December 01, 2004

2004 - The Year of the Phish

Last year, 2003, was a depressing year. We watched the phishing thing loom and rise, and for the most part, security experts fudged, denied, shuffled and ignored while the phish was reeled in. Now, 2004 can truly be said to be the Year of the Phish.

There is progress. Firefox have made two small but nice additions to their browser to address phishing. If you download Firefox (and if you haven't yet, you are now classified as too insecure to be permitted to browse) you can see these when you go to your banking site. On the bottom right, there is a little box containing the domain that is seen by the browser. Also, notice how the URL bar changes colour.

Get used to these things, as they are about the only things protecting you from phishing.

More is needed, however, much much more. Whilst I am somewhat ecstatic that Mozilla programmers have started on this journey, the amount done so far is dwarfed by what would be required to fully address phishing in the browser, and no other manufacturer of browsers seems to have even woken up yet.

(Just briefly, the Certificate Authority needs to be shown. Further, the cert needs to be "tracked" by the browser, and a relationship built up. I've suggested a usage count - 100 times to this site, you must like it! Amir and Ahmad have suggested that the user sign off on the cert and even coded it up as Trustbar, while Tyler has suggested the use of petnames for the user's idea of what each site is. They all have their purposes and benefits, and a solution that used all of these and more would be very powerful against phishing. Oh, and all this needs to be "in the face" and not discreetly hidden down in some forgotten corner.)
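A sketch of the tracking idea in the parenthetical above, added here as an illustration and not code from Firefox, Trustbar or the petname proposals. The class `SiteMemory`, its methods, and the sample hosts, fingerprints and CA names are all hypothetical and constructed for this example.

```javascript
// Added illustration: per-site certificate memory with usage count and petname.
// SiteMemory, observe() and setPetname() are hypothetical names, not a browser API.
class SiteMemory {
  constructor() {
    this.sites = new Map(); // host -> { fingerprint, issuer, visits, petname }
  }

  // The user attaches their own name to a site they already have a history with.
  setPetname(host, petname) {
    const rec = this.sites.get(host);
    if (!rec) throw new Error(`no relationship with ${host} yet`);
    rec.petname = petname;
  }

  // Called on each TLS page load; returns what the browser chrome should show.
  observe(host, fingerprint, issuer) {
    const rec = this.sites.get(host);
    if (!rec) {
      // First sight of this host: no history, no petname, CA shown to the user.
      this.sites.set(host, { fingerprint, issuer, visits: 1, petname: null });
      return { status: "new", host, issuer, visits: 1, petname: null };
    }
    if (rec.fingerprint !== fingerprint) {
      // Known host, different cert: withhold the petname and do not count the visit.
      const status = rec.issuer !== issuer ? "ca-changed" : "cert-changed";
      return { status, host, issuer, previousIssuer: rec.issuer,
               visits: rec.visits, petname: null };
    }
    rec.visits += 1;
    return { status: "known", host, issuer, visits: rec.visits, petname: rec.petname };
  }
}

// Constructed sample data: 100 visits to the real bank, then three page loads.
function demo() {
  const mem = new SiteMemory();
  for (let i = 0; i < 100; i++) mem.observe("bank.example", "aa:11", "Example CA");
  mem.setPetname("bank.example", "My Bank");
  return {
    usual: mem.observe("bank.example", "aa:11", "Example CA"),
    lookalike: mem.observe("bank-example.test", "bb:22", "Other CA"),
    swapped: mem.observe("bank.example", "cc:33", "Other CA"),
  };
}

console.log(demo());
```

A legitimate certificate renewal also produces "cert-changed" here, so a real design needs a user-confirmed step to accept the new cert and carry the history forward.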

Most of this was known in 2003, by one means or another. But even though we have now to all intents and purposes had a full year of devastating losses due to phishing (more money lost than was ever spent on SSL certs) we still can't say with any degree of confidence that people understand that the browser is being attacked and the browser is where the defences should be placed.

Addendum 2004-12-23: John Leyden wrote this 2004 security review for The Register which echoes a similar message.
Also, "In 2005, Organized Crime Will Back Phishers" we can take as an echo, given that we already saw it in 2004!

Addendum 2005-09-03: new paper on The Economy of Phishing.

Posted by iang at December 1, 2004 08:32 AM

I don't see phishing as a major issue in the long term. People just have to learn not to click on links they get in email. How hard is that? Not hard at all. Soon people will learn this and phishing will be much less of an issue.

Posted by: Cypherpunk at December 3, 2004 01:19 AM

Phishing has gone way way way beyond the "don't click on that link" level.

Posted by: Iang at December 3, 2004 06:22 AM