Browsers, phishing, and user interface design

Browsers, phishing, and user interface design
Scott Granneman, 2006-06-05

Phishing works for so many reasons, we need to rethink browser and user interface design to provide some real-life security to the average user who doesn't see or understand the security cues.

Occasionally a criminal is so, well, clever that you have to admire him even as you wish that he spends the rest of his life in jail. Take Arnold Rothstein, for instance. One of the kingpins of organized crime in New York City during Prohibition and before, the "Great Brain," as he was termed, was more than likely behind the infamous Black Sox scandal, in which the 1919 World Series was fixed in favor of the Cincinnati Reds. He is also widely credited with inventing the floating crap game immortalized in Guys and Dolls. Like some character out of a Damon Runyon story, Rothstein's "office" was outside of Lindy's Restaurant, at Broadway and 49th Street, and he associated with gangsters whose names still trip off the tongue three-quarters of a century later: Meyer Lansky, Legs Diamond, Lucky Luciano, Dutch Schultz. When it comes to colorful, clever criminals, Rothstein is at the top of the heap.

And then, on the other end of the scale, today we have the phishers. Scumbags of the Web, phishers vomit out emails to as many millions of people as they can possibly reach, hoping that a tiny few will respond to their fraudulent request to update their account information at PayPal, eBay, or CitiBank (or just about any other bank you can imagine). This is an enormous problem, and it's not getting any better. I recently read a fascinating study that shows just why that's the case.

If you haven't read "Why Phishing Works" (850 kb PDF) - written by Rachna Dhamija, J. D. Tygar, and Marti Hearst - stop what you're doing now and go get it (or at the very least, read a short summary of what it offers). In just ten pages, your eyes will be opened to just how much of a problem the public - and the security people tasked with protecting them - really face. I knew it was bad, but I had no idea it was this bad.

Basically, the researchers sat a variety of folks down and had them use some web sites. Some were fakes created by the team, and some were not. After watching what the participants did with the web sites, the researchers quizzed the users as to the motivations for their behaviors. The results are eye-opening, to say the least. Here's some of the scarier things I learned from "Why Phishing Works".

Think that cues in the browser will help? Forget it.

When Firefox 1.0 came out, I thought it was a major benefit that the background color of the address bar changed to gold when you were on a site using HTTPS. "How cool!" I remember saying to a friend, "In addition to the gold lock, the entire address bar is gold too. That'll make it even more obvious to people that they're on a secure site!" And that was in addition to the other three indicators that Firefox provides. How utterly naive of me.

In the study by Dhamija et al., 23% of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the web site can't set cookies.

Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.

URLs don't work with everyone either

Some users pay attention to the fact that the address bar changes as they travel through a web site, but they don't really have the foggiest idea what the URL itself means. This extends to HTTPS as well. IP addresses do raise alarms, however ... although the users don't really know what those are. They just find numbers suspicious.

Users fixate on the weirdest things

The site that fooled all but one participant in the study was for Bank of the West (that's a link to the real web site ... or is it?). On that site was a cute animated video of a bear. Evidently that tickled a number of the users who reloaded the page several times to see that animated bear. In fact, some of the participants said that the animation was proof that the site was legit, since it would take too much effort to copy it!

The ordinary folks in the study also figured that if a site has ads on it, then that increases the likelihood that it's not a fake. Likewise, the presence of a favicon (the little icon that appears in the address bar to the left of the URL) was deemed indicative of a site that was not out to steal your money and identity. Amazing what people glom onto.

It's incredibly easy to fool people

I was astonished to read - which again shows my naiveté - that some of the people tested in the study were not only unaware of the term "phishing," but were also surprised that anyone would even engage in such criminal behavior in the first place. In the face of such ignorance, it's no surprise that phishing works.

Others might be aware of phishing, but either ignored or were unsure how to use the various cues provided by the web browsers. This isn't exactly surprising when you consider that they were asked by the browser to "Accept this certificate temporarily for this session." Would your uncle or grandma know what a "certificate" is? How about a "session"? Didn't think so.

Story continued on Page 2

Scott Granneman teaches at Washington University in St. Louis, consults for WebSanity, and writes for SecurityFocus and Linux Magazine. His latest book, Linux Phrasebook, is in stores now.