I just took the MailFrontier Phishing IQ Test II, and I didn’t do well. As a web developer, I consider myself very knowledgable in this area, and I’m pretty sure I’ve never been fooled by a phishing email. So why did I do so badly? Simple: I guessed “phishing” for everything.

I never click on any links from email that will lead to me entering account information. All of their sample emails had these links, so I didn’t trust any of them. Why do companies still do this? If you read through the answers after taking the test, all of the legitimate messages say “Be safe – always enter the address in your browser”. This is good advice.

There was one message that was simply “providing information”, and therefore not considered dangerous. But consider such an email.. “Here’s some information about our new online bill payment service” with a link to a site that contains a bunch of information talking about the benefits of online bill payments, showing how easy it is, etc. Also on that site for customer convienence is a “add to my account now” button. If this is in fact a phishing site, that link is going to be a scam to collect your account data. If phishers aren’t doing an attack this “sophisticated” now, they will be soon.

According to internetnews.com, only 4% of test-takers got 100%, with the average score being 75%. At least that’s up from 61% a year ago.

So what is the solution? Well, since e-mail is fundamentally broken there really is no easy technological solution, besides outright replacing the SMTP protocol with something better.

One start would be to simply not include links in e-mail. Companies should generally make sure that anything they send in an email can be done manually by visting their site, and provide instructions on how to do so.

The catch here of course is that users need to be trained to recoginize (for example) their bank’s URLs. If your banking site is bankingsite.com and you get a request to go to bankingsite.com.ni or bankingsite1.com then that needs to set off alarm bells, and I’m not sure most users will recoginize that.

Another solution may be to develop a new specially-trusted high-security certificate authority that has very stringent requirements for granting certificates to companies. I remember the first certificate I got cost about $200 and required my driver’s licence, vendor permit, and some other official company documents (yes, this stuff can be spoofed too, but it is a bit more work). Those days are gone. Now it’s very simple to get a certificate that will be “trusted” in pratically every browser – it costs about $40US, and sends one email as a verification.

If all browsers displayed a site signed with one of these special certificates differently, then this would be a major way to stop phishing. Interestingly, the people working on Firefox, Internet Explorere, Opera and Konqueror are all working together on this. They’d show the address bar in green on one of these sites, and users would need to be trained to not enter any sensitive information on a page without a green address bar.

IE7 beta address bar (from arstechnica article, originally from MSN)

The special ceritficate authority could either be a root CA for current certificate authorities, or just be an organization that would publish a list of trusted root certificates. Either way, the organization would have to audit the people issuing certificates that showed up green to ensure the companies weren’t making things easier to gain an edge on their competition. The entire system is based on the trust of the root CA’s, so if those authorities violate the trust and issue a certificate to an illegitimate phisher that produced some phony documents, the whole system breaks down. So until those smart folks at Mozilla, Microsoft, Opera and KDE save us, antiphishing.org has some useful tips to avoid being scammed.