This may have been my favorite session. The content and the speaker were great.
There is a theory that there are fundamentally two modes of thinking, System 1 and System 2.
System 1: fast, instinctive, gullible, emotional.
System 2: slow, methodical, skeptical, rational.
The problem is that every method of preventing phishing requires System 2. When I talk about System 1 making security decisions, I call it the "lizard brain". One of the open questions I still have is how you create instinct.
The talk focused on phishing for credentials. The attacker creates an email with "a hook", a call to action (e.g. verify your account, verify your settings, verify your salary). The victim clicks a link and is sent to the phishing site, which then harvests the credentials.
Based on the data used, the presenter found that people are more susceptible (the phishing campaign gets a better hit rate) when the email looks very much like the site it is spoofing, even when that site's genuine emails have traditionally been plain text only.
I believe this resonates with some of the research being done at Duke (by Dan Ariely, I think) that was presented while I was getting my MBA. I'd have to find the research, but I believe it could be the blueprint for launching successful phishing campaigns.
From the talk at Duke, the fundamental idea is that humans prefer processes, items and people that are similar to something they already know, even when they do not like the thing being resembled. For example, a blended picture of a random person and an ex-president tested better than the picture of the random person alone.
Another interesting tidbit is that people don't trust the password manager. If the password manager doesn't fill in the password because the site is indeed malicious, people will go ahead and type the password in by hand. That empty field is the signal worth heeding: the manager matches saved credentials against the site's origin, so a look-alike domain gets nothing.
For now, be careful and trust the password manager.
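To make the password-manager point concrete, here is an added example (my own illustration, not code from the original post or from the talk it summarizes) of the origin check a manager performs before offering a saved credential. Credentials are bound to the exact origin (scheme, host and port) they were captured on, so a look-alike page gets no match; the example also labels why it is not filling, since an unexplained empty field is exactly what users override. The vault contents, hostnames and URLs are constructed sample data.

```javascript
// Added example, not code from the original post or the talk it summarizes.
// Shows why a password manager refuses to fill on a look-alike site: a saved
// credential is bound to the exact origin (scheme + host + port) it was
// captured on. VAULT and all URLs below are constructed sample data.

// Saved credentials keyed by origin (constructed sample data).
const VAULT = new Map([
  ["https://bank.example.com", { username: "alice", password: "hunter2" }],
]);

// Levenshtein edit distance, used only to label near-miss hostnames
// such as typosquats (bnak.example.com) in the refusal reason.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,
        d[i][j - 1] + 1,
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return d[a.length][b.length];
}

// Decide whether to fill on the page at pageUrl. The credential is returned
// only on an exact origin match; every other outcome carries a reason the UI
// can show, because "the field stayed empty" is the signal users override.
function autofillDecision(pageUrl, vault = VAULT) {
  let page;
  try {
    page = new URL(pageUrl); // normalizes case, resolves the origin
  } catch {
    return { fill: false, reason: "unparseable URL" };
  }
  const cred = vault.get(page.origin);
  if (cred) return { fill: true, reason: "origin match", credential: cred };

  for (const savedOrigin of vault.keys()) {
    const saved = new URL(savedOrigin);
    if (page.hostname === saved.hostname) {
      // Same host but http instead of https, or a different port.
      return { fill: false, reason: `scheme/port differs from ${savedOrigin}` };
    }
    if (page.hostname.endsWith("." + saved.hostname)) {
      return { fill: false, reason: `subdomain of ${saved.hostname}; nothing saved there` };
    }
    // bank.example.com.evil.net, bnak.example.com, and similar look-alikes.
    if (page.hostname.includes(saved.hostname) ||
        editDistance(page.hostname, saved.hostname) <= 2) {
      return { fill: false, reason: `look-alike of ${saved.hostname}: likely phishing` };
    }
  }
  return { fill: false, reason: "no credential saved for this origin" };
}

// Stand-alone demo over constructed page URLs.
for (const u of [
  "https://bank.example.com/login",
  "http://bank.example.com/login",
  "https://bank.example.com.evil.net/login",
  "https://bnak.example.com/login",
  "https://mail.example.org/",
]) {
  console.log(u, "->", autofillDecision(u).reason);
}
```

The match is deliberately exact: a credential saved on `https://bank.example.com` is not offered on the `http://` version, on a subdomain, or on any host that merely contains or resembles the saved name. Real managers differ in how they treat subdomains and typo distance; the refusal reasons here are illustrative, the origin binding itself is the property that matters.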
In the future, U2F (Universal 2nd Factor) will be built into Intel chips. U2F matters for phishing because the authenticator's signature covers the origin of the site requesting authentication, so a key registered with the real site cannot be used from a look-alike page. From my independent investigation, U2F has huge promise.