
| Subject: | RE: (not really a) Proposal to anti-phishing |
|---|---|
| Date: | Mon, 24 Jan 2005 12:35:48 -0500 |
I remember doing a quiz on phishing some time ago. After much digging, here's a link to the quiz (version 2):

http://survey.mailfrontier.com/survey/quiztest.html

Sorry, it doesn't give any results of the survey - perhaps someone could email the company and ask about the results, especially which ones people didn't get.

Cheers,
Mike.
-----Original Message-----
From: Rishi Pande [mailto:rishi.pande@gmail.com]
Sent: Monday, January 24, 2005 11:16 AM
To: Scott, Richard
Cc: webappsec@securityfocus.com
Subject: Re: (not really a) Proposal to anti-phishing

I agree that user education is important. I would be interested in seeing if younger users - ages 20 and below - who basically grew up with the internet are less gullible to phishing scams. Any pointers to such research or anyone willing to take this matter up will be appreciated. If someone wants to take this up, I am also willing to help them out.

On another note - this reminds me of something one of my professors used to say - people who surf the internet should have to give a test before they ever get on, just like the driver's test.

Rishi

On Wed, 19 Jan 2005 11:14:09 -0600, Scott, Richard <Richard.Scott@bestbuy.com> wrote:

Without getting in a technical debate - I don't think any technical solution exists for the social problem that we have. That is, it does not matter what solutions are in place, if users are willing to give out personal information without thinking of the context they are giving it then there isn't much hope.

For example, for the phishing attempts I have seen, web sites are used to trick the user that an order has been cancelled or some sort of process is on hold. To release the order for delivery, or to correct information, the user is asked to enter in information.

Now, why would a web site that sells goods and services ask for my Bank account PIN? Why would I enter in my SSN to a site that does not need it, or to a site I have never visited? Why would I give out my mother's maiden name?

There are two problems I see that need to be corrected:

(1) Users give out too much personal information without good justification. Users should be educated in giving out information.

(2) Corporations need to stop residing on certain data elements for authentication. Why on earth do financial and health institutions ask for the last 4 digits of an SSN - when the last four digits are more readily available than the full number. The logic just doesn't make sense.

The three simple concepts, education, awareness and better use of data will do more to prevent phishing than an expensive security mechanism. Obviously, there may be some phishing scams that involve, for example, bank web sites etc. But if banks went on record to state they would never solicit information using that medium, we simply just communicate that to the population.

<End Rant>

Cheers,
Richard