
Tuesday, April 1, 2008

Only an Ungullible You Can Prevent Phishing

As I mentioned in a previous entry, I'm a computer security specialist by day, so I've spent a fair amount of time noodling on ways to help protect people from hackers. In particular, one problem that has become an escalating game of cat-and-mouse between hackers and banks is phishing. Phishing is when an email (or website, or voicemail system) claims to be a trusted source, such as your bank, and asks you to provide sensitive information - only it's not your bank - it's the bad guys - and you just gave them your online banking password. Doh!

Phishing results in thousands of stolen identities daily, and it erodes the trust that customers have in online banking. So banks are constantly adding new security technology to make these attacks more difficult, but phishers are constantly coming up with more clever ways to get around these controls. Will it ever end? Should you wait for your bank to solve this problem before you venture into online banking? I can tell you with absolute certainty that, no, banks will never 100% solve the phishing problem. Never ever! Why? Because it's not a technology problem, so there is no technology solution. Phishing is not a new problem - it's a new spin on an old problem - con games. And "con" is short for confidence, which means that phishers only need to trick people into being confident that they are communicating with their bank, when in fact they aren't. And there are an infinite number of creative, non-technical ways of playing such tricks.

So how can you protect yourself? Should you just give up and avoid the internet? Well, to borrow a phrase from the 1970s Smokey the Bear, "Only an Ungullible You can prevent phishing." But how do we learn to be ungullible to phishing? If the phishers are so clever at coming up with new tricks, is there any hope that we can outsmart them? I believe it is possible with just three simple rules, but before I explain, let's start with a simple example of how phishing works.

Please complete the following sample exercise before continuing to Part II of this blog. In a real phishing attack, the phisher might pretend to be your bank and ask you to confirm your identity by providing your full credit card number. In this example, we are only asking for part of a real card number to make the example safe.

Phishing Exercise #1

Name of Issuing Bank: ________
Last 4 digits: ____
Card Type: [ ] Visa  [ ] MasterCard  [ ] Discover  [ ] American Express

Note: It is safe to use a real credit card in this example because...

  • You are only giving part of your credit card #, not all of it

  • There is no Submit button, so you aren't sending your data anywhere

  • You may provide fake data if you still prefer, although some lessons from the example may not be as clear

After filling in the sample phishing form above, click here to continue with the rest of this blog...



Sunday, March 23, 2008

Hacking Yourself to Ungullibility, part 2

If you are wondering where part 1 of this blog is, it's not here, because I didn't write it. This entry is following up on Bruce Schneier's recent blog and Security Matters commentary in the March 2008 edition of Wired magazine, titled "Inside the Twisted Mind of a Security Professional." I'm an information security professional by day, so I'm a big fan of Mr. Schneier. He is the epitome of a critical thinker, and while he often writes about complex computer security issues, he also frequently comments on critical thinking for everyday situations and everyday people. His latest commentary is a perfect example of this, so I highly encourage you to read it. It's short, and it is essentially "part I" of this blog.

So what does the mind of a security professional have to do with increasing your own ungullibleness? If you read Schneier's commentary first, you already know the answer, but I'll summarize. Thinking like a security professional means not accepting things at face value. It means looking at things from a different angle to see how they might be used mischievously, maliciously, or sometimes just differently. As Schneier concludes, "If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they'll be more sophisticated consumers, more skeptical citizens, less gullible people." In other words, to become ungullible, you have to think how you might take advantage of a gullible person. Then you know what to look out for.

Mr. Schneier notes in his commentary that an undergraduate class in Information Security at the University of Washington is trying to teach its students how to think this way. It doesn't come naturally to most people, so it takes practice. Students are asked to "hack" everyday objects and services (GM's OnStar service, traffic lights, etc.), and then blog about their results.

To pick up where Mr. Schneier left off, I'm going to ask you to do the same thing, but with more of a focus on gullibility rather than security. Below are some suggested exercises for hacking yourself to ungullibility. Remember, it doesn't come naturally to most people, so practice is necessary. But hopefully you'll also find it fun. And please post back here in the comments with your results!

Exercise #1 - Hack your TV
TV commercials are a great way to practice critical thinking. I often use them as teaching tools with my own children. Instead of shielding them from commercials, I ask them what parts of the commercial they think were true, what parts were exaggerated, and what parts might even be untrue. I also ask them what tricks the advertiser used to make the product more appealing than it really is, or to pressure you to "buy now" (before you have a chance to think critically through your purchase decision). So how about you? Pick out a favorite commercial on TV and pick it apart. Late night infomercials are too easy - so I advise picking a normal product, maybe even one you actually use, to keep it challenging. If you aren't much of a TV watcher, then a magazine ad may suffice. And don't forget to report back here with your findings!

Exercise #2 - Hack your Email
Dig into your email's 'Sent' folder and find the last email that was mass-forwarded to you and that you in turn mass-forwarded to others. These "chain letters" often have emotional or political messages, or are intended to warn you about some new threat. But they are often full of misleading, incorrect, or even made-up information. For example, following the devastation of Hurricane Katrina, a family member once forwarded me such an email that warned people to be careful about where they bought yard mulch because it might come from the thousands of trees that were knocked down in the storm, and could therefore spread the ecologically devastating Formosan termite. It was all false, and only served to spread fear (and possibly drive down mulch sales). Find a chain letter email that you actually forwarded, and now critically analyze it for potentially false information and for the tricks it uses to get you to forward it to others. If you NEVER forward such emails, give yourself extra credit, then find the last one you received and analyze it. Reading snopes.com is a good way to learn how to tell the true emails from the false ones, but using it to research your answers for this exercise is cheating.

Exercise #3 - Hacking your mind!
This is probably the most challenging exercise, but arguably the most important in becoming ungullible. As I stated in my "Top 5 Concepts for the Ungullible Mind," we are all guilty of deceiving ourselves on a regular basis. Our mind is wired to make many kinds of logical mistakes, and it's capable of tricking itself. That's why placebos work. We complain that we "always get stuck in the slow lane" because we remember the frustrating times better than we remember the times we sped through the fast lane, not because the former is actually more frequent. We take our neighbor's advice for the latest herbal remedy (it worked for her, and her mom!) over the advice of our doctor. We jump on the slightest mistake made by our most hated politicians, yet we all too easily ignore or justify similar gaffes made by politicians on our own "team." We prefer explanations that support our pre-existing beliefs (e.g. "After-death experiences prove there is an afterlife") over more mundane alternative explanations (e.g. "Or maybe it's just the effects of a dying brain under immense stress, similar to the euphoria and visions caused by some drugs"). If you truly want to become ungullible, you must learn to be ungullible of even your own mind. Don't trust it too much. Look for independent verifications. So what was the latest or most significant mistake in logic you made?

Please share your answers with the rest of us in the comments below. I plan to do the same, but I've got to think about them first. That last one is really going to be difficult. ;)

If you are interested in reading some of Bruce Schneier's books on national security in a post-9/11 world, information security in the modern world, and email security for the average internet user, then Ungullible recommends the following (respectively)...