Mac users urged to ditch Safari

Surfers should steer clear of Safari until it introduces better anti-phishing protection, a US consumer rights magazine has advised. Consumer Reports lists "thinking your Mac shields you from all risks" as one of the seven biggest online blunders that expose surfers to risk online. It advises Apple fans to consider using …

COMMENTS

  1. greenmantle
    Paris Hilton

    Hang on...

    "Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should," Consumer Reports said.

    ... Does that mean that anti-phishing gizmos are perfectly useless as whether people have them or not they still get had just as much?

    Paris, coz she likes phishing too...

  2. Anonymous Coward
    Paris Hilton

    hmm

    surely anti-phishing toolbars are like baby-proofing your house and then hiring the local paedo to babysit.

    If most attacks are carried out through complete dickheads clicking on rogue links in their email and inviting attack then that's where the problem lies.

    Don't get me wrong, I'm not an Apple apologist, but protecting idiots from their own stupidity is counter-evolutionary.

    Paris because even she wouldn't be dumb enough to update her paypal details from an email link.

  3. Tony Carter-Inman

    Mac users less likely to fall for a phishing site?

    This survey states that the risk of a user falling victim to phishing is the same whether they're on a Mac or a PC.

    If this is the case, then how does the survey reconcile with the fact that most Mac users are using Safari (no phishing filters) and most PC users are using Firefox (with phishing filters)?

  4. Grant Mitchell
    Alert

    Another interpretation

    "Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should," Consumer Reports said.

    So, Wintards, who have a plethora of these toolbars, are just as likely to be scammed as Mactards who, by default, don't (same rate of scamming).

    So are they saying these toolbars do feck all?

    I think that soundbite might need some re-wording. :)

  5. Alexis Vallance

    No nagging

    Isn't that one of the plus points of Safari though? No nagging pop-up boxes.

    No anti-phishing toolbars sounds pretty good to me.

    If you're the kind of person who relies on a pop up to tell you that the link you've clicked on in your email might not be your proper banking site, perhaps you shouldn't be on the internet in the first place?

  6. Anonymous Coward
    Jobs Horns

    But really ....

    ... who uses Safari as their browser of choice anyway? I know of one person, but they're a designer so make of that what you will.

    The only reason I keep it around on my work Mac is for website testing - hell, even our Mac-using clients, of which there are a few, don't even use it and they're hardly what you'd call IT-savvy in a lot of cases.

    Anyone who uses Safari for Windows is likely so in need of having their heads examined that phishing scams would be the least of their worries.

  7. Adrian Jackson
    Linux

    Stupid Mac users.

    Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure.

  8. Anonymous Coward
    Anonymous Coward

    Proof that Mac users are generally smarter than Windows users...

    "Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar."

  9. Chris

    @Tony Carter-Inman

    "most PC users are using Firefox"

    Last time I checked, 15% wasn't "most". You'd be thinking of IE there.

  10. Pete Spicer
    Coat

    @ Tony Carter-Inman

    "...most PC users are using Firefox"

    Really? I thought IE still was the dominant browser with ~75% of the market share?

    Since IE is (mostly) Windows-only, I can't see how most PC users use Firefox... most of the sensible ones do, but these are the ones that all other things being equal might not be dumb enough to be phished anyway.

  11. Andy Worth

    Re:No nagging

    I was just about to say, I've never used an anti-phishing toolbar, purely because I trust in my own ability not to be fooled into giving away my details to dodgy sites.

  12. Anonymous Coward
    Unhappy

    Arrogance

    It's good to see techies being arrogant and condescending to users who might not understand the intricacies of DNS, the HTTP protocol, HTML email, and how web browsers work. As in much of life the majority of users don't need to know how something works in order to use it, and so do need help and protection for when those things fail.

    Next time you go for some tax or legal advice I hope the person behind the desk laughs at you for being so stupid as to not understand how HMRC or the Bar Council operate.

  13. Jared Earle
    Happy

    Browser of choice

    "who uses Safari as their browser of choice anyway?"

    Not me, I use OmniWeb. Oh, wait ...

  14. TeeCee Gold badge
    Stop

    Re: Mac users less likely..........

    ".....most PC users are using Firefox (with phishing filters)?"

    That'll be your problem. I think you'll find that *most* (i.e. Joe Public) PC users are using IE and a sizable chunk of those are still on IE6 or earlier.

    The Safari security problem can only get worse. The majority of the people I know who are either thinking of moving to Mac or have already done so are taking the plunge because they find Windows too complicated and the Mac "Well, it's easier innit? Says so in the ads.". The lowest-hanging fruit around.

    Hark, is that bleating I hear from the new, enlarged Mac community?

  15. Rhyd
    Coat

    PC != Windows box

    I wish people would stop using PC incorrectly. Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive, it's still a PC.

    That said, IE's still the dominant browser on PCs, sadly.

    /Mine's the one with adjacent sibling selector capable browser.

  16. Mattyod

    @ Adrian Jackson

    "Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."

    Really? So Linux now comes with a gullible user patch?

  17. Bastiaan van Zwieten
    Dead Vulture

    Internet Helpdesk, how may I help you?

    You think you're a victim of fisting?

    Oh, your bank-account has been emptied, don't you mean phishing?

    OK, are you currently online? Great, please go to your start-page.

    Yes, that's the first website you see when you open your webbrowser.

    //-- STOP!!!!! --//

    Before this gets out of hand, I'll just get to the clue here:

    The number of people who can't even properly read out the URL of the website they are visiting is really massive, there is no protection for that.

    They are the same people who are unable to distinguish between Yes and No when their OS asks them if they really, really, really want to erase their entire hard drive and external storage and who are still waiting for those Nigerian $$$, and, and, and ...

    and ...

    ...

  18. Anonymous Coward
    Anonymous Coward

    Firefox or Opera? Nah

    OmniWeb beats anything else hands down, but it is probably too much to ask to remember the names of more than 3 products.

  19. Jodo Kast
    Go

    It's not arrogance, it's User Ignorance

    And dammit, the users do fight to remain ignorant.

    Everything you need to know is at wikipedia (search for phishing).

  20. Anonymous Coward
    Anonymous Coward

    @Proof that Mac users are generally smarter than Windows users...

    Either that, or they're still trying to work out how to read their emails, or trying to manipulate that stupid little mouse with their twisted, inbred hands.

  21. Anonymous Coward
    Anonymous Coward

    PC?

    "Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive it's still a PC."

    Nonsense. I have several BSD boxes and they are not PCs, they don't have any means to connect a keyboard nor a mouse and you could not use them for "personal computing" tasks, they are appliances, not PCs.

    Similar situation with various appliances that run Linux.

  22. Anonymous Coward
    Anonymous Coward

    Complacency OS

    "Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."

    Seems to me your brain is powered by Complacency OS though, which is far more insecure than anything else.

  23. Kenny Millar
    Jobs Halo

    Said it all before

    I'm a total Mac head, but I'm not stupid.

    I love my Mac, and my OS X, but I hardly ever use Safari on Mac OS or Windows.

    Firefox is faster and safer as far as I can see.

    Having said all that, Safari is STILL better than anything from Microsoft.

    Plus, if you get sucked into a phishing site, you deserve to have all your money stolen from you anyway.

  24. Alexis Vallance

    Maybe

    "It's good to see techies being arrogant and condescending to users who might not understand the intricacies of DNS, the HTTP protocol, HTML email, and how web browsers work"

    You've got a point there to be fair.

    But not everything has to be dumbed down to the lowest common denominator. That's what pushed me away from IE (and eventually Windows) - the constant nannying.

    "Look at me - I've got rid of a pop up for you"

    "Look! Look! I've found a nasty phishing site"

    "Look dad! Windows Defender (registered trade mark) has saved the day!"

    Aargh!

  25. Anonymous Coward
    Anonymous Coward

    displaying a fake URL can only be fraudulent => it should be outlawed

    "if you get sucked into a phishing site, you deserve to have all your money stolen from you anyway."

    I would have to disagree with that. Let's presume an old granny who has been given a Mac/PC to stay in contact with grandchildren. How is granny supposed to suspect that a link that says http://www.mybank.com is actually a link to http://www.yourfriendlyfraudster.cc ?!

    Browsers and mail clients already have the ability built in to recognise that a given string is a URL. How difficult could it be to use the same library call to check the plain text string that accompanies the URL? If that string is a URL, too, and the two URLs do not match, then the data should be rejected altogether. It shouldn't be displayed because there is no legitimate use for presenting one URL as another URL; the only possible use for this is fraud, as simple as that. So why would any software display the fake URL, considering a) it is easy to detect and b) the only possible application is fraud?

    I am not an Apple basher, but I have to agree with the notion that fake URLs should be censored by client apps. I wonder what would happen to a print shop if they allowed their equipment to be used for printing fake passports and driver's licenses. They could try to hide behind their customers all day long; they'd be in the dock alongside.

  26. Anonymous Coward
    Anonymous Coward

    FF, Opera or Omniweb?

    Tried them all, and Opera wins hands down, it does everything the others do, and tonnes more...

  27. Gordon Pryra
    Jobs Horns

    they are saying

    That the same amount of Mac as Windows users get scammed

    Except there are many many more Windows users

    So a far higher % of Mac users get scammed than Windows users

    As much as I HATE Macs, I do know that the average Mactard has (normally) a higher IQ than the run of the mill Windows fool.

    This actually shows that the anti-phishing tech works well, protecting the brain dead and the moron "next,next,ok,next,ok,oops" crowd.

  28. Anonymous Coward
    Gates Halo

    "most PC users are using Firefox"

    I don't know what's worse, a Firefox fanboy or an Apple worshiper who says that Macs don't need anti-phishing filters unless St. Steve decrees it (like two-button mice, standard screen resolutions, Pentiums, Unix, etc...).

  29. Geoff Edwards

    Not a PC?

    "Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive it's still a PC."

    I think the term Personal Computer, although it should refer to Apple Macs as well, is not used that way. Because the PC is an open design that may be manufactured by any company it is distinct from the Apple Mac that is not an open design. When people talk about the desktop or laptop computer they are referring to machines that probably are running MS Windows.

    Historically we are using a term that used to be "IBM PC" and this became shortened to PC - the key is the common hardware platform. The Apple Mac is not a PC because it doesn't have a common hardware platform as do all other personal computers.

  30. Anonymous Coward
    Joke

    Eh, bunch of whining newbs....

    I do my secure internet transmissions through an RS-232 serial cable that I've cut the end off, and just press the bare wires against my testicles. No phishing scam ever got past my boys!

  31. Patrick O'Reilly
    Linux

    Opera! Opera! Opera!

    Sorry did I say that out loud?

    "Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar."

    And GNU/Linux users rarely fall prey because to install and run GNU/Linux you need more than 64k of brain cells.

  32. Chris

    @displaying a fake URL can only be fraudulent => it should be outlawed

    As far as I know most of them don't attempt to mask the URL in any way. From the many (very poorly written - surely they could just run spelling and grammar checks on them before sending them out??) phishing attempts I get in my email, the link is something like:

    www.hsbc.com.34fg463fdgt567.nz/online_banking

    i.e. the hsbc.com bit is a subdomain to the 34fg463fdgt567.nz bit.

    Sounds easy to spot, but at a glance, certainly for the end user, they see www.hsbc.com and they're fooled.

    Still with the amount of money that is lost through this each year, I'm sure they could just ban hsbc.com and any other major banks names as a subdomain at a browser level. At least stick up a great big warning.

    Interestingly tho, even though IE's phishing filter doesn't always seem to work very well, Outlook informs me with a big red banner that the email is a phishing attempt. Maybe they have some of those kind of checks in there now too...

  33. Cavehomme
    IT Angle

    Mac Off!

    "Paris because even she wouldn't be dumb enough to update her paypal details from an email link."

    Maybe, but she might not be a Mac user! Most Mac users seem to live in beautiful blissful ignorance of any security issues. That's how life really should be, and you techies should all make it like that for everyone.

    But the trouble is that I reckon most Mac techies are so bloody arrogant and ignorant of anything non-arty that they could not even spot a phishing attack, hence no such feature in Safari, which also is a crap browser anyway.

  34. Anonymous Coward
    Paris Hilton

    @Rhyd PC = Windows Box

    Macs are not (ask Apple) PCs. As soon as Apple puts its open source OS with candy interface on a PC it becomes a useless overpriced pile of steaming.....

    As for Safari, it was easily predictable. Apple is not ready for the real world. It has no concept of security and it will take decades before it is even close to being safe to have a Mac on the "net"; a big part of it is because the general IQ of a Mac user is in the single digits.

    Paris? Because she is the perfect example of a typical Mac user.

  35. blackworx
    Flame

    We need a <rant> icon - the flame don't cut it

    My only experience of Apple software is iTunes and Quicktime, usually temporarily forced upon me by a visitor unable to operate his or her precious iPod without them. Each time I'm confronted with the horror that is Apple's flagship bloatware duo I have to be sick a little bit in my mouth to stop part of me from rotting away inside.

    Over the last dozen years I've watched Quicktime evolve from a mildly irritating, feature-crippled media player to a fully fledged pain in the arse resource hog feature-crippled media player. As for iTunes - seriously WTF? Simple, intuitive, user-friendly: all words that get bandied about, but iTunes is none of these things. WMP is useless crap but iTunes is in a league of its own.

    I'll get back to you if and when I've had Safari forced down my throat and then garrotted in place with a supersoft black cotton rollneck - but I can't say I'm expecting any better.

    Why would anyone willingly use this crud? Oh, that's right most people don't. They're locked into it because they think their iPod won't work without it, or they can't see a pissy little web clip unless they install 20MB of Quickbloat, or they've had Safari shoved up their drainpipe by Apple update... a small step from there to ignoring the default browser for links followed from inside other Apple apps, then let Safari wheedle and obfuscate its way to becoming the system default browser. Poor suckers.

    Makes me sick, grinds my gears, won't somebody please think of the etc.

  36. Pavlovs well trained dog

    Safari Sucketh Piles

    truly, it's bad bad bad. Well, on full-fat OSX anyway. None of the crashing or other unpleasant issues I have with it on my Mac seem to occur on my iPod Touch

    Still, every OS has to have something bad about it.

  37. Rhyd
    Paris Hilton

    Sigh

    @ A/C

    I didn't say that because it runs one of those it MUST be a PC; what I meant is the fact that a box runs something other than Windows doesn't mean it's not a PC.

    @ Geoff Edwards

    I see your point, but the term was around before the IBM PC. The Apple Mac is a personal computer - intended to be used by one person at a time, unless you're using it as a server, appliance.... Also, "doesn't have a common hardware platform"? Don't think that's been true for a fair while now.

  38. Tom Simnett
    Stop

    @ Adrian Jackson

    "Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."

    I'm a day-to-day Linux user myself, and granted, my machine is set up in a fail closed rather than a fail open way, so that ports are a) off by default, and b) turned off if the thing that uses them fails.

    However, I don't agree with the primary premise of yours Adrian, mostly because it's unsubstantiated. Linux and Mac OS X, and even sometimes Windows, can be as secure as each other when configured properly. Therein lies the problem, as for the most part, the default configuration of Linux tends to be slightly more secure than the other two, though this is by no means definitive (NB: I'm not comparing other OSes here, just the three main ones, and yes I know BSD is by its nature even more secure). On the other hand, a user clicking on a link in an email, or on a website, is not safeguarded by the OS in any way, shape or form. This is the realm of the browser, and ultimately the user, to ensure they browse safely. Anti-phishing tech just allows the (usually) non-techie users to make an informed choice, which they'd otherwise not be able to do.

  39. Danny Goodman

    The Phishers Are Coming for Apple IDs

    Not that all iTunes Store customers run Safari (despite Apple's earlier attempt to force feed the browser to Windows users), but a recent phishing campaign to get credit card and Apple ID credentials is aimed squarely at Apple customers. See writeup at spamwars.com/archives/2008/08/itunesapple_id.html.

    Of course, El Reg readers are too smart for the crooks (as commenters would like us to believe), but it's the gazillion non-Reg readers who keep the spam and malware economies alive.

  40. Anonymous Coward
    Anonymous Coward

    Fanbois and *tards

    You have to laugh at the sheer pointlessness of the majority of comments here.

    What's better, the Speccy or the C64?

  41. Anonymous Coward
    Anonymous Coward

    only difference is software now

    "the PC is an open design that may be manufactured by any company it is distinct from the Apple Mac that is not an open design."

    Not any more. Apple is now using motherboards designed by Intel, sold to anybody else who wants them. The only thing that is different now is the firmware, Apple uses Intel's EFI, other vendors still use BIOS.

  42. Richard Porter
    Dead Vulture

    It is a PC

    “The Apple Mac is not a PC becomes it doesn't have a common hardware platform as do all other personal computers”

    I have a Mac with "PC" on the front. OK, it's PowerPC but it's still a personal computer. I also have a RiscPC.

  43. Chris

    @Fanbois and *tards

    "You have to laugh at the sheer pointlessness of the majority of comments here."

    Congratulations on keeping up that 100% pointless comment record.

  44. Richard Porter
    Gates Halo

    The Browser is Irrelevant!

    By the time you launch the browser you've already fallen for the scam. The important thing is ALWAYS to read messages in PLAIN TEXT - even HTML-only ones. Then bogus URLs are obvious because they don't match the text link or they don't show at all so are harmless.

    So the best advice is to use a sensible mail client like Messenger Pro on RISC OS which doesn't open mail in a browser unless you really, really want it to.

  45. Jodo Kast
    Go

    Neither

    The Atari ST ftw

  46. Anonymous Coward
    Anonymous Coward

    @ Chris

    "the link is something like:

    www.hsbc.com.34fg463fdgt567.nz/online_banking

    i.e. the hsbc.com bit is a subdomain to the 34fg463fdgt567.nz bit.

    Sounds easy to spot, but at a glance, certainly for the end user, they see www.hsbc.com and they're fooled."

    interesting, I didn't know that since I delete all mail purporting to be from a bank without looking at the content because my bank only use postal mail, never email to contact customers.

    "Still with the amount of money that is lost through this each year, I'm sure they could just ban hsbc.com and any other major banks names as a subdomain at a browser level."

    Why not go one step further and let browsers block any URL where .com/.net/.org shows up further left than second last position. I can see no reason why legitimate websites would want to use .com/.net/.org in the middle of a URL, again, the only possible application here is fraud, so block them. And this should be turned ON by default.
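The link tricks described in this comment and in Chris's comment 32 (a bank's domain used as a subdomain of a throwaway host, a .com label sitting in the middle of a hostname) and the visible-text/href mismatch from comment 25, run as a mail-side check. This is an added example, not code from any browser, mail client or commenter; the protected brand list, the sample mail body and all reason strings are constructed for the demonstration.

```python
"""Heuristic phishing-link checks discussed in the thread, run over a
constructed HTML mail body. Added example; not code from any browser,
mail client or from the commenters."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the filter protects (assumed; not a real product list).
PROTECTED_BRANDS = ("mybank.com", "hsbc.com", "paypal.com")
# Labels that, per comment 46, have no business sitting left of the second-last label.
GENERIC_TLDS = ("com", "net", "org")
# Loose "this string is a URL" test: optional scheme, dotted host, optional path.
URL_RE = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#]\S*)?$", re.I)


def hostname_of(text):
    """Lowercase hostname of a URL-looking string, or None if it is not one."""
    s = text.strip()
    if not URL_RE.match(s):
        return None
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host.lower() if host else None


def check_hostname(host):
    """Reasons (possibly none) why a hostname looks like a lookalike of a protected brand."""
    reasons = []
    labels = host.split(".")
    for brand in PROTECTED_BRANDS:
        # Genuine: the host is the brand itself or a real subdomain of it.
        if host == brand or host.endswith("." + brand):
            continue
        # Lookalike: the brand's labels occur, but other labels follow them
        # (comment 32's www.hsbc.com.<junk>.nz). The dots keep the match label-aligned.
        if "." + brand + "." in "." + host + ".":
            reasons.append(f"'{brand}' used as a subdomain of {'.'.join(labels[-2:])}")
    # Comment 46's rule: com/net/org anywhere left of the second-last label.
    # Known limitation: this also flags a legitimate host with such an inner label.
    for label in labels[:-2]:
        if label in GENERIC_TLDS:
            reasons.append(f".{label} appears inside the hostname")
            break
    return reasons


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_html(body):
    """Return [(href, visible text, reasons)] for every suspicious anchor in an HTML body."""
    parser = _AnchorCollector()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host, text_host = hostname_of(href), hostname_of(text)
        # Comment 25's case: the visible text is itself a URL, but for a different host.
        if href_host and text_host and href_host != text_host:
            reasons.append(f"text shows {text_host} but the link goes to {href_host}")
        if href_host:
            reasons.extend(check_hostname(href_host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample mail: both tricks from the thread plus one genuine link.
SAMPLE_MAIL = """
<p>Please confirm your details at
<a href="http://www.yourfriendlyfraudster.cc/login">http://www.mybank.com</a></p>
<p>Or log in <a href="http://www.hsbc.com.34fg463fdgt567.nz/online_banking">here</a></p>
<p>Genuine: <a href="https://online.hsbc.com/">https://online.hsbc.com/</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in check_html(SAMPLE_MAIL):
        print(f"{href} (shown as {text!r})")
        for reason in reasons:
            print("   -", reason)
```

The genuine online.hsbc.com link passes and the two lookalikes are reported; as later comments note, list-based heuristics like these have failure rates, so the brand list needs maintaining and the inner-.com rule will also flag any legitimate host that happens to carry such a label.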

  47. Richard Cartledge
    Dead Vulture

    Think different

    The point is - there is no anti twat knacker crap

    I use Safari because i don't want the bloatware that is Firefox.

    I can look after myself in cyberspace, I don't want some dumbed down crap that checks every site I visit for a third party's approval.

  48. RichyS

    @AC

    Speccy or C64? Are you insane? It's the Beeb Model B...

  49. Mike Moyle
    Boffin

    @ Gordon Pryra

    Re: they are saying

    "That the same amount of Mac as Windows users get scammed

    Except there are many many more Windows users

    So a far higher % of Mac users get scammed than Windows user"

    Actually, they are saying the exact opposite:

    "Mac users fall prey to phishing scams at about the same rate as Windows users..."

    That is, that approximately the same >>percentage<< get taken, not that the same >>number<< do.

  50. Dave Robinson

    You're all idiots, except me

    The level of erudite commentary in this thread beggars belief.

    I've got a Mac... that runs Leopard and XP. I've got a PC... that runs XP and Linux. I've got a Linux box (it could run XP, but no point without a monitor or keyboard). They're all equally good. The browsers are all equally good too. OK, so some render pages better than others, but they all operate with varying degrees of slight wrongness. The question is not really one of "what's better". They all get the job done.

    Going back to the original subject, the Internet is basically a dangerous place. You could use an analogy with cars. Give a learner a Ferrari, and he's likely to crash it quite soon. The fact that it has fantastic levels of grip, and phenomenal brakes, is not going to stop them ploughing off the road at the first available opportunity. You can give some PC users anti-virus, anti-spam, anti-phishing, anti-spyware, but it's not going to stop them ploughing off the road at the first sign of a tempting 419.

    When I surf the Internet (with Safari on Mac by preference, but I'm not particularly partisan), I drive slowly, look well ahead, and keep my equipment regularly serviced.

  51. Mike Flugennock
    Jobs Halo

    Y'mean...people are actually _using_ Safari?

    When I first got my G4 home and fired up OSX, the first thing I did was install Mozilla, Firefox -- and a copy of IE for those knuckle-dragging old sites that still demand it -- and trashed Safari after discovering it wouldn't import any of my bookmark lists. That was enough for me; that was weak as shit, so into the Trash went Safari.

    I gave Opera a shot, but it was way too slow on my system, and had a bad habit of blowing up in my face.

    MacOS user since 1985, first and only computers I've ever owned, and I _like_ it that way.

  52. Sean Baggaley

    The Internet...

    ... was never designed for the use it's seeing today. It was designed and built by nerds *for* nerds. The Ignorant, IT-illiterate general public were NEVER meant to use it.

    Why is Phishing even *possible*? This is a UI issue, not a user issue. Any interface that can be so abused should be taken out and shot.

    Why is spam possible? This is, again, a UI issue, not a user issue. Quit blaming people who have WAY better things to do with their time than read $90, 1000-page books on securing servers. Some of us actually want to *work*, not just fix the damned tool.

    Seriously, how about all you f*cktards and willy-wavers shut the hell up and get on with FIXING THE BLOODY PROBLEM, rather than pointing fingers at anyone who hasn't spent as many decades studying IT as you have?

    The Internet -- not Safari, not IE, not any other sodding browser -- is the PROBLEM, not the solution. It needs to be made usable by people who have no idea what an IP Address is because they shouldn't HAVE to know.

    Most people have no bloody clue what a frame flyback is, or what protocol is used to transmit digital TV. Because they don't NEED to know. It just works. Why the hell can't the internet be like this?

    FYI: I use Safari. I've also used every version of IE, back when I used Windows. I have NEVER, in over 20 years, had a virus, a piece of malware, or any other problems. Why? Because I've been in this industry for 25 f*cking years. I am NOT representative of Joe Public and I know it. Strange how few others seem to have that level of awareness.

    Grow the f*ck up and start producing decent, quality products that (a) don't crash -- yes, it IS possible, though you'll probably want to stop using 30-year-old tools and paradigms first -- and (b), don't require a 300-page manual.

    People are getting tired of shitware. I'm one of them. Enough already. How about all you so-called "experts" stop arsing around inventing Web 3.0 and spend a little time on getting us to Internet 2.0 first? Foundations first. House second. That's how it's done in the building trade. Learn.

    (Harrumph!)

  53. Francois
    Black Helicopters

    what is safer?

    Use my brain to choose which sites to trust or let Google and Microsoft know of every site I'm visiting? 'Cause that's what you do with phishing filters, regardless of what your cookies settings are or how powerful your adblocker is, isn't it?

  54. blackworx

    Speccy +3 ftw!

    I love the way there's always a commenter saying: "oh man it's so easy I just do x and y obvious things then easy-to-avoid z is never a problem for me because I have da clevurz". I would've thought the majority of the readership here know perfectly well how to avoid the pratfalls of the issue at hand.

  55. Jon

    Smarter than the rest?

    I'm really not stupid enough to fall for it... and I definitely don't need the "ARE YOU SURE". YES I'M SURE OR I WOULDN'T HAVE CLICKED IT.

    To quote Black Hawk Down,

    "This is my safety Sir." ::points finger::

  56. Anonymous Coward
    Anonymous Coward

    An engaged brain is the best anti-phishing tool

    While I agree that anti-phishing features in a browser are nice, the Carnegie Mellon computer ppl have shown that all the anti-phishing tools have failure rates. <http://lorrie.cranor.org/pubs/ndss-phish-tools-final.pdf>. So anyone dumb enough to rely on an anti-phishing tool as their only means of protection needs more than a new browser. Safari has other safety features which ignorant ppl can benefit from - for example, it warns when one is downloading an application, so it's harder for a perpetrator to disguise something that can execute code as something that shouldn't. Rather than ditch Safari, it'd make more sense for ppl who don't engage their brains to switch their DNS server to OpenDNS (obviously desirable for other reasons these days), which would afford some anti-phishing protection.

  57. Rick Damiani

    Not a security issue

    Phishing scams are not really a security issue that can be fixed with better software engineering. Genetic engineering, maybe, but not software.

    In any event, anti-phishing 'toolbars' can cause more problems than they prevent because the presence of them fools the gullible (who are most at risk for such scams) into thinking that 'if the browser says it's OK, then it's OK'.

  58. greg

    who cares about phishing anyway ?

    Not me.

    For a start, I got no credit card.

    For a second, the day I get a credit card, it's never going to be used on the internet, no matter what site: not on my bank's site, not on EasyJet's site, not on any e-auction site, etc.

    This way, whoever wants to empty my account needs to steal my debit card and my PIN code (it's not written anywhere in my world), then he can steal 1000$ a day, 3 days in a row if I don't notice it, then that's all he can ever get.

    Or, he needs to steal my identity card too, manage to look like me and sign like me. Won't work well.

    Seriously, anyone in their right mind would never trust the internet for any payment : we lived pretty well without it for long enough to keep living better without, that's my philosophy.

  59. drunkenmojo

    Re: Think different

    "I use Safari because i don't want the bloatware that is Firefox."

    Bloatware? On Windows Firefox 3.0.1 weighs in at 7.2MB (all MBs stated in CS 2^20 bytes grammar) while Safari 3.1.2 is an 18.6MB download. On MacOS X 10.4, Firefox is at 17.2MB while Safari is at 39.0MB. Even after installation, Safari still takes up more disk space. Speed wise, the two run neck-and-neck on default config--enabling pipelining significantly improves FF3 performance while systems with limited memory resources suffer significantly running Safari with extended usage.

    Don't think differently just for the sake of thinking differently... that can only lead to madness.

    "Download Safari

    The world's best browser. Now [as insecure as ever]."

    - Safari download site

    "Security

    Apple engineers designed Safari to be [in]secure from day one."

    - Point 12 from Why you'll love Safari

  60. Franklin

    @Sean Baggaley

    "Seriously, how about all you f*cktards and willy-wavers shut the hell up and get on with FIXING THE BLOODY PROBLEM, rather than pointing fingers at anyone who hasn't spent as many decades studying IT as you have?"

    Because the problem is ignorance and gullibility, not technology. Ignorance and gullibility don't have technical solutions.

    Any "anti-phishing" technology is only as good as the current list of known malicious sites or the current URL scheme being used right now. That is to say, at best it's a stopgap and at worst it creates a false sense of security. The real problem is that people are gullible and naive, and believe without question anything they read in email no matter how outlandish it may be.

    And no software patch can fix that.

  61. Anonymous Coward
    Anonymous Coward

    Who Cares?

    "Seriously, anyone in their right mind would never trust the internet for any payment : we lived pretty well without it for long enough to keep living better without, that's my philosophy."

    What time capsule from the past did you ride out of?

  62. Bert Chadick

    Safari is sooo pretty

    Ok. Safari has a hole. Phishing requires a bit of credulity on the part of those phished, and Apple will fix it. Don't get your panties in a bunch. I've never used Opera, but Firefox is slow and ugly. It reeks of second rate Windows interface. Ick.

  63. David Barr

    We're hardly the people in question

    I think it's only fair to point out that anybody reading this is extremely unlikely to be the victim of fishing (who the fuck called it phishing, is it those asshats that call stuff e-Account. i-Crap and cyberwossit).

    As someone pointed out above it's when the URL "looks like" a banks URL to the casual unsavvy observer.

    Sadly we're all going to get those little card reading gizmos that essentially mean for a short time the fraudsters will be unable to operate... until they develop their software to login to a bank account and then pass the request for the code back to the user. At that point I can't see the gizmos being much use.

    So if browsers get advanced and have a bar that says "THIS IS YOUR BANK" then it'll be trojans that will be relied on... hosts file = THIS IS YOUR BANK.

    The only way I can think of that would be mainly effective is requiring people to make a telephone call, type in a PIN code and then when a number is read out use that to log in. Sadly though fraudsters will then just try to propagate false numbers. But I suspect BT would be quicker to act on those numbers than the "Internet Police" - which don't really exist (and please Labour don't try to make them).

    There's very low incidence of fraudsters sending fake letters to people at the moment, I guess because it's easier to just get dumb people to type in their details. But when doing it by the internet doesn't work, you can bet that the fraudsters will start sending out headed letters saying to call this number to verify themselves or whatever.

    Ultimately though there's no way to absolutely prevent it - other than educating every single person that uses the internet on how to spot a fake URL, and how to ensure their system isn't compromised. And even then there's the frequent security holes and the potential to alter hosts files.

  64. Sam Radford
    Jobs Halo

    What's Safari

    I don't use Safari. I just click on the little compass in the stripe at the bottom of my screen and I can Google. Oh, I have three messages in my Mail. Excuse me; The HSBC, Barclays and Natwest have all lost my account details and if I don't enter my password within ten seconds my best friend will die. Yeah, right! [delete] [delete] [delete]

  65. blackworx
    Paris Hilton

    @ Bert

    You may find this hard to believe but there are a significant number of people who often find Apple's holdy-handy shiny UI attempts counterintuitive and second rate. Of course it's true that for many it's because they're so used to what you term Windows' icky interface, but for others it's simply because Apple's holdy-handy shiny UI attempts often actually are counterintuitive and second rate. Oh sure, you could argue they never look or feel "icky", unlike some of the atrocious attempts out there in Windows-land, but if that's your only measure of an interface's effectiveness then you're the perfect Apple customer.

    Paris' interface is never icky. Or always icky. Depends on your perspective I suppose.

  66. heystoopid
    Paris Hilton

    So

    So when is CrApple going to be sued for false and misleading advertising due to all these weak security underpinnings within its much touted supposedly superior OSX , thus becomes the new question of the month ?

  67. Adrian Jackson

    @Tom Simnett

    /etc/init.d/irony-detector restart

  68. Anonymous Coward
    Anonymous Coward

    to the arrogant assholes

    To all these people claiming "protecting idiots from their own stupidity is counter-evolutionary" and "if you get caught by a phishing attack you deserve it". If you weren't so stupid and aggressive you'd know that phishing weakens the internet for everyone. It's infecting computers that are sending you spam or doing a denial-of-service attack on your website or the website you like to visit. It's making your bank lose money so they have to raise bank fees. It's meaning you have to go through ever more complex security checks before you can do anything on real websites. It's even making people too scared to use the internet, so if you run a business that depends on the internet it's affecting your livelihood. Unless you're a hacker or spammer or work in computer security, phishing is bad for you.

  69. Chris

    @ AC - "@ Chris"

    "interesting, I didn't know that since I delete all mail purporting to be from a bank without looking at the content because my bank only use postal mail, never email to contact customers."

    Yeah, I've not heard of a bank that would ever email, or phone, or even ask for you to write any of these details down and post them back. Even if they did have to ask you to change your password, they wouldn't post a link in the email, just tell you to go to the site yourself. As someone else mentioned though, this can be countered with using a trojan to put a link in the hosts file to a phishing site. The hosts file worries me a bit sometimes. I think IE (or any other browser that uses it) should have a warning icon somewhere if the current page has been redirected through it. Silent redirections are probably not the best idea, right up there with "Hide extensions for known file types".

    "Why not go one step further and let browsers block any URL where .com/.net/.org shows up further left than second last position. I can see no reason why legitimate websites would want to use .com/.net/.org in the middle of a URL, again, the only possible application here is fraud, so block them. And this should be turned ON by default."

    That sounds like a good idea really. As you say, the only point of doing this is to confuse or defraud.
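The hosts-file tampering that Chris and David Barr describe above can at least be detected after the fact. The following is an added example, not code from the thread or from any browser vendor: it parses hosts-file text and flags any entry that maps a watched domain (or a subdomain of it) to a non-loopback address. The sample hosts content, the `examplebank.example` domain and the 198.51.100.7 address are constructed for the example.

```python
import ipaddress

# Constructed sample of a hosts file. The last two lines are the shape of
# entry a trojan would add to point a bank's host name at a server it
# controls; the domain and addresses are placeholders, not real ones.
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.internal   # legitimate local override
198.51.100.7    www.examplebank.example
198.51.100.7    online.examplebank.example
"""

# Domains whose names should never be resolved by the local hosts file
# (constructed watch list for the example).
WATCHED_DOMAINS = ["examplebank.example"]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Comments (everything after '#') and blank lines are ignored; a line
    may list several host names for one address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower().rstrip(".")


def suspicious_hosts_entries(text, watched_domains):
    """Return entries that send a watched domain somewhere other than loopback.

    Loopback mappings (the usual 'localhost' lines, or a deliberate block of
    an ad server) are left alone; anything that redirects a watched domain
    or one of its subdomains to a routable address is reported.
    """
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            # malformed address field: not a redirection we can reason about
            continue
        if addr.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in watched_domains):
            hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print(f"hosts file redirects {name} to {ip}")
```

On a real system the text would come from `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows), and the watch list would hold the domains a user actually banks with. The check is deliberately narrow: a hosts file full of loopback entries is normal, so only routable overrides of watched names are reported.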

  70. Tony
    Dead Vulture

    Email spoofing & .net in URLs

    How would the proposed comparison work in HTML emails where there is text as the anchor?

    How would the URL blocking work with URLs like:

    http://bl114w.blu114.mail.live.com/mail/TodayLight.aspx?wa=wsignin1.0&n=654193389

    Where infrastructure requirements necessitate having additional delimiters in the address?

  71. Anonymous Coward
    Anonymous Coward

    @ David Barr

    "But when doing it by the internet doesn't work, you can bet that the fraudsters will start sending out headed letters saying to call this number to verify themselves or whatever."

    But that would be mail fraud which is an extremely severe crime in most countries, and the police are far less inclined to give up on solving the case. It's far less risky to commit internet fraud.

  72. blackworx

    @ Tony

    You don't need to work backwards. Parse the URL from the beginning to the TLD. If .com etc appear before the penultimate separator, you've got a bogey. Anything after the TLD is irrelevant to such a check.

  73. Anonymous Coward
    Anonymous Coward

    @ Tony

    "How would the URL blocking work with URLs like:

    http://bl114w.blu114.mail.live.com/mail/TodayLight.aspx?wa=wsignin1.0&n=654193389"

    This is a URL that actually goes to the live.com domain, it doesn't matter what is appended after the top level domain following a slash.

    The URLs which I argued should be blocked are such URLs where there is a .com further left than second last position of the fully qualified domain name, for example ...

    http://www.hsbc.com.031208712350917.cc/foo/bar/baz?boom

    because the TLD here is .cc but at a casual glance it looks confusingly as if it was hsbc.com because the .com part is further left than last or second last position in the domain.

    Some countries have .com under the country domain, for example Australia has .com.au, for this reason, .com/.net/.org could legitimately show up at second last position of the fully qualified domain name. However, if these show up any further to the left than that, it is either fraudulent or plain silliness.

    Come to think of it, the whole DNS scheme is upside down for human consumption, at least for the majority of people who read from left to right. Those of us who do read from left to right, we tend to get less attentive as the FQDN progresses from left to right. However, it is the rightmost part of the FQDN which carries most weight. It would have been better to design the DNS system left to right, that is the top level domain would have been better placed at the left, for example ...

    http://uk.co.theregister.www/foo/bar/baz

    This would have made it harder for crooks to make the domain look like something else since we'd spot the important part of the domain name right away, every single time without confusion simply because we read from left to right.

  74. Franklin

    @blackworx

    "You don't need to work backwards. Parse the URL from the beginning to the TLD. If .com etc appear before the penultimate separator, you've got a bogey. Anything after the TLD is irrelevant to such a check."

    Sorry, won't work. A lot of URLs have a ".com" before the TLD, particularly URLs leading to non-US sites. A few examples: www.thepeak.com.hk, yahoo.com.cn, harbourcity.com.hk, hotelopera.com.co, doctors.net.uk, and so on.

    Once again, the problem here is not technology, and no technological fix will cure it. I'm consistently surprised and disappointed by the number of folks who don't seem to realize that there is no software patch to fix human credulity. Internet scammers prey on ignorance of the basic structure of the Internet, and on human gullibility; neither ignorance nor gullibility will ever be fixed by a Web browser.

  75. blackworx

    @Franklin

    "Sorry, won't work. A lot of URLs have a ".com" before the TLD, particularly URLs leading to non-US sites. A few examples: www.thepeak.com.hk, yahoo.com.cn, harbourcity.com.hk, hotelopera.com.co, doctors.net.uk, and so on."

    If you read my comment a little closer, you'll find I took that into account. Plus in fact, all I was saying was that such a check /could/ be made to work regardless of extraneous delimiters /after/ the TLD, which was what Tony was querying, not that it would be a cure for anything. So sorry, but your assertion that it won't work, er, doesn't work.

  76. Anonymous Coward
    Anonymous Coward

    @ Franklin

    "Sorry, won't work. A lot of URLs have a ".com" before the TLD, particularly URLs leading to non-US sites. A few examples: www.thepeak.com.hk, yahoo.com.cn, harbourcity.com.hk, hotelopera.com.co, doctors.net.uk, and so on."

    You seem to suffer from reading comprehension deficit.

    The key phrase was FURTHER LEFT THAN SECOND LAST POSITION. Note, I put that in uppercase not as an expression of shouting, but in order to assist you spotting it this time. You do understand what "further left than" and "second last" means, don't you?! Just in case you don't understand the meaning let me explain it to you ...

    The examples you list would NOT be blocked because the .com/.net part is precisely at second last position in the respective FQDNs, it would have to be FURTHER LEFT than second last position in order to be blocked.

  77. blackworx

    @ Franklin, AC

    An ordinary .com address could, for example, be spoofed as .com.hk and not be captured by such a filter. The thing is: it would be much easier to tackle that particular kind of spoof since, instead of simply creating subdomains to imitate the TLD, our fraudster would actually have to register the complete fake domain.

    Since creating subdomains is much easier, I'll assume it's much more prolific; so whilst the filter wouldn't necessarily trap *ALL* TLD spoofing, it would certainly catch the majority.

    But the whole thing smacks of kludging the barn door after the horse has bolted. If the domain name system wasn't so illogical and US-centric, spoofing it wouldn't be nearly so easy.

  78. Anonymous Coward
    Anonymous Coward

    @ Franklin

    "An ordinary .com address could, for example, be spoofed as .com.hk and not be captured by such a filter."

    that wouldn't work with HSBC though because HSBC is actually headquartered in HK and they already own the hsbc.com.hk domain ;-)
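The label-position check argued over in comments 69, 72, 73, 76 and 77, written out as an added example (it is not code from any commenter or browser). It extracts the host name from the URL, which is why the long path and query string in Tony's live.com example are irrelevant, and flags a URL only when a `com`/`net`/`org` label sits further left than the second-last position, so the `.com.hk` and `.net.uk` cases stay allowed. The function names are my own; the sample URLs are the ones quoted in the thread plus a constructed `.com.hk` spoof to show the gap blackworx points out.

```python
from urllib.parse import urlsplit

# Labels that, when they appear left of the second-last position of the
# host name, suggest someone is dressing a host up as a .com/.net/.org site.
SUSPECT_LABELS = {"com", "net", "org"}


def host_labels(url):
    """Return the host name labels of a URL, left to right, lower-cased.

    Userinfo, port, path, query and fragment are discarded: only the
    fully qualified domain name takes part in the check. A bare host name
    without a scheme is accepted too.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    return [label for label in host.rstrip(".").split(".") if label]


def misplaced_tld_label(url):
    """True if a .com/.net/.org label appears further left than the
    second-last label of the host name.

    The last two labels are never considered, so real second-level
    registrations such as example.com.au or doctors.net.uk pass, while
    www.bank.com.<anything>.cc is reported.
    """
    labels = host_labels(url)
    return any(label in SUSPECT_LABELS for label in labels[:-2])


def classify(url):
    """Return a short verdict string for display or logging."""
    if misplaced_tld_label(url):
        return "suspect: .com/.net/.org label left of second-last position"
    return "ok"


if __name__ == "__main__":
    samples = [
        # quoted in the thread
        "http://bl114w.blu114.mail.live.com/mail/TodayLight.aspx?wa=wsignin1.0&n=654193389",
        "http://www.hsbc.com.031208712350917.cc/foo/bar/baz?boom",
        "www.thepeak.com.hk",
        "doctors.net.uk",
        # constructed: a registered look-alike under .hk is not caught,
        # which is the limitation comment 77 describes
        "http://examplebank.com.hk/login",
    ]
    for s in samples:
        print(f"{classify(s):<62} {s}")
```

The check is a cheap heuristic, not a phishing filter: as comment 77 notes, a look-alike registered directly under a country code (`something.com.hk`) is not a misplaced label and passes, and a host with no `com`/`net`/`org` label at all is never examined.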
