Study blasts failing phishing toolbars

A study of anti-phishing toolbars by researchers at Carnegie Mellon University failed to find a single capable product. 

The Evaluation of Anti-Phishing Toolbars (PDF download) compared 10 anti-phishing toolbars, including Google Toolbar, McAfee Site Advisor and Netcraft, as well as the anti-phishing filter built into Internet Explorer 7.  

McAfee SiteAdvisor does not offer anti-phishing functionality, but the company launched SiteAdvisor Plus earlier this month that offers real-time anti-phishing protection.

The Carnegie Mellon researchers prepared a series of experiments that included identifying recently discovered phishing sites, identifying phishing sites over a period of 24 hours, and differentiating between phishing sites and legitimate sites.

Even the top performers failed to catch nine to 15 percent of the phishing sites visited. SpoofGuard, which correctly identified 91 percent of the phishing sites, also labeled 38 percent of the legitimate sites as phishing operations.

Netscape Browser 8.1, EBay Toolbar and TrustWatch identified fewer than half of the phishing sites.

"Overall we found that the anti-phishing toolbars examined in this study left a lot to be desired," wrote the researchers. "Many of the toolbars we tested were vulnerable to some simple exploits as well."

Aside from reliability, the study found the user interface on several products ineffective. Many of the toolbars used warning dialogues to indicate when a phishing site was found.

Because many users have been desensitised to pop-up ads and dialogue windows in Web browsers, they may simply dismiss the warnings and enter personal information on the phishing site.

"When using an anti-phishing toolbar, poor usability could mean the difference between correctly steering someone away from a phishing site and having them ignore the warnings only to become a victim of identity theft," wrote the researchers.

Copyright ©v3.co.uk

blastsfailingphishingsecuritystudy