Why Phishing Works

30 April, 2009 § Leave a comment

I just read a paper written in 2006 about why phishing works. Some of the notable comments in it come from participants in the usability study that was done:

From users who looked at security indicators in website content only:

“I never look at the numbers and letters up there [in the address bar]. I’m not sure what they are supposed to say.”

From users who looked at content and domain name only:

Many did not know what an IP address was, they referred to one as a “redirector address”, a “router number”, “ISP number”, “those number thingies in front of the name.”

From users who looked at all of the above and also for HTTPS in the address:
  • One never noticed the padlock in the browser chrome.
  • One stated that favicons in address bars indicate authenticity better than a padlock because they “cannot be copied.”
From users who looked for a padlock icon:

Some participants gave more credence to padlock icons that appeared within the content of the page as opposed to the browser chrome.

Other notes from the reading:

One user mentioned that she verifies the authenticity of a website by trying to log in to the website and seeing if it will work. She said, What’s the harm? Passwords are not dangerous to give out, like financial information.

One of the last tests had the users look at a phishing site that was a direct copy of a real site. The site included an animated graphic of a bear and produced the following responses:

  • The “cute” design was a convincing factor of a legitimate website.
  • Two participants specifically mentioned the bear graphic, “because that would take a lot of effort to copy”.

Many found the animation appealing and reloaded the page multiple times just to see the animation again.

And the last, but not least. When encountering a website with an invalid SSL certificate, the users accepted it and had these quotes:

“I accepted the use of cookies”, “It asked me if I wanted to save my password on forms”, “It was a message from the website about spyware”

Interesting quotes. I’m not sure how to deal with solving this problem. One solution could be to understand what users assume to be secure and simply design towards that.

Tagged: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

What’s this?

You are currently reading Why Phishing Works at JAWS.


%d bloggers like this: