Fighting back against phishing



April 12th, 2006

There’s been a paper on phishing released recently (PDF download here) which examines phishing techniques and concludes that some of the spoof websites used in the study could fool as many as 90% of the participants involved in the study. 

90% seems awfully high to me, but let’s assume that it’s right (I’m guessing that the reason for the high number of catches is that people were asked to determine whether websites they weren’t familiar with, such as a banking site that they don’t use, were spoofs or real ones). What does this prove? That it’s easy to create a clone of a website. Big deal. Copying the look and feel of a website is easy, and relying on a logo and the underlying HTML to judge authenticity is foolhardy to say the least.

I like the idea proposed by F-Secure – being able to upload a picture to the site that you are dealing with. See the picture that you expect and you know that it’s the right site. I’d like to see this notion taken further – for example, why not have your picture on the site to confirm that it’s you. As far as I can see, banks put a lot of effort into verifying the customer, but they don’t give the customer any way to verify that the bank is who it says it is.
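The picture-based check described above, as an added illustration that is not part of the original post or of F-Secure’s design: the site shows the user’s chosen picture only after the browser presents a device cookie issued at enrolment, so a look-alike site that has collected only a username cannot fetch the picture to copy it, and the user types a password only after seeing the picture they expect. The `Bank` class, the device-cookie binding, and the sample user are constructed for this example.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Toy login service in which the site proves itself to the user (via a
    user-chosen picture) before the user proves themselves to the site.
    Constructed for illustration; not any real bank's implementation."""

    def __init__(self):
        self.users = {}  # username -> {"salt", "pw", "image", "devices"}

    def enroll(self, username, password, image_id):
        # The user picks a picture at enrolment; only the genuine site knows it.
        salt = secrets.token_bytes(16)
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        device_cookie = secrets.token_hex(16)  # issued to this browser only
        self.users[username] = {"salt": salt, "pw": pw, "image": image_id,
                                "devices": {device_cookie}}
        return device_cookie

    def site_proof(self, username, device_cookie):
        """Step 1: the user enters only a username; the browser sends its cookie.
        The picture is revealed only to an enrolled device, so a third party
        that relays just the username gets nothing to imitate."""
        user = self.users.get(username)
        if user is None or device_cookie not in user["devices"]:
            return None
        return user["image"]

    def check_password(self, username, password):
        """Step 2: the password is sent only after the expected picture appeared."""
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(candidate, user["pw"])


def run_demo():
    bank = Bank()
    cookie = bank.enroll("alice", "correct horse", "img-sailboat")  # constructed user
    # Genuine site, enrolled browser: Alice sees her sailboat and proceeds.
    genuine = bank.site_proof("alice", cookie)
    # A look-alike site knows only the username; without Alice's device cookie
    # it cannot obtain the picture and so cannot reproduce the cue she expects.
    spoof = bank.site_proof("alice", "no-such-cookie")
    return {"genuine_image": genuine, "spoof_image": spoof,
            "login_ok": genuine == "img-sailboat" and bank.check_password("alice", "correct horse"),
            "wrong_pw": bank.check_password("alice", "wrong")}
```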

Security on the web has a long way to go, and I can’t help but feel that tokens will be the way to go (although as soon as some banks introduce this, expect other banks and companies such as PayPal to be hammered mercilessly as they become the low hanging fruit).


This entry was posted on Wednesday, April 12th, 2006 at 16:25 and is filed under Stay Secure.

One Response to “Fighting back against phishing”

  1. Recommended Web Tools Says:

    Thoughts on Phishing

    PC Doctor posted an article about image recognition between user and website as an additional form of security to thwart phishing attempts. The image adds a layer of security. For example, a user logs in with a username and password. The user is the...