Technology Not Training Protects Users From Phishing - Forbes

All users fall for phishing attacks. Full stop. It doesn’t matter how smart they are or how much training they’ve received, one day, sooner rather than later, they will succumb to a clever (or not so clever) credential phishing attack, in an instant giving up their usernames and passwords for attackers to use to compromise your systems. Your users could all be Nobel Laureates, and they would still fall for a phishing attack.

The thing is, understanding—and consistently recognizing—whether a URL is safe to click on is something that nobody can do consistently. Even security experts can’t reliably distinguish correct from fake login pages. All it takes is being a bit overtired or overstressed, and even the best of us can fall victim. 

“Ah!” you say, “all my users’ apps use two-factor authentication [2FA]. That won’t happen to them.” Unfortunately, with many versions of 2FA, attackers can still use stolen credentials—they just need to use them quickly, before that TOTP code or cell phone-based authorization expires. 

Even the experts fall for phishing tricks

Back in my security consulting days, I ran a “phishing exercise” for a client, to help train their team. Just before the test started, we placed a phone call to the security admin to validate that it was indeed okay to start the test and send out our nefarious phishing emails. The call ended, we sent out the emails, and Ping! — we immediately received the credentials of the person we had just been talking to—including his 2FA code. Seconds later came a frantic phone call from that same security expert, asking us if maybe we had already started our phishing test. Indeed we had...

At the time we congratulated ourselves on our clever attack, rather than thinking about the futility of the effort. The truth is, people fall for this trick over and over again, even experts, even when they know it’s coming. Nonetheless, security experts continue to insist on training users on how to avoid credential phishing attacks.

Now, don’t get me wrong, training makes perfect sense for some kinds of security problems. For example, you can train developers to use prepared statements rather than string concatenation to avoid SQL injections in their database queries. I’ve trained people on this exact thing, and ensuing security tests showed that the lesson worked and that the problem was resolved. Even better, subsequent annual testing showed that the problems didn’t come back—the security mitigation technique I taught them had been incorporated into their secure coding guidelines. This generated the rare and wonderful feeling of success for a security reviewer. 

But phishing user credentials is not a problem like SQL injection, where users can just learn the easy way to avoid it completely; it’s more like detecting water with a divining rod. There is no subset of users that you can target for more intensive training; most of your users aren’t aware of the various valid fields in a URL, much less how to parse URIs or what Unicode code points are—nor should they be.

When it comes to credential phishing, the only thing that training users really accomplishes is allowing us to blame the victim. If what you want, however, is not to prove how inadequate users are (and by extension how smart you are), but to focus on making users’ lives easier and safer, there are ways to do that.

Technology options to prevent phishing attacks

Technical credential phishing protections like those defined in the FIDO standards do exactly that. U2F, for example, gets the browser to cooperate with the security token, sending the hostname to the device for use in its calculation of the response. Having a response that depends on the authenticating host’s name prevents attacks from lookalike domains (e.g., using ‘0’ instead of ‘O’), while improving privacy.

Already, there are lots of FIDO-based authentication keys on the market. Google shipped U2F support in Chrome shortly after the first FIDO standard was finalized. Since then, support for devices without USB ports has been added through NFC, mobile, and even a clunky BTLE interface. The common denominator for these devices is that users don’t have to type any codes to make them work—they just click a button. The authentication systems use keys based on a binary representation of the identity of the site—so there’s no chance that a user will be tricked by a phony URL that substitutes a ‘1’ for an ‘I’.
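Why binding the response to the site’s identity defeats a lookalike-domain relay, as an added example that is not Forbes’s, Google’s or FIDO’s code: it models a token and a site in which an HMAC keyed from the device’s master secret stands in for U2F’s per-site EC key pair and ECDSA signature (an assumption made so the example needs only the standard library); the origins and user name are constructed.

```python
import hashlib
import hmac
import secrets

# Simplified model of U2F origin binding, added here as an illustration.
# ASSUMPTION: real U2F derives a per-site EC key pair and signs with ECDSA;
# an HMAC keyed from the device's master secret stands in for both so the
# example runs with only the standard library.

class Token:
    """Hardware authenticator: one master secret, a distinct key per origin."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def site_key(self, origin: str) -> bytes:
        # The key depends on the origin the browser reports, never on the user.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def authenticate(self, origin: str, challenge: bytes) -> bytes:
        msg = hashlib.sha256(origin.encode()).digest() + challenge
        return hmac.new(self.site_key(origin), msg, hashlib.sha256).digest()

class RelyingParty:
    """The genuine site: remembers each user's key from registration."""
    def __init__(self, origin: str) -> None:
        self.origin, self._keys = origin, {}

    def register(self, user: str, token: Token) -> None:
        # Real U2F would store a public key; the shared key stands in for it.
        self._keys[user] = token.site_key(self.origin)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        msg = hashlib.sha256(self.origin.encode()).digest() + challenge
        expected = hmac.new(self._keys[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login_attempt(real_origin: str, page_origin: str) -> bool:
    """One login: the page the victim is on forwards the genuine challenge
    to the browser, which signs it with the origin it actually loaded."""
    token, site = Token(), RelyingParty(real_origin)
    site.register("alice", token)
    challenge = secrets.token_bytes(32)          # issued by the real site
    response = token.authenticate(page_origin, challenge)
    return site.verify("alice", challenge, response)

if __name__ == "__main__":
    print(login_attempt("https://example.com", "https://example.com"))  # True
    print(login_attempt("https://example.com", "https://examp1e.com"))  # False
```

The second call is the relay scenario from the text: the genuine challenge reaches the token, but the browser reports the lookalike origin, so the signature never verifies at the real site, regardless of how convincing the page looked to the user.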

We use this kind of phishing-resistant authentication inside Google, where it has worked super well. It’s also been adopted by GitHub, Facebook, Dropbox, and other popular sites. And the good news is that adding this kind of protection to your internal applications can be quick and easy (you could use Google Identity Aware Proxy, for example). The truth is, if you’re serious about preventing credential phishing attacks, stop trying to train your users, and start adopting an authentication technology solution that actually works.
