27 Nov 2006
According to a test commissioned by Mozilla and carried out by SmartWare, Firefox 2.0 blocks around 80 percent of known phishing URLs and Internet Explorer 7 blocks around 65 percent as long as users enable automatic web site checking.
Phishing sites are normally promoted by unsolicited emails that try to trick users into entering their authentication details into a mock-up of a legitimate bank or auction site. I’m sceptical of the value of Mozilla’s test because there is no mention of that critical factor, the age of the phishing site. Typical phishing sites have a very short life, and are presumably most effective in the first few hours as the emails arrive and hapless users follow the links.
Shortly after the release of Explorer 7 and Firefox 2.0, I carried out my own test on the next phishing email I received. Although it was an obvious fraud, both browsers gave the phishing site a clean bill of health. I reported the site, and it took Firefox three hours to blacklist it and Explorer 22 hours. Firefox comes out on top, but even three hours is long enough for thousands of users to enter their details.
There is also a danger of false reassurance. “This is not a reported phishing web site,” said Explorer’s dialog when I asked it to check, even though I myself had reported it 12 hours earlier. Yet Digital Resolve, which supplies data for Microsoft’s phishing filter, stated in September that its technology offered users real-time, positive assurance that they were at a valid web site. Such declarations mean little. If my experience is typical, then the phishing filters in both browsers are nearly worthless.
The inherent problem is that the filters rely mainly on a blacklist for their effectiveness. This fails for the same reason that signature checking fails to eliminate virus infections. Blacklist-based security tells the user, “It’s OK unless I say it is not.” Whitelist-based protection, on the other hand, says, “It’s not OK unless I say it is,” which is vastly more effective. But whitelists are prone to false positives: legitimate sites that are branded as bad. Whitelisted sites can also be hijacked by fraudsters. The site I found was one such example. The phishing page had been inserted into another site without the owner’s knowledge.
I would like to see users offered a three-tier ranking: green for a web site with a valid SSL certificate, amber for an unknown site, and red for a known phishing or malware site.
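To make the difference between the blacklist-only filter and the proposed three-tier ranking concrete, here is an added example (not from the article or either browser). It stands in for the real filters with two constructed lists: a set of reported phishing URLs and a set of hosts whose certificate has validated, which is an assumption in place of live certificate checking.

```python
from urllib.parse import urlsplit

# Constructed sample data, not real indicators. The blacklist holds reported
# phishing URLs; the second entry is a phishing page planted on a legitimate
# host, the hijack case described in the article.
BLACKLIST = {
    "http://bank-login.example.net/verify/",
    "https://www.goodshop.example.org/images/secure/bank/",
}
# Hosts whose TLS certificate validated (assumed here; a browser would check live).
WHITELIST_HOSTS = {"www.bank.example.com", "www.goodshop.example.org"}


def normalise(url):
    """Lower-case scheme and host but keep the path, so a planted page on a
    good host can still be matched against the blacklist."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def blacklist_only(url, blacklist=BLACKLIST):
    """The blacklist-only filter: 'OK unless I say it is not'.
    Returns the dialog text; note an unknown, hours-old site gets the
    reassuring answer, which is the false-reassurance problem."""
    if normalise(url) in blacklist:
        return "reported phishing web site"
    return "not a reported phishing web site"


def three_tier(url, blacklist=BLACKLIST, whitelist=WHITELIST_HOSTS):
    """Green/amber/red ranking. Known-bad wins over known-good so a reported
    hijacked page is red; unknown sites are amber rather than silently OK;
    green needs both HTTPS and a validated host."""
    url_n = normalise(url)
    parts = urlsplit(url_n)
    if url_n in blacklist:
        return "red"
    if parts.scheme == "https" and parts.hostname in whitelist:
        return "green"
    return "amber"
```

Note that until the hijacked page is reported, the three-tier scheme still shows green for it (pass `blacklist=set()` to see this), which is exactly the whitelist weakness the article points out.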
The failure of anti-phishing filters highlights the silliness of relying on username/password combinations to protect financial information. The real advance in Explorer 7 is not its phishing filter but its InfoCard integration, which offers a route to strong authentication. And as phishing is a by-product of spam anyway, if we fix the spam email problem, the phishers will have no line.