When security warnings backfire
The role of phishing in the attacks earlier in the year by Syrian activists on the New York Times and Twitter has prompted me to return to one of my favourite topics: do security warning messages make users more vulnerable to phishing?
Surely, if we bombard users with security warning messages, this will educate them – even if they only read a handful of the messages – right? Or is less really more?
Warnings, forewarnings and cautions
We are all used to it. Start your computer first thing in the morning and your host-based firewall will warn you of potential attacks. Go online, and your browser will warn you about potential issues with the website you are visiting, followed promptly by a warning about sending data unencrypted.
It doesn’t stop with security tools though: Java, Office, iTunes and so on (I could go on), each with their own security warnings, their own updates and their own blaring popup messages to protect us. But do they?
The cynical amongst us would say that the messages serve little purpose other than to pass the responsibility to the end user. That way, when something goes wrong, it is not a failure of the manufacturer, but a failure of the user. Less cynical observers stress that these alerts are merely an added defence, a form of user education – but again, are they?
Should you beware of security messages?
A report from Sophos’ research labs states that “Phishers are able to convince up to 5% of recipients to respond”. This is a useful benchmark: in my published study, 5.19% of recipients fell for the phishing attack, an almost perfect match, which indicates that my results may be a reliable indicator.
A problem without a cure?
So what should one do about it? No silver bullet exists against phishing.
There are automated tools, for example the address bar in Microsoft’s IE browser, which turns red and interposes a warning page whenever an end user tries to access a page that has been reported as fraudulent.
Automated tools have come a long way, and are definitely part of the solution, but a dedicated scammer could get around them, for instance by moving to a URL or domain that has not yet been reported.
In a similar vein, how many of us use the same password on multiple sites, despite being told time and time again not to? Do users really keep separate passwords for each site, and check the URL each time? The high-profile attacks on journalists’ Twitter accounts suggest not.
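To make the two previous points concrete, here is an added example (my own illustration, not code from the original post or from any browser vendor) of why a reputation filter keyed on exact reported URLs is easy to sidestep, and of the kind of check a user is implicitly being asked to perform when told to “check the URL”. The reported URLs, the brand list and the host names are all constructed for this example and are not real reports; the registrable-domain logic uses a simplified “last two labels” rule, which is an assumption (production code would consult the Public Suffix List).

```python
"""Added example, not from the original post: exact-match URL blocklists
versus a host-based check, plus a heuristic for look-alike hostnames.

All blocklist entries, brand names and sample URLs below are constructed
for illustration. registrable_domain() uses a simplified last-two-labels
rule; that is an assumption, real code should use the Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed sample set of URLs "reported as fraudulent" (not real reports).
REPORTED_URLS = {
    "http://twitter-login.example/verify",
    "http://nytimes-account.example/reset.php",
}

# Assumed mapping of brand keyword -> the brand's genuine registrable domain.
BRAND_DOMAINS = {"twitter": "twitter.com", "nytimes": "nytimes.com"}


def naive_blocked(url: str) -> bool:
    """Exact-match lookup: blocks only the precise string that was reported.

    Any change to scheme, path, query or a subdomain label evades it.
    """
    return url in REPORTED_URLS


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two DNS labels.

    Assumption for this example only; multi-label public suffixes such as
    co.uk are handled wrongly here, which is why real code uses the PSL.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def blocked_by_host(url: str) -> bool:
    """Block any URL whose registrable domain matches a reported one.

    Path, query, scheme and subdomain variations of a reported site no
    longer evade the check; a freshly registered domain still does.
    """
    bad_domains = {registrable_domain(host_of(u)) for u in REPORTED_URLS}
    return registrable_domain(host_of(url)) in bad_domains


def looks_deceptive(url: str) -> bool:
    """Flag hosts that carry a protected brand name in some label while the
    registrable domain is not that brand's own domain.

    This is the pattern a user "checking the URL" is expected to notice:
    twitter.com.secure-login.example is not twitter.com.
    """
    host = host_of(url)
    if not host:
        return False
    reg = registrable_domain(host)
    labels = [label.replace("-", "") for label in host.split(".")]
    for brand, legit in BRAND_DOMAINS.items():
        if reg == legit:
            continue  # genuinely the brand's domain (or a subdomain of it)
        if any(brand in label for label in labels):
            return True
    return False


if __name__ == "__main__":
    for u in (
        "http://twitter-login.example/verify",            # reported as-is
        "http://twitter-login.example/verify?session=1",  # trivially altered
        "https://twitter.com.secure-login.example/",      # brand as subdomain
        "https://accounts.twitter.com/login",             # genuine
    ):
        print(u, naive_blocked(u), blocked_by_host(u), looks_deceptive(u))
```

Note what the heuristic does not catch: a scammer who registers a brand-new domain that contains no brand keyword, or who uses an internationalised domain whose characters merely resemble the brand, passes both `blocked_by_host` and `looks_deceptive`. That gap is exactly why automated filtering is part of the solution rather than the whole of it.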
There are controls that can mitigate the risk, through legal and legislative action, well-configured software and, crucially, well-delivered user education.
All is not lost, but we are a long way from a panacea. It is evident that technology alone cannot solve this problem, and in some cases it has made things worse.
Continual education of users about where the latest threats are coming from, and how to avoid them, is therefore key to any security department’s role.