
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


PayPal and Anti-Phishing Recommendations

Earlier this week there was fairly widespread reporting over a claimed incident where a Mac user was advised against using Safari when connecting to PayPal. It was claimed that since Safari (and many other browsers on OS X) does not alert users that they are visiting sites that may be phishing sites and does not support Extended Validation, then it should not be used to log into PayPal.

The inherent problems associated with browser-based anti-phishing mechanisms have been covered before on this site, and the advice that was reported to have been given encourages ignorance of the very real problems that arise when users place too much trust in these systems. The biggest problem with these systems is that they rely on a list of known phishing sites, which is less useful than it first seems, for several reasons. A phishing campaign can be launched and shut down quickly, can be set up on an otherwise-legitimate URL, or can serve only one or two phishing attempts to each user; any of these rapidly fills the anti-phishing database with outdated and inaccurate data that is of little real benefit to the end user. Privacy advocates are also wary of the browser making queries back to a centralised server for each and every web page being loaded, even if only hashed data is sent back.

Even when the anti-phishing databases work, it is claimed that users still need to be trained to look at, and trust, the indicators that report whether a site has been assessed as safe by the various anti-phishing mechanisms, so their overall impact is lower than is ideal (though any improvement is a good thing; consider how long it took for users to get used to the idea of looking for the lock icon when visiting a secure site).

It has been pointed out that browsers such as Safari and Camino, while they lack the anti-phishing address bar colourisation, do use the system Keychain to store authentication details for sites, and this provides an instant visual clue that something is wrong when a user's details have not been pre-filled on a site claiming to be PayPal, eBay, their bank, or some other site where they use authentication.
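The two mechanisms contrasted above, a blocklist of known phishing hosts and an origin-bound credential store such as the Keychain, behave very differently on a freshly registered look-alike domain. The following Python model is an added example written for this page; it is not code from Safari, Camino, Apple's Keychain or Sûnnet Beskerming, and all names, stored credentials, hostnames (which use the reserved .example domain) and the blocklist contents are constructed for illustration.

```python
"""Blocklist lookup versus origin-bound credential autofill (added example).

Models two of the anti-phishing signals discussed above:
  * a list of known phishing hosts, queried by hash, which by definition
    cannot contain a domain that was registered after the list was built;
  * a Keychain-style credential store keyed by exact origin
    (scheme, host, port), which simply has nothing to fill on any other host.
"""
import hashlib
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def canonical_origin(url):
    """Reduce a URL to the (scheme, host, port) triple credentials are bound to.

    Host is lower-cased and any trailing dot is stripped; an explicit default
    port (https://host:443) canonicalises to the same origin as the bare host.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    return (scheme, host, port)


def credentials_for(url, store):
    """Return the stored (username, password) only on an exact origin match.

    Anything else, including a look-alike host or an http:// downgrade of an
    https:// origin, gets None, which is the 'nothing pre-filled' clue the
    text describes.
    """
    return store.get(canonical_origin(url))


def host_hash(host):
    """Hash used for blocklist entries; hashing is what a privacy-conscious
    browser would send to a central server instead of the raw host name."""
    return hashlib.sha256(host.lower().encode("utf-8")).hexdigest()


def is_blocklisted(url, blocklist):
    """Blocklist lookup by host hash; a miss says nothing about safety."""
    return host_hash(canonical_origin(url)[1]) in blocklist


# Constructed Keychain-style store: one entry for a hypothetical account.
STORE = {
    ("https", "www.paypal.com", 443): ("alice", "constructed-password"),
}

# Constructed blocklist: one host from an already-reported campaign.
BLOCKLIST = {host_hash("paypal-secure-update.example")}


def assess(url, store=STORE, blocklist=BLOCKLIST):
    """Combine both signals for a URL into one dictionary."""
    return {
        "url": url,
        "blocklisted": is_blocklisted(url, blocklist),
        "autofill": credentials_for(url, store) is not None,
    }


if __name__ == "__main__":
    # Constructed sample visits: the genuine site, a listed phishing host,
    # a brand-new look-alike the list has never seen, and an http downgrade.
    for sample in (
        "https://www.PayPal.com:443/signin",
        "https://paypal-secure-update.example/login",
        "https://www.paypal.com.account-verify.example/signin",
        "http://www.paypal.com/signin",
    ):
        print(assess(sample))
```

The third sample is the interesting one: the blocklist misses it because the campaign is newer than the list, yet the credential store still fills nothing, so the user gets the visual clue regardless of how fresh the phishing domain is. The fourth shows why the scheme belongs in the origin key: a plaintext copy of the real host name should not receive credentials that were saved for the https site.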

With browser vulnerabilities being found across a large number of the available browsers, the old argument of using a more secure browser to visit sensitive sites is losing strength, though users should still strive to use the most up-to-date and secure browser that they can. Internet Explorer's heavy ties to ActiveX will always place it at a disadvantage when compared to other browsers, but those browsers also have their own critical flaws and weaknesses, which are targeted to a lesser degree than Internet Explorer vulnerabilities.

As it is based only on single-source reporting, the initial complaint and recommendation to avoid Safari should be taken with a grain of salt. What should be taken away from the example are the difficulties that remain when it comes to accurately identifying and avoiding phishing attacks, and how poor the current 'best of breed' solutions are at protecting end users and accurately identifying phishing attacks.

In the interests of open reporting, it should be noted that Sûnnet Beskerming have developed authentication and validation systems that are able to withstand the current standard of phishing and fraud attempts, and then some. For more information, contact Sûnnet Beskerming.

6 March 2008



