Here's a Vexing Question


There have been many studies on why phishing attacks are such a problem. In one often cited Gartner study it was reported that 3% of users will give away personal or financial information to phishers. This means that at any given time some 3% of your user base will respond to phishing attacks, no matter how obvious.

I have seen this in action several times. Despite numerous warnings to users, and prominent alerts online and in print publications that admins will never request passwords, we detect users sending their login credentials to phishers. The emails come in bearing misspellings and horrible grammar, and supposedly smart people (we're talking Ivy League educated here) will send off their username and password.

Given this situation, what can the security community do? Obviously single-factor authentication is failing. If the user can be tricked into providing login credentials, authentication must be altered so that it includes something that a user cannot easily give to an attacker. Requiring some sort of physical device helps this situation tremendously. Given the global nature of the internet, users are exposed to attackers from across the globe. If authentication requires something physical, then the geographic scope of vulnerability shrinks to that physical device.

Software tokens are another solution. If authentication requires a program running locally on a user's machine, then only that machine can successfully authenticate. This creates problems for mobile users, but perhaps restricting authentication from cyber cafes around the world is a good thing. Software tokens can be installed on kiosks and in public access terminals within an organization as well, so that legitimate users could access resources from within the physical location of an organization.
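To make the point above concrete, here is an added Python sketch (not code from the original post, and not a description of any particular token product) of what a machine-bound software token buys you. The server, the token, the user "alice" and her password are all constructed for the demo. The token holds a secret that was installed once and is never typed by the user; the server sends a fresh random challenge and accepts a login only when the password is right and the response to that challenge was computed with the token secret. A phisher who has harvested the password still cannot log in, and a captured response cannot be replayed against a new challenge.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials for the demonstration.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"   # the part a phisher can harvest


def password_hash(password, salt):
    """Salted PBKDF2 so the server never stores the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    """Stores password hashes and per-user token secrets; issues challenges."""

    def __init__(self):
        self.users = {}
        self.pending = {}   # username -> outstanding challenge nonce

    def enroll(self, username, password):
        salt = secrets.token_bytes(16)
        token_secret = secrets.token_bytes(32)
        self.users[username] = {
            "salt": salt,
            "pw_hash": password_hash(password, salt),
            "token_secret": token_secret,
        }
        # Returned once at enrollment and installed on the user's machine only.
        return token_secret

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def login(self, username, password, response):
        user = self.users.get(username)
        nonce = self.pending.pop(username, None)   # each challenge is single-use
        if user is None or nonce is None:
            return False
        pw_ok = hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"])
        expected = hmac.new(user["token_secret"], nonce, hashlib.sha256).digest()
        token_ok = hmac.compare_digest(expected, response)
        # Evaluate both factors before deciding so a failure does not reveal which one failed.
        return pw_ok and token_ok


class SoftwareToken:
    """The program running locally on the user's machine; the secret never leaves it."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, nonce):
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def demo():
    """Returns (legitimate login ok, phished password alone ok, replayed response ok)."""
    server = Server()
    token = SoftwareToken(server.enroll(USERNAME, PASSWORD))

    # Legitimate user: correct password plus the token on their own machine.
    nonce = server.challenge(USERNAME)
    captured_response = token.respond(nonce)     # imagine this was also observed in transit
    legit_ok = server.login(USERNAME, PASSWORD, captured_response)

    # Phisher: holds the harvested password but not the token secret, so can only guess.
    server.challenge(USERNAME)
    phisher_ok = server.login(USERNAME, PASSWORD, secrets.token_bytes(32))

    # Replay: the old response does not match the new challenge.
    server.challenge(USERNAME)
    replay_ok = server.login(USERNAME, PASSWORD, captured_response)

    return legit_ok, phisher_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The scheme is deliberately generic: the same shape applies to a hardware token, the difference being where the secret lives. What it shares with the post's argument is the key property that the user has nothing to type that would let an attacker authenticate from somewhere else.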

I'm not sure a really good solution has been devised. Both hardware and software tokens greatly increase support costs and complicate infrastructure. They limit users and cause headaches for an organization. However, keeping security personnel in a never-ending loop of account lockouts and phishing response is a clear waste of resources. At some point the security paradigm has to shift to nullify this sort of attack. Until it does we won't see the end of phishing e-mails.

Further reading:
Why Phishing Works (http://people.seas.harvard.edu/~rachna/papers/why_phishing_works.pdf)
Social Phishing (http://www.indiana.edu/~phishing/social-network-experiment/phishing-preprint.pdf)