Study: Anti-phishing software doesn't provide reliable protection

Anti-phishing toolbars for web browsers are intended to detect and warn about forged websites set up by cybercrooks trolling for access data to banking applications and the like. Yet, the central findings of a study by the students of the Ruhr University of Bochum (RUB) under the guidance of the a-I3 (Working Group for Identity Protection on the Internet) show that only a few of the tools being offered, actually protect against the advertised dangers.

Among other points, the students found that some programs are not only ineffective at detecting phishing sites, but could actually represent a threat in and of themselves: they could potentially be misused as phishing tools and used to spy on sensitive data, like PINs or TANs, without the user knowing it.

23 programs were examined overall, each of them current and available for free on the internet. Their goal was determining just how reliably the programs could detect dangerous pages. 16 current phishing sites were used as test objects, with five authentic financial websites used as a control group. The results: on average the programs recognised only 31 percent of the phishing sites. Even the real bank websites were only identified as such, 69 percent of the time.

"Much more critical, however, are the advanced functions that we found there", says Prof. Dr. Jörg Schwenk from the Professorship for Network and Data Security (NDS) at the RUB. He served as advisor for the students. Several toolbars logged the user's surfing behaviour in ways usually associated with spyware. In some cases the software uses encryption to communicate with its remote server, meaning that users can't even verify which information is being sent.

"Several programs make for terrific tools for phishing," explains Sebastian Gajek, a technician at NDS. "To put a name to these variants, we call them Twofold Phishing." What the users thinks is a trustworthy software tool to protect against dangerous websites may in fact be spying on his sensitive data. Suspicious minds may wonder if there isn't a more devious reason: "It's conceivable that an anti-phishing toolbar will be programmed by phishers themselves to gain unnoticed access to data like PINs and TANs," Gajek says.

A couple of weeks ago, a study by the CyLab at Carnegie Mellon University, "Phinding Phish: An Evaluation of Anti-Phishing Toolbars" also concluded that anti-phishing browser toolbars are generally not up to the task.

Blind faith in technical solutions violates one of the prime rules of IT security: caution on the part of the user and security-minded behaviour trump technical aids every time.

(trk)