PHISHING THE COMMON USER. Interview with S. Egelman

How do common users react to a phishing attack? To find out, a group of researchers at Carnegie Mellon University carried out phishing attacks on a sample of users and studied their behavior. They presented their results this morning at CHI 2008, and the picture that emerged is not reassuring from a security point of view. For example, 97% of the users believed the phishing e-mail and went to visit the phishing site. At that point, 87% of the users who received passive warnings (and 21% of those who received active warnings) also believed the phishing web site and entered their data. I asked one of the authors of the paper (Serge Egelman) some questions, and here you find his answers:

Why did you choose to carry out a study about phishing attacks on common users?
“Phishing is a growing problem which is costing banks and consumers billions of dollars each year.  Recently, software has started to address the phishing problem.  However, we were curious how effective the current software is, and how it could be improved.”

Based on your research, what are the reactions of users to a phishing attack?
“Most users are largely unaware of the problem, and tend to be fairly naïve when sending personal or financial information online.  Most users don’t seem to understand how easy it is to create a very professional looking website, and this is exactly why phishing is effective.”

Were there any differences between passive and active warnings? Were there any differences among browsers?
“Yes, previous research has shown that passive security indicators are generally pretty useless because users do not notice them.  Additionally, positive indicators are also useless (i.e. indicators that appear on "good" websites) because the bad guys can simply copy them.  Instead, negative active warnings are the best solution because they force the users to notice them and there’s little incentive for the bad guys to spoof them.  We found that significantly more users noticed the active indicators, and significantly more noticed the ones used by Firefox than Internet Explorer.”

What sorts of security user interfaces do you imagine to prevent phishing in the future?
“Well, there are two sides to the problem: detection and effectively warning users.  Until detection can be 100% perfect – if it were, it would just be a matter of automatically detecting the "bad" websites and filtering them out without even asking the user – we’re stuck with forcing the user to make a decision.  In order to do that effectively, the warnings should yield few false positives, present recommendations to the user, make the choices very clear, and present clear consequences as well.  In dire cases where the website is very likely phishing, these warnings should interrupt the user rather than simply relying on them to take notice.”

© 2008, Il Sole 24 Ore. Web report from CHI 2008.