
I just finished reading a user study on phishing. The authors discovered that pretty much every user in the study did not use the proper techniques to tell the difference between a legitimate site and a phishing site.
Before I dive into how to tell the difference properly, let me explain what a phishing site is. They are sites that are set up to look like a real site, like your bank, and ask you for information (this is what those constant spam emails you get about PayPal and eBay are about). Now most people (correctly) think that phishing sites are after personal information like your address, account numbers, etc. But they are also after your username and/or password. If they have those they don't need you to tell them your personal information, as they can log into the real site on their own as you and get the information themselves.
Now, for the purpose of this discussion I am using Firefox as the example browser. You can use similar techniques in other browsers, but Firefox is a good browser and I highly recommend it (especially over Internet Explorer). If you do not use Firefox I suggest you start.
When evaluating whether a web site is legitimate or a phishing site that is just trying to pose as another site, the key point to keep in mind is that the only thing you can trust is the web browser itself, not the web page! No matter how professional or complex a web site looks, it can still be a fake. I can run a free, easily available program that makes an exact copy of a web site and change it in an invisible way so that all the information you enter goes to me instead of where you wanted it to go.
For example purposes, the location bar that is shown at the start of this post is a secure connection to GMail.
So, the first thing is that you can trust the URL (web address) that shows up in the location bar of the browser. If the web address is not what you expect then do not trust it! A bunch of numbers (called an IP address) in place of a name should not be trusted unless you truly know what you are doing (and if you don't know how an IP address works then you don't know what you are doing). In the example you can clearly see that "www.google.com" is the web address. It is at the beginning, right after "https://", and does not contain any typos.
And watch out for typos! In the user study that inspired this post, people didn't catch the difference between "bankofthewest.com" and "bankofthevvest.com" (two v's in place of a w). You could also be fooled by "paypal.com" versus "paypa1.com" if the font used does not make an "l" and a "1" look different enough.
The other thing to notice is the yellow background and the padlock in the location bar. Also notice how the address starts with "https". Those three pieces of information mean you have an encrypted connection between your web browser and the site named in the location bar, which in the example is Google. That is why checking the address comes first: a fake site can have a padlock too, for its own fake address, so the padlock only means something once the name next to it is right. Anything you type into the web page will then be sent to Google in a secure fashion. If the background of the location bar is white, the padlock is missing, or the "https" is just "http" (notice the missing "s"), then you need to be careful to make sure you trust the site! It might be a fake, or the site might be poorly designed and be sending sensitive information insecurely. Usually Firefox warns you if you are about to send something insecurely (assuming you didn't tick the box once to tell it to stop warning you!), so a page that is not itself secure might still send what you type securely behind the scenes, if it was designed properly. But be careful about relying on that!
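The checks above (is it "https", is the host a name and not an IP address, is the name exactly the one you expected, is it a look-alike spelling) can be written down as a short routine. The following is an added example, not code from the original post: it uses the standard URL class to pull the host out of a location-bar string, compares it against the domain you meant to visit, and flags the two typosquats mentioned above by collapsing confusable character sequences. The confusable list and the sample URLs are constructed for illustration; a real check would use a much larger list.

```javascript
// Added example, not from the original post: apply the location-bar checks
// (scheme, host, IP-address hosts, look-alike spellings) to a URL string.
// Runs in Node.js or a browser; the WHATWG URL class does the parsing.

// Assumption: a short, constructed list of character sequences that read as
// another character in common fonts. Real typosquat checks use far larger lists.
const CONFUSABLES = [
  ["vv", "w"],
  ["rn", "m"],
  ["1", "l"],
  ["0", "o"],
];

// Collapse look-alike sequences so "paypa1.com" and "paypal.com" compare equal.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// URL.hostname yields a dotted quad for IPv4 and a bracketed literal for IPv6.
function isIpLiteral(hostname) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(hostname) || /^\[.*\]$/.test(hostname);
}

// True when hostname is exactly the expected domain or a subdomain of it.
// "www.google.com.evil.example" does not end with ".google.com", so it fails.
function hostMatches(hostname, expectedDomain) {
  return hostname === expectedDomain || hostname.endsWith("." + expectedDomain);
}

// Check a location-bar URL against the domain you meant to visit.
// Returns { ok, host, findings }; findings lists every reason to distrust it.
function checkLocation(urlString, expectedDomain) {
  const findings = [];
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, host: null, findings: ["not a valid URL"] };
  }
  // URL.hostname strips userinfo ("www.google.com@") and the port, so the
  // "real" host is what ends up here even for the user@host trick.
  const host = url.hostname;
  const expected = expectedDomain.toLowerCase();

  if (url.protocol !== "https:") {
    findings.push(`scheme is "${url.protocol.slice(0, -1)}", not https`);
  }
  if (isIpLiteral(host)) {
    findings.push(`host is an IP address (${host}), not a name`);
  } else if (!hostMatches(host, expected)) {
    if (hostMatches(skeleton(host), skeleton(expected))) {
      findings.push(`host "${host}" only looks like ${expected}; check the spelling`);
    } else {
      findings.push(`host "${host}" is not ${expected} or a subdomain of it`);
    }
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push(`host "${host}" contains an internationalized (punycode) label`);
  }
  return { ok: findings.length === 0, host, findings };
}

// Constructed sample URLs; only the first should be trusted.
const SAMPLES = [
  ["https://www.google.com/accounts/", "google.com"],
  ["http://www.google.com/accounts/", "google.com"],
  ["https://www.bankofthevvest.com/login", "bankofthewest.com"],
  ["https://paypa1.com/signin", "paypal.com"],
  ["https://192.0.2.10/login", "google.com"],
  ["https://www.google.com@evil.example/", "google.com"],
  ["https://www.google.com.evil.example/", "google.com"],
];

for (const [u, d] of SAMPLES) {
  const r = checkLocation(u, d);
  console.log(r.ok ? "TRUST  " : "SUSPECT", u, r.findings.join("; "));
}

if (typeof module !== "undefined") {
  module.exports = { checkLocation, skeleton, hostMatches, isIpLiteral };
}
```

Two of the sample URLs show why the host has to be read from the parsed URL rather than by eye: "https://www.google.com@evil.example/" puts the expected name in the user-info part, and "https://www.google.com.evil.example/" puts it in a subdomain of the attacker's domain. Both start with "www.google.com", and both are rejected because the hostname the browser actually connects to is not google.com or a subdomain of it.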
And that is all you can trust! That little colourful "G" to the left of the web address? You can't trust that! That is easy to fake as it comes from the web site and is not controlled by the web browser. A padlock within the web page itself? Meaningless. A link to some page that claims to verify the site? Can't be trusted unless you really understand how things on the web work.
And in case you didn't know, never trust links from emails. It is easy to fake where an email comes from (I could easily send an email that looks like it came from a bank). If you get a reminder email to pay off your credit card, open up a new browser window and type the address in manually! And make sure you spelled it correctly! If you do those two things you pretty much guarantee you won't accidentally end up at a phishing site: type in all important web addresses by hand, and type carefully!
Remember, only trust the location bar, not what a web page claims, and don't base your decisions on how the page looks!