

School Conducts Anti-Phishing Research

Many companies have taken steps to protect consumers, but none have proven entirely effective, which is why IU believes it's important to understand phishing "in the wild," as Jakobsson describes it.

Federal laws governing university research allow scientists to use deceptive means if the risk participants face is minimal and no greater than what they would face in daily life.


Kevin McGrath, a 25-year-old doctoral student at Indiana University whose e-mail was secretly hijacked for a university experiment, surfs the internet from his parents' home Thursday, July 12, 2007 in Louisville, Ky. (AP Photo/Brian Bohannon)

Peter Finn, who serves on the Indiana review board that approves the studies, said the university believes the phishing experiments fall within those guidelines, even though about 30 students complained about the methods.

"The probability of harm from the study is nowhere near the magnitude of the harm that would result from actual phishing attacks," Finn said.

Jakobsson said researchers take steps to protect information from hackers who might snoop on the studies. The fake Web sites and e-mails used in the phishing attempts are created behind a secure server. No information submitted by test subjects is stored: the experiments, which are left unencrypted in order to mirror real conditions, record only that someone gave information, not what they provided.
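The data-minimization rule Jakobsson describes (log that a participant submitted the form, never what was typed) is easy to state and easy to get wrong in a hurry. The following is an added illustration written for this page, not code from the IU study or its servers; it assumes each e-mailed link carries an opaque participant token, that the lookalike login page posts an ordinary URL-encoded form, and that a per-study HMAC key is kept off the host serving the fake pages. The only fields that survive are a keyed pseudonym of the token, a boolean, the names of the researcher-defined form fields that were filled in, and an hour-granular timestamp.

```python
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Assumption: a per-study random key, generated once and kept off the host
# that serves the lookalike pages, so participant tokens in the event log
# cannot be re-identified by someone who only compromises that host.
STUDY_KEY = b"replace-with-32-random-bytes-from-os.urandom"


def pseudonymize(token: str, key: bytes = STUDY_KEY) -> str:
    """Map the participant token from the e-mailed link to a keyed hash.

    HMAC rather than a plain hash: without STUDY_KEY an attacker cannot
    brute-force short tokens back from the log.
    """
    return hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def record_submission(raw_body: str, token: str, now: Optional[float] = None) -> dict:
    """Turn a POSTed login form into an event saying *that* the participant
    submitted something and which fields were filled, never *what* was typed."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    filled = sorted(
        name for name, values in fields.items() if any(v.strip() for v in values)
    )
    # Drop the parsed values before building the record; nothing below can
    # reference them, so they are never serialized or written anywhere.
    del fields
    ts = time.time() if now is None else now
    return {
        "participant": pseudonymize(token),
        "submitted": bool(filled),
        "filled_fields": filled,                 # researcher-chosen field names only
        "hour_bucket": int(ts // 3600) * 3600,   # coarse timestamp, enough for analysis
    }


def leaks_submitted_values(event: dict, raw_body: str) -> bool:
    """Guard to run before an event is persisted: does any non-empty value the
    subject typed appear anywhere in the serialized record?"""
    serialized = json.dumps(event)
    typed = [
        v
        for values in parse_qs(raw_body, keep_blank_values=True).values()
        for v in values
        if v.strip()
    ]
    return any(v in serialized for v in typed)


if __name__ == "__main__":
    # Constructed sample POST body for demonstration; not real participant data.
    body = "username=student42&password=hunter2&remember=on"
    event = record_submission(body, token="a1b2c3", now=1_184_000_000)
    assert not leaks_submitted_values(event, body)
    print(json.dumps(event))
```

The guard is deliberately a separate function so it can sit in front of whatever eventually writes to disk or a database; a study server that fails that check should refuse to log the event rather than log it and hope. Running the block prints a record containing a 16-hex-character pseudonym, `"submitted": true`, the three field names, and the hour bucket, with `hunter2` and `student42` nowhere in it.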

Celia B. Fisher, a human research ethicist at Fordham University in New York, said the experiments qualify as "deception research" and are legal, even necessary.

"There is no way to find this information out without deceiving the participants, because as soon as you tell them what you're doing, you won't have any real information," she said.

But Lorrie Cranor, who directs an anti-phishing group at Carnegie Mellon in Pittsburgh, said controlled laboratory studies can be just as useful.

The school has developed an online tool accessible only from its labs called "Anti-Phishing Phil" to lead participants through scenarios based on actual phishing attempts. The experiment aims to determine which methods work best at deceiving users.

Cranor's research has found that successful phishing attempts rely on human vulnerabilities such as greed, curiosity, ignorance and fear.

"When you talk to someone, you look in their eyes and say, 'Does this look like they're telling the truth?' And we get pretty good at making these judgments," she said. "But most of us are not very good at making these judgments online."

Conditioning users to recognize those weaknesses before it's too late is the safest way to combat phishing, she said.

"If we were to collect personal information from people, we have to be very careful," Cranor said. "You don't want to be responsible for holding a list of people's Social Security numbers."

____

On the Net:

The Anti-Phishing Group at Indiana University: http://tinyurl.com/2dru4e



© 2007 The Associated Press