Training to fail
Posted by aog, Wednesday, 20 April 2005 at 15:44

I am beginning to understand how phishing attacks work. I used to wonder how anyone could be fooled but now I know better.

She Who Is Perfect In All Ways has been experimenting with PayPal as part of her work for her computer security class. Somehow I got roped into helping as an experimental subject. What I’ve learned from the experience is that PayPal trains its customers to fall for phishing attacks, despite the clear warning at the bottom of the e-mail not to do so.

How does that work? By making it far more convenient to do the things that phishing attacks depend on. For instance, if I get sent some money, then I get an e-mail telling me this. In the e-mail is a link that takes me directly to the payment page via an easily spoofed login page. The page doesn’t even display the account’s e-mail address, so it’s very easy to spoof. Depending on the browser (e.g., Opera) you can only access the link by logging in from the page for that link — being logged in to PayPal in another tab doesn’t have any effect. Even for browsers where being logged in on another tab bypasses the login page for the link in the e-mail (e.g., Firefox) you still need to log in separately to be secure.

Of course, at the bottom of the e-mail is the instruction to always go to the PayPal website by typing in the base URL. But most people will click through as soon as they see the link. A warning in the text before the link might be helpful. As it is, the link provided by PayPal is in direct violation of PayPal policy, as stated at the bottom of the e-mail. The text there basically says “Don’t click on the links we put in the e-mail”. OK… So why, exactly, are the links there if it’s wrong to click on them?
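The check a mail gateway or mail-client plugin could run against a notification like this, as an added example that is not from the original post and not PayPal's code: it pulls every link out of the message body and flags the three patterns described above, namely an href whose host is not under the expected base domain, visible link text that names a different host than the real href, and a link that lands straight on a login page instead of the base URL. The trusted domain, the login path hints and the three sample messages are all assumptions constructed for the example.

```python
# Added example (not from the original post): audit the links in a
# notification e-mail the way a mail gateway or client plugin might,
# flagging links that do not lead to the trusted base domain, visible
# URL text that disagrees with the real href, and links that land
# directly on a login page.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the service's trusted base domain. Any host that is not this
# domain or a subdomain of it is treated as untrusted.
TRUSTED_DOMAIN = "paypal.com"

# Assumption: path fragments that suggest the link lands on a login form.
LOGIN_PATH_HINTS = ("login", "signin")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none.

    urlsplit().hostname is used instead of string prefix matching so that a
    URL with userinfo such as 'https://www.paypal.com@other.example/' is
    attributed to 'other.example', the host the browser would connect to.
    """
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host, domain=TRUSTED_DOMAIN):
    """True if host is the trusted domain or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def audit_links(html, domain=TRUSTED_DOMAIN):
    """Return one finding per link; an empty 'reasons' list means no concern."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        href_host = host_of(href)
        if not is_trusted_host(href_host, domain):
            reasons.append("href host is not under the trusted domain")
        # If the visible text itself looks like a URL, it must match the real one.
        text_host = host_of(text) if "://" in text else ""
        if text_host and text_host != href_host:
            reasons.append("visible URL text names a different host than the href")
        path = urlsplit(href).path.lower()
        if any(hint in path for hint in LOGIN_PATH_HINTS):
            reasons.append("link leads straight to a login page")
        findings.append({"href": href, "text": text, "host": href_host, "reasons": reasons})
    return findings


# Constructed sample messages (not real PayPal mail); hosts under .example
# are placeholders.
GENUINE_NOTICE = (
    "<p>You have received a payment.</p>"
    '<a href="https://www.paypal.com/payment/details">View the payment</a>'
)
SPOOFED_NOTICE = (
    "<p>You have received a payment.</p>"
    '<a href="https://www.paypal.com.example/login">https://www.paypal.com/login</a>'
)
USERINFO_NOTICE = (
    '<a href="https://www.paypal.com@account-check.example/signin">Sign in</a>'
)

if __name__ == "__main__":
    for label, body in [("genuine", GENUINE_NOTICE), ("spoofed", SPOOFED_NOTICE),
                        ("userinfo", USERINFO_NOTICE)]:
        for finding in audit_links(body):
            print(label, finding["host"], finding["reasons"] or "no concern")
```

The audit only reports; what a deployment does with a flagged link (strip it, rewrite it to the base URL, or warn the reader above the link as the post suggests) is a policy choice. Note that the genuine-looking notice is flagged as clean only because its link does not go to a login page; a genuine notice whose link does lead to a login page would still be reported, which is exactly the training problem the post describes.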

The bottom line is that despite PayPal’s disclaimer, it operates in a way that rewards the same behaviour that makes phishing work — training people to just click on the link in an e-mail to go directly to a PayPal page. On top of that, it provides an easily spoofed page as part of the process. Surely they could do a little better than that.