There are many anti-phishing plugins available for browsers. Are they really all the protection we need?
Dhanjani: The anti-phishing plugins are extremely useful and I sincerely appreciate their efforts. However, it is extremely important to realize that the anti-phishing plugins are a band-aid to underlying problems that must be addressed if we want to come close to solving the phishing problem. We need to do a better job with respect to user awareness, but we must be careful not to expect too much from the average user. We cannot expect the average user to be able to analyze a URL to ensure it is legitimate. Instead we need to come up with browser UI standards that allow the users to clearly and easily distinguish high assurance domains and websites. Most importantly, we need to realize the actual problem at hand: the reliance on static identifiers to establish and maintain identities and execute financial transactions. I will expand on this in the following question.
I'd also like to add that phishers are likely to abuse the blacklists published for these plugins for their own benefit. The blacklists are a list of known phishing sites that the plugins consume in order to identify what websites are fraudulent. These blacklists therefore contain IP addresses and host names of servers hosting phishing sites. Since phishing sites are commonly installed on servers that have been compromised, and phishers don't bother to patch systems they have installed their kits on, this list translates to a 'list of easily compromisable hosts' for other phishers. This situation can lead to multiple phishers obtaining access to the same host after the first one has broken in. However, I think the benefits of anti-phishing plugins outweigh this negative side-effect.
What is, currently, the magnitude of the phishing threat? What can we expect during this year?
Dhanjani: I think the phishing problem is going to continue to grow, and continue to cost us billions of dollars this year and even more so every year moving forward. We can expect the phishers to continue to use similar techniques for a while to come. But what do we do to solve this problem? Well, we can apply as many temporary band-aid solutions as we want, such as host intrusion prevention systems, browser plugins, and we can perform penetration tests on our servers and applications all we want, but these solutions alone are not enough to even come close to solving the actual problem. We are not going to win the arms race with the phishers unless we admit to the underlying problem at hand: the reliance on static identifiers to establish identities and execute financial transactions. Let me expand on this a bit. We take care not to blurt out our SSN to anyone on the street, yet it is likely to be stored on hundreds of corporate databases as we progress in our lives. We take care not to expose our Credit Card numbers, but we must hand them over to people we don’t know at retail stores if we want to use them. We aren’t going to solve the problem of online PII (Personally Identifiable Information) and identity theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.