This blog is a random collection of information, partly in support of my quotations web site. Other topics include wine, military news, economics, history, libertarianism, and other random things which happen to strike my fancy. Backup site is at http://quotulatiousness.blogspot.com/ (if there are no posts showing, hit the backup blog for explanation). Comments have been turned off, as the spam was getting too much to handle. Comments can be emailed to me for posting.

June 07, 2006

Reg: Why phishing works

The Register has an eye-opening summary of why those low-life, mouth-dragging, knuckle-breathing phishers keep doing it . . . it works:

Think that cues in the browser will help? Forget it.

When Firefox 1.0 came out, I thought it was a major benefit that the background color of the address bar changed to gold when you were on a site using HTTPS. "How cool!" I remember saying to a friend, "In addition to the gold lock, the entire address bar is gold too. That'll make it even more obvious to people that they're on a secure site!" And that was in addition to the other three indicators that Firefox provides. How utterly naive of me.

In the study by Dhamija et al, 23 per cent of the users don't even look at cues provided by the web browser, such as the address or status bars. Many have no idea what the padlock icon means; in fact, one participant confidently asserted that the padlock indicates that the website can't set cookies.

Instead of browser cues, these people look at the web page itself. Does it "look" and "feel" right? Are there VeriSign logos on the page? How about animations? Does it seem authoritative? In some cases, the padlock icon on the web page itself was enough to convince some that the site was safe, more so than if the padlock was in the browser's chrome.

There's more. Read it, and shudder.

Still, I did learn how to set my favicon for the blog, so it wasn't a completely terrible experience . . .

Posted by Nicholas at June 7, 2006 01:29 PM