There still remains the issue that you can provide a good visual
approximation to any peace of software just by using JavaScript and
HTML.  I fear that too many users would fall for that. 8-(

We think that the trusted credenatials and logo area will provide some protection against this as well,
since you get very clear indication of running an insecure site (see screen shots)... of course I agree with you that we should validate this intuition with user studies (and I'm trying to arrange these).

In considering such solutions, it is important to distinguish threat
models.  Phishing is so harmful because it succeeds without even breaking
in to users' computers.

But is it so harmful? How much money is lost in a typical phishing
attack against a large US bank, or PayPal?

The Gartner study I've cited in my paper (off my homepage), and some other publications I've seen, claim very high actual damages.
Best regards,

Amir Herzberg
Associate Professor, Computer Science Dept., Bar Ilan University (information and lectures in cryptography & security)
fn:Amir  Herzberg
org:Bar Ilan University;Computer Science
adr:;;;Ramat Gan ;;52900;Israel
email;internet:[EMAIL PROTECTED]
title:Associate Professor

Reply via email to