On 10/2/2019 3:27 PM, Peter Gutmann wrote:
> Ronald Crane via dev-security-policy <[email protected]>
> writes:
>> "Virtually impossible"? "Anyone"? Really? Those are big claims that need real
>> data.
> How many references to research papers would you like? Would a dozen do, or
> do you want two dozen?

One well-done paper would do.

>> I'm pretty sure I haven't been phished yet.
> How would you know?

Since most phishing appears to be financial, I would expect unauthorized
withdrawals from financial accounts, unauthorized credit card charges,
unordered packages showing up, dunning notices from the IRS because I
filed my tax returns with a phisher, etc. I haven't observed these
indicia of getting phished.

> And how does this help the other 7.53 billion people who
> will be targets for phishers?

Alas it doesn't. We do need better phishing prevention. Do you have a
suggestion?

>> In any case, have we ever really tried to teach users to use the correct
>> domain?
> Yes, we've tried that. And that. And that too. And the other thing. Yes,
> that too.
> None of them work.

Please cite the best study you know about on this topic (BTW, I am *not*
snidely implying that there isn't one).
-R