The Anti-Phishing Gimmick

The boffins have spoken, and they’ve spoken right: Don’t use anti phishing toolbars, or at least don’t rely on them. (Anti phishing toolbars sit in your browser and supposedly warn you if you’ve been directed to a website that’s about to plunder your bank account, or at least steal your passwords.) I’ve been saying the same thing for a year or so, but I’m not a boffin, so it’s better to listen to them.

According to VNUnet a team from Carnegie Mellon compared 10 anti-phishing toolbars and missed up to more than half of the phishing sites. D’oh.

“Overall we found that the anti-phishing toolbars that were examined in this study left a lot to be desired,” wrote the researchers.

This is not the first test of such toolbars. One by 3Sharp commissioned by Microsoft concluded in September that, er, Microsoft’s antiphishing toolbar in Internet Explorer was best. Mozilla released one concluding that, er, Mozilla’s own Firefox 2.0 browser was better than IE. But all the possible bias aside, the figures are still sobering: Firefox blocked around 80%, IE 66% in the Mozilla study; IE blocked about 83% in the 3Sharp study. That’s still a lot slipping through.

I have no idea why these toolbars are so popular. My more modest tests more than a year ago showed that most of them were poor and I concluded that

unless such tools offer really good protection against the inventiveness of phishers, they merely lull users into a false sense of security. If you want to fight the phishers, you’ve got to be smarter than this.

Yes, it’s pompous of me to quote myself but there you go.

Actually what amazes me from the report (PDF file) is how many toolbars there are out there. They counted 84 on one website alone. Why so much effort? Well, the losses are big from phishing — billions of dollars, according to the researchers. But I can’t help feeling that a lot of the effort here is less altruistic and more about branding, or simply just a way to get a bit of the user’s screen real estate. Nearly every toolbar pictured in the report carries a big logo of the provider of the toolbar — who wouldn’t want their brand plastered over a browser?

But unless the toolbar actually saves the user in 95% or more of cases, these things are useless, and actually counterproductive. I strongly disagree (I love strongly disagreeing, and don’t do it enough) with the notion that “some protection is better than nothing at all”, as argued by the 3Sharp guys. This assumes the user is an idiot, and can’t learn to be suspicious and follow certain basic rules (Don’t click on a link in any email or chat message that doesn’t ring quite true, including one that doesn’t address you by name. Call your bank if you get an email from them that contains a link).

Some things the user just has to wise up to. We don’t provide security officers to accompany each shopper around a pickpocket-prone mall, so just like at the mall, online we have to just get smarter and look out for ourselves. Users should not be fooled into thinking these toolbars are in most cases anything other than a gimmick, however good the intentions of their authors.