More Banks Set To Establish Their Own Stock... >>
<< A Detailed Look At How Prince Embraces New...
 tdicon 

Studies

by Mike Masnick

Mon, Jul 23rd 2007 8:34am


Filed Under:
phishing, research, scams

Companies:
indiana university


Latest Phishing Scam... Actually University Research

from the gotta-trick-you-to-understand dept

Lots of people are trying to research phishing scams in order to better understand them and come up with better ways to protect against them, but some folks are apparently a bit upset at research coming out of Indiana University that involved actually phishing a variety of people to con important information out of them in order to understand what kind of phishing scams work. The researchers and the university are defending the practice, saying they learned a lot from it, and it's legal to be deceptive for the purpose of research so long as the deception is no different than what a person might come across normally and the risk to the person is minimal. Still, if any of the information is eventually misused or gets leaked, it certainly could create some problems for the university (and universities are no stranger to leaking data). The university still claims that this kind of research is key to preventing phishing... but oddly, the article seems to highlight what works for phishing scams, rather than what works to stop phishing scams. So, right now, the research seems to be telling scammers how to be more effective scammers, rather than coming up with ways to stop phishing.
10 Comments | Leave a Comment
Get a free 1-year subscription to the Techdirt Crystal Ball when you sign up for VPN service from Private Internet Access.

If you liked this post, you may also be interested in...

Reader Comments (rss)

(Flattened / Threaded)

  • identicon
    Team Tutorials, Jul 23rd, 2007 @ 9:06am

    Phishing scams work because people are stupid. No study needed.

    reply to this | link to this | view in chronology ]

  • identicon
    Aaron, Jul 23rd, 2007 @ 9:31am

    But honestly officer, I was simply researching the effects of heroine for my study!

    reply to this | link to this | view in chronology ]

  • identicon
    Steven, Jul 23rd, 2007 @ 11:12am

    In order to stop phishing...

    don't you have to know how it works?

    I understand the privacy implications here, but how is a research supposed to come up with ways to reduce phishing without knowing what how/why it works (including stupid people)?

    It seems to me that knowing what was most effective would at least be good fodder for an education campaign.

    This is like saying a security firm shouldn't be finding exploits in computer systems because that is just helping hackers.

    reply to this | link to this | view in chronology ]

  • identicon
    Just Me, Jul 23rd, 2007 @ 11:30am

    Phishing

    1. You need to understand phishing to stop it. However, be carefully waht information you collect, as I'm sure the college will 'misplace' it publicly.
    2. Stupid People will never go away. Can we say why UAC in Vista can be good. Or how can people really believe that they had a rich relative who died in Nigeria?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, Jul 23rd, 2007 @ 12:27pm

    Well I can understand...


    but oddly, the article seems to highlight what works for phishing scams, rather than what works to stop phishing scams. So, right now, the research seems to be telling scammers how to be more effective scammers, rather than coming up with ways to stop phishing.


    They could be using the idea of exsposing the way the phishers operate. That way if the "secret" to phishing for info is no longer secret and everyone knows about it then people will hopefully wise up a bit. Kinda like someone telling how the magician made the elephant disappear.

    reply to this | link to this | view in chronology ]

  • identicon
    anonymous coward, Jul 23rd, 2007 @ 1:21pm

    if taking money from morons is a crime, why is Steve Jobs still walking our streets as a free man?

    phishing isn't a victimless crime, its just that the victims are so f'ing stupid, it is really a challenge to work up any sympathy.

    i have more sympathy for drunk guys that get rolled by hookers...

    reply to this | link to this | view in chronology ]

  • identicon
    Markus Jakobsson, Jul 23rd, 2007 @ 4:35pm

    why to perform phishing experiments

    At first, many people may not see the benefits of phishing experiments, and may see it as a way to plainly confirm what is already known ("people fall for phishing attacks".) That is not what is done in phishing experiments, though.

    First of all, in a well designed experiment, no credential is even harvested by the researcher. Instead, he or she instead verifies that that right credentials were input -- using the legitimate verification service. An example of how this is done, in the context of phishing eBay users, is available in

    http://www.informatics.indiana.edu/markus/papers/ethical_phishing-jakobsson_ratkiewicz_06.pdf

    This, and other experiments, are described from the ethical point of view in

    http://www.indiana.edu/~phishing/papers/finn-conducting.pdf

    Why are experiments useful, then? I think a good way to explain the needs for experiments is:

    1. To improve phishing countermeasures, knowing what works and what does not.
    2. To predict trends, knowing what the yet not exploited human vulnerabilities are.
    3. To improve security education. An example effort is www.securitycartoon.com -- this is directly influenced by phishing experiments.

    Cheers,
    Markus

    reply to this | link to this | view in chronology ]

  • identicon
    rebecca, Jul 23rd, 2007 @ 6:08pm

    research on phishing

    it works because we sit around researching it rather than doing anything to stop it. We allow it and they know it.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
More Banks Set To Establish Their Own Stock... >>
<< A Detailed Look At How Prince Embraces New...
 tdicon 
Follow Techdirt
New Gear From Techdirt

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Friday

15:54 Judge Says No Way To Attorneys General Looking To Block IANA Transition (3)
14:28 Government Agencies Apparently Not Interested In Following Congressional Directives On Overclassification (3)
12:55 Border Patrol Agent Caught Watching Porn On The Job Blames The Internet Filter For Not Stopping Him (11)
11:38 Facebook Video Metrics Crossed The Line From Merely Dubious To Just Plain Wrong (3)
10:37 CIA Took Three Years To Reject FOIA Request For Criteria For Rejecting FOIA Requests (10)
10:30 Daily Deal: The Ultimate Software Testing Bundle (0)
09:39 Intel Community To Institute Actual Whistleblower Award For 'Speaking Truth To Power' (31)
08:33 U.S. Court Of Appeals Upholds Ruling That New Hampshire's Silly Ballot Selfie Ban Violated The First Amendment (25)
06:30 A Massive Cable Industry Disinformation Effort Just Crushed The FCC's Plan For Cable Box Competition (34)
03:23 Ridiculously Stupid: 4 State Attorneys General File Totally Bogus Lawsuit Against Internet Transition (109)
More arrow
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.