Research finds no way to beat phishing

One of the largest studies yet into phishing has concluded that people will always be fooled by phishing sites, regardless of technical knowledge.

The study, conducted by Harvard University and UC Berkley, showed respondents twenty web sites, 13 of which were set up for phishing. They found a good phishing site will fool nine out of ten web users and that anti-phishing technology was ineffective at alerting them.

"Even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate web site and a spoofed one," the report, " Why phishing works", states.

"Our study suggests that a different approach is needed in the design of security systems. Rather than approaching the problems solely from a traditional cryptography-based security framework a usable design must take into account what humans do well and what they don't do well."

The team found that nearly seventy per cent of testers would carry on using a site even after getting a pop up window telling them the site was fraudulent. While many of the testers lacked the knowledge to check that SSL was working many didn't even check the web address in the browser's address bar to check if a site was legitimate.

The lack of knowledge was shocking in some cases. One tester, after entering her user name and password in a phishing site said:

"What's the harm? Passwords are not dangerous to give out, like financial information is."

But even technically savvy testers regularly got fooled by professional looking sites, as was demonstrated with a fake Bank of the West site with the URL www.bankofthevvest.com. This fooled the most technically knowledgeable testers, including those with expert security and only one tester in her fifties spotted the flaw.

The authors suggest that web sites need to be radically redesigned to make them more personal.

One idea put forward by F-Secure would be for users to embed a favourite photo on the web site as part of membership to show the site was legitimate.

"Why don't banks allow you to customize your online banking interface with a picture of your preference? Like your own mugshot? Your pet? Your country's entry to the Eurovision song contest?" said the company in its blog.

"Something that would relate to you - something that you'd miss if it weren't there. There are companies that are working on visual personalization technology; we think it's a good idea that could help to reduce the size of the phishing net."