
How sound is Consumer Reports’ Safari advice?

Consumer Reports has published its annual State of the Net survey in the September issue of the consumer advocacy magazine. And an article accompanying the review of assorted online threats titled Seven Online Blunders offered this morsel as Blunder No. Five:

According to this year’s State of the Net survey, Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should.

What you can do: Until Apple beefs up Safari, use a browser with phishing protection, such as the latest version of Firefox or Opera. Also try a free anti-phishing toolbar such as McAfee Site Advisor or FirePhish.

That’s some pretty strong advice there, telling Mac users to switch away from Safari, the browser of choice on the Mac platform by a wide margin. (It mirrors similar advice offered by payment processor PayPal earlier this year.) But is it good advice?

In a macro sense, sure it is—it’s always good to use tools that offer the most protection for the user. So if you want to switch to Firefox or Opera, then by all means, go ahead.

But if you want to continue using Safari, I think that’s also a perfectly acceptable alternative—as long as you understand the risks, and take some simple steps to minimize those risks.

All about phishing

Just what are those risks? Phishing is, according to Wikipedia, “the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.” Putting a different name on it, phishing is lying, and typically this lying is done via e-mail or instant messaging. As an example, here’s an actual phishing e-mail I received this morning, though I’ve modified it enough to remove any phishing threats.

Dear Advertiser,

We were unable to process your payment. Your ads will be suspended soon unless we can process your payment. To prevent your ads from being suspended, please update your payment information.

Please sign in to your account at http://adwords.google.com/select/login, and update your payment information. We look forward to providing you with the most effective advertising available. Thank you for advertising with Google AdWords.

Now, this is a grossly oversimplified example, but on the original page, clicking that link would take you to Apple's website rather than to what the link text shows, Google's AdWords login page. That's because the visible text of a hyperlink can be anything you like and has no necessary relationship to its destination: in this case the text is the AdWords login URL, but the link's actual target (its href) is apple.com.

In the real phishing e-mail, the URL actually pointed to a site named to confuse the user: http://www.adwords.google.com.xxyyzz.cn/select/Login. Notice that although the first part of the URL looks correct, it ends in xxyyzz.cn, instead of google.com.

When looking at a URL, the part that tells you who owns it is the host name, the text between the scheme (http://) and the first slash after it, and within the host name the important bits are at the far right. Everything after that first slash is a path that the owner of the host can make look like anything at all. In this case the domain is "xxyyzz.cn", and "www.adwords.google.com" is merely a sub-domain that the owner of xxyyzz.cn controls and can name at will. So one key anti-phishing tip is to read the host name from right to left to determine ownership. If the right-hand side of the host name isn't what you expect it to be, then you're not on the page you think you're on!

If you were to load the above phishing page—though I’ve altered the URL to prevent you from doing that—you would find that the details it asks for could include things such as your name, social security number, credit card number and expiration date, and even potentially your bank account and bank routing number.

And this is where you should use the best anti-phishing tool available, one that's accessible to everyone regardless of what browser they use: let common sense be your guide. If you ever wind up on a website page that asks for such highly confidential information without requiring you to first login, do not provide it! Any legitimate site that needs this information will only request it after you have logged in, not before!

So how do you avoid getting sucked in by a phishing scam? According to Consumer Reports, the best way to avoid them is to use a browser with anti-phishing protection built right in. However, this is far from an ideal solution, because the criminal element is large, and it moves very quickly. Given that criminals, too, can run Firefox and Opera, clearly they’ll know as soon as one of their phishing sites is blocked by those browsers’ built-in tools. So what do the criminals do? Quickly create another site, of course, and link to that in their current round of phishing e-mails.

The anti-phishing tools in Firefox and Opera will spot this new page, probably sooner rather than later. Until they do, though, those using Firefox and Opera may be more susceptible to a phishing attack than those using Safari, due to a false sense of security. “Firefox didn’t flag this link, so it must be OK to use.” That’s a very dangerous mindset to have, and I suggest you avoid having such thoughts, even if you are using Firefox or Opera.

How to avoid phishing scams

So what’s the best way to avoid phishing scams? Don’t even take the first step of clicking the link in the e-mail or message you receive. While that may sound difficult, it’s really incredibly easy—and by doing so, you’ll be protected from the vast majority of phishing scams, regardless of which browser you choose to use. Here are my three rules for working with links in e-mails or chat messages:

  1. Only click on links from known, trusted sources—family, good friends, business associates, and so forth. If you get an unsolicited message, don’t click on any of the links in it until you can confirm that they go where they say they go. And how can you do that? In both iChat and Mail, if you simply hover the mouse pointer over a link, the programs will show you the destination URL for the link:

    In the Mail example, the pop-up URL differs from that shown in the e-mail text; in the iChat example, the two URLs agree. If you see a disagreement between these two values, that’s a tip-off that you should pay more attention to the URL. The cause may be benign—as when I link to Mac OS X Hints, for instance—or it may be a sign that a phisher is trying to fool you. Of course, it’s possible that the URLs agree and it’s still a phishing attempt. If the URL isn’t one you recognize, and the source of the message is unknown, then the best course of action is to simply not click on it at all. If you do choose to click on it, though, use rule No. 3 below before providing any information that may be requested on the linked page!

  2. Work with certain websites only directly from those websites. If you get an e-mail purporting to be from Bank of America, asking you some account questions, the best course of action is to load Bank of America’s site in your browser directly (type the address or use your own bookmark, not a link from the message), and then log in to your account. Anything they want you to do will be flagged when you log in; no reputable party that I’m aware of relies solely on e-mail to communicate key required customer actions. So if PayPal, eBay, Amazon, your bank, your brokerage, or any similar entity is e-mailing you to take action, start that action by first logging into their site directly.

    If you do get legitimate e-mails from such institutions, and would like to start by clicking links in such messages in Mail, then I recommend you use Mail’s rules to flag those messages—set up a rule to color them bright yellow, for instance, based on the sender matching the expected sending account, and possibly using some element of the body that’s always there (a signature or tag line) as an additional matching criterion. Then, if you ever do receive a phishing scam against that institution, you’ll be able to tell because the message won’t be bright yellow. Bear in mind, though, that the sender address in a message header is trivial to forge, so a rule keyed on the sender alone will also color a well-crafted fake; the body-text criterion narrows that down, but the coloring is a convenience, not a guarantee, and rule No. 2 still applies to yellow messages.

  3. Use your common sense. If you do happen to click a link and wind up on a site that you suspect may not be on the up and up, trust your instincts, as they’re probably correct. Look at the type of questions being asked (remembering that you didn’t have to log in anywhere to see this page). Look at the grammar and spelling. And really, if you have any doubts at all, close the browser window, open a new one, load the site directly, log in, and see if you have any messages asking for action on your part. If all else fails, pick up the phone (remember those?) and call the vendor directly, using a number from your statement or card rather than one printed in the message.
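Here is the hover check of rule No. 1 and the right-to-left domain reading from the "All about phishing" section above turned into a small script. It is added here as an example for this article; it is not code from Apple's Mail or iChat, nor from Consumer Reports or any tool the article mentions. It parses the links out of a constructed HTML message modelled on the AdWords lure quoted above, extracts the owning domain from both the displayed link text and the real destination, and reports any disagreement. The message, the host xxyyzz.cn and every link pairing in it are made up for the demonstration, and the two-label rule for the owning domain is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the AdWords lure quoted in the article.
# Every host, href and link text here is hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Dear Advertiser,</p>
<p>We were unable to process your payment. Please sign in at
<a href="http://www.adwords.google.com.xxyyzz.cn/select/Login">http://adwords.google.com/select/login</a>
and update your payment information.</p>
<p>Alternate link:
<a href="http://adwords.google.com@xxyyzz.cn/select/Login">http://adwords.google.com/select/login</a></p>
<p>Genuine link:
<a href="https://adwords.google.com/select/login">http://adwords.google.com/select/login</a></p>
<p>Decoy text:
<a href="http://www.apple.com/">http://adwords.google.com/select/login</a></p>
<p>Descriptive text:
<a href="http://www.macosxhints.com/">Mac OS X Hints</a></p>
"""

# Link text that itself looks like a URL (with or without a scheme) makes a
# claim about where the link goes, and that claim is what we can check.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/:?#]\S*)?$")


def owner_domain(url):
    """Return the part of a URL that says who owns it: the last two labels of
    the host name, read right to left.

    'www.adwords.google.com.xxyyzz.cn' belongs to xxyyzz.cn, not google.com.
    urlparse().hostname drops the scheme, any user@ prefix, the port and the
    path, so 'http://adwords.google.com@xxyyzz.cn/' also yields xxyyzz.cn.
    Simplification: two labels is wrong for suffixes such as .co.uk; a real
    checker would consult the Public Suffix List instead.
    """
    if "://" not in url:
        url = "http://" + url  # urlparse only recognises a host after a scheme
    host = urlparse(url).hostname
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the destination that the mouse-over
    tooltip in Mail or iChat reveals, next to what the message displays."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Apply rule No. 1 mechanically to every link in an HTML message.

    Returns one dict per link with the displayed text, the real href, the
    owning domain of each, and a verdict: 'ok' when both agree, 'mismatch'
    when the text names one owner and the href another, or 'opaque' when the
    text is not a URL and so makes no claim that can be checked automatically.
    """
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    report = []
    for href, text in parser.links:
        target = owner_domain(href)
        shown = owner_domain(text) if URL_LIKE_TEXT.match(text) else None
        if shown is None:
            verdict = "opaque"
        elif shown == target:
            verdict = "ok"
        else:
            verdict = "mismatch"
        report.append({"text": text, "href": href, "shown": shown,
                       "target": target, "verdict": verdict})
    return report


if __name__ == "__main__":
    for link in check_links(SAMPLE_EMAIL_HTML):
        print(f"{link['verdict']:8} shown={link['shown']} target={link['target']}  {link['href']}")
```

Run with python3 and it prints one verdict per link: the sub-domain lure, the user@host decoy and the apple.com link are all flagged as mismatches, the genuine AdWords link passes, and the "Mac OS X Hints" link is reported as opaque because descriptive text makes no checkable claim, which is exactly the case where you fall back to reading the tooltip yourself. The `hostname` property of `urlparse` is doing the right-to-left work: it discards the scheme, any `user@` prefix, the port and the path before the last two labels are taken.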

Conclusion

Should Safari have anti-phishing features? Sure, it should. Should you stop using it today because it doesn’t? Not at all—as long as you’re willing to exercise “safe clicking” practices. Even if you use an anti-phishing browser, however, these practices are recommended—there’s just no way any one browser can keep up with the scope of malicious activity out there on the web. So regardless of browser choice, you’ll be much safer and happier if you exercise safe browsing techniques.

