The situation is not looking good for the good guys combating phishing.
Various toolbars and browser plug-ins were the heralded solution against the plague of emails arriving from Eastern Europe, urging unsuspecting users in badly mangled English to visit a random website and provide personal information. At first it even appeared to be working. Then came the signs that not all was well.
One study commissioned by MSFT showed that IE7 was best-of-breed among existing solutions. (Full disclosure: this blogger is employed by Microsoft.) Not to be outdone, the Mozilla foundation, the non-profit organization behind the open source Firefox web browser, conducted its own study and not surprisingly crowned the anti-phishing feature of Firefox 2.0 as the winner. Either study would have been easy to dismiss based on the funding/affiliation.
But then academia took interest in the problem, and a group at Carnegie Mellon published a study showing that in effect none of the technologies were very good. Even the best one missed 15% of confirmed phishing pages at least 24 hours into the life of the scam. (Because the average site stays up 4.8 days according to the Anti-Phishing Working Group, most of the damage is done very quickly, and it is imperative for defenses to kick into action promptly.) Surprisingly, the best toolbar in this study was of 2004 vintage: SpoofGuard, an open-source solution developed at Stanford University that relied purely on heuristics, without the benefit of a costly-to-maintain blacklist of known phishing sites. Unfortunately SpoofGuard had its own Achilles heel: a very high false positive rate, that is, it frequently classified legitimate websites as phishing. This is equally damning, because a security warning that cries wolf all the time is the one that will get ignored when it is justified.
But there is hope, the optimists could argue. After all, the CMU study only considered phishing filters that integrate into popular web browsers and attempt to warn the user when they are lured to a phishing website. That’s not the only paradigm for combating phishing: a more promising approach gaining popularity involves personalizing legitimate websites for each user. For example, users can choose an image that will appear on their login page, allowing them to recognize at a glance whether a given site is the correct one. PassMark was one of the first companies to commercialize this approach, now used by Yahoo! in SiteKey, as well as by Bank of America and Vanguard.
At least that was the theory. A new paper from a Harvard/MIT team, appropriately titled “The Emperor’s New Security Indicators”, suggests that it does not work very well as deployed. As reported by the New York Times (the fact that this is even covered in the NYT suggests how mainstream internet security has become), the researchers found that the majority of users were happy to ignore missing images and provide their credentials anyway.