey Useless Against Phishing - Users give up Password without Image
I have always been a vocal critic of the image-based authentication systems. The idea is that every user sees a custom image once they enter their username. If they don’t see the image, they are not supposed to enter their password.

Well, a recent MIT/Harvard study showed that 97% of users gave up their password if the image was missing. Read the full article at the NYTimes (reg required). Great, nothing like false security.

See ING Direct’s login screen below for an example of the SiteKey system in action.

Man in the Middle attack against SiteKey
OK, so we’ve already seen the RSA’s SiteKey is mostly useless if an image is missing. However, researchers have also demonstrated that it is possible for a phishing attack to show you the image, therefore completely mimicking the website.

It is kind of brain-dead obvious, but the basic principle is that all logins require a user to enter information. So, a phisher is able to replicate the entire experience:

1. User enters username on phishing site
2. Phisher enters username on banking site
3. Phisher sees image/phrase/whatever
4. Phisher presents image to user on phishing site
5. User enters password on phishing site
6. Phisher logs in to banking site
7. Phase 3: Profit