RE: (not really a) Proposal to anti-phishing

["Mike Andrews" <mike () se fit edu>]

> -----Original Message-----
> From: Wall, Kevin [mailto:Kevin.Wall () qwest com]
> Sent: Monday, January 24, 2005 2:29 PM
> To: Mike Andrews; Rishi Pande
> Cc: webappsec () securityfocus com
> Subject: RE: (not really a) Proposal to anti-phishing
>
> Mike Andrews writes...
>
> > I remember doing a quiz on phishing some time ago.  After much
> digging,
> > here's a link to the quiz (version 2)
> >
> > http://survey.mailfrontier.com/survey/quiztest.html
> >
> > Sorry, it doesn't give any results of the survey - perhaps someone
> could
> > email the company and ask about the results, especially which ones
> people
> > didn't get.
>
> Of course, the "quiz" is pretty much useless. There are some obvious
> phishing attempts, but the few that look (are?) legitimate, one can't
> really tell because all they give you is an image, so you can't really
> see what the links are pointing to or do a 'view source', etc.

Yeah, I agree, but I think that what the company was trying to do is see if
people can recognize phishing attempts just by the email content itself (and
the status bar when you hover over a link).  By using an image it forces the
survey takes to use just their eyes and no other technical abilities - a
pretty standard way of normalizing surveys same as choice lists.


> But IMHO, I think that HTML e-mail should be outlawed, period. That
> alone
> might go a long way to eliminating a lot of phishing schemes, especially
> the ones that rely on bugs in the MUA's HTML rendering engine to entice
> the victims.

Here, here.  Would also get rid of all those cutesy/fancy stationary schemes
our secretaries insist on using :)

Cheers,
Mike.