WebApp Sec mailing list archives
Re: (not really a) Proposal to anti-phishing
From: Rishi Pande <rishi.pande () gmail com>
Date: Mon, 24 Jan 2005 11:16:14 -0500
I agree that user education is important. I would be interested in seeing if younger users - ages 20 and below - who basically grew up with the internet are less gullible to phishing scams. Any pointers to such research or anyone willing to take this matter up will be appreciated. If someone wants to take this up, I am also willing to help them out.

On another note - this reminds me of something one of my professors used to say: people who surf the internet should have to take a test before they ever get on, just like the driver's test.

Rishi

On Wed, 19 Jan 2005 11:14:09 -0600, Scott, Richard <Richard.Scott () bestbuy com> wrote:
Without getting into a technical debate - I don't think any technical solution exists for the social problem that we have. That is, it does not matter what solutions are in place; if users are willing to give out personal information without thinking of the context in which they are giving it, then there isn't much hope.

For example, in the phishing attempts I have seen, web sites are used to trick the user into believing that an order has been cancelled or some sort of process is on hold. To release the order for delivery, or to correct information, the user is asked to enter information. Now, why would a web site that sells goods and services ask for my bank account PIN? Why would I enter my SSN on a site that does not need it, or on a site I have never visited? Why would I give out my mother's maiden name?

There are two problems I see that need to be corrected:

(1) Users give out too much personal information without good justification. Users should be educated in giving out information.

(2) Corporations need to stop relying on certain data elements for authentication. Why on earth do financial and health institutions ask for the last 4 digits of an SSN - when the last four digits are more readily available than the full number? The logic just doesn't make sense.

The three simple concepts - education, awareness and better use of data - will do more to prevent phishing than an expensive security mechanism. Obviously, there may be some phishing scams that involve, for example, bank web sites etc. But if banks went on record to state they would never solicit information using that medium, we simply just communicate that to the population.

<End Rant>

Cheers,
Richard