Watered Down Phishing Protection In IPhone OS 3.1?

CrazyCanucklehead writes "Security Researcher Michael Sutton discusses his findings when looking at the advertised anti-phishing features in the recently released iPhone OS 3.1. It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all."

Far Less than OS X

[neonprimetime]

It turns out that the protection is far less than what is provided in OS X and the feature may not provide any protection at all.

the iphone in general contains far less than what is provided in OS X so this doesn't come as a surprise to me.

now, whether or not iphone 3.1 phishing protection is a big oversite on apple's part is another discussion and a worthy one at that

Re:

[Anonymous Coward]

It's spelled oversight [merriam-webster.com].

Re:

[contrapunctus]

but it's about web sites, you see over sites: oversite.

Re:

[david_thornley]

Nonsense? An intensive purpose is one that's clearly focused. Doing something with the aim of getting to a particular movie theater is an intensive purpose. Doing something with the aim of promoting world peace is not. Now, it seems to me that one intensive purpose is unlikely to have much to do with another one, and so there really wouldn't be many things to generalize over them, but other people seem to disagree.

Re:Far Less than OS X

[Hurricane78]

the iphone in general contains far less than what is provided in a real smartphone so this doesn't come as a surprise to me.

There, fixed that for ya!

*ducks*

Re:

[Anonymous Coward]

Yah, cause after all my BlackBerry Curve had anti-phishing... wait no it didn't... and that windows mobile phone work gave me had... wait no it didn't... granted both had such awful browsers I don't think many people even used them. Either way it's really popular to rag on Apple for things not being entirely perfect. Fact is I'm more excited about the loads of other things that came with 3.0 and less worried about perhaps a less than great anti-phishing black list. Besides I think you've gotta be pretty

Re:

[Monkeedude1212]

The difference between Windows Mobile not having phishing filters and the IPhone not having phishing filters is that Windows Mobile never at any point gave you an illusion of protection.

If you haven't been trained on basic internet usage - its VERY easy to fall for phishing attempts. We've been browsing the net for years now, and all it takes is someone who says "You can pay your bills online" for someone to try and google how to do it on their own and then fall into a trap.

I'd say Cross Server Scripting ha

Re:

[MMC Monster]

Also, no one in their right mind uses Windows Mobile to browse the internet. :-)

Seriously, though, given the percentage of iPhone users that actually use Mobile Safari (much higher than any other single mobile device), they really should get phishing protection like a desktop. Wasn't there a /. article a while back about people using iPhones as their only computer?

Re:

[Hurricane78]

What's a BlackBerry? What's a Windows Mobile phone?

No, I know what they are. But why bring out the obscure ones?

Oh, I know, because on my Symbian phone, I can "install and tweak whatever I want"(TM), including anti-phishing stuff. :)
(Hmm, I think that's even possible on those two systems above.)

Re:

[Minion of Eris]

try standby mode instead of lock (it's the little button up on top of the 'phone).

Re:

[indiechild]

Elaborate?

Re:

[InsertWittyNameHere]

To be fair, do any phones offer anti-phishing on the device?

Re:

[Jurily]

To be fair, do any phones offer anti-phishing on the device?

Do users of any other phone need it?

Re:

[Tom]

> To be fair, do any phones offer anti-phishing on the device?
>
> Do users of any other phone need it?

Only the part that constantly brags about how their smartphone of choice has this one important feature that the iPhone doesn't, and therefore it is superior in every way.

Re:

[MobileTatsu-NJG]

To be fair, do any phones offer anti-phishing on the device?

Do users of any other phone need it?

Oh, come on. Web browsing on other phones isn't that bad.

Re:

[david_thornley]

Most phones either don't provide a web browser, or provide one so painful that nobody's going to use it long enough to get phished. With that protection, who needs specific anti-phishing measures?

Re:

[Minion of Eris]

If your BlackBerry Smart phone is connected to a BlackBerry Enterprise Server, and you use the BlackBerry Browser (as opposed to Internet Browser or whichever browser your carrier supplies in their software package), then all off your requests pass through the server, instead of "directly" to the 'net over your carrier - as a result, you share whatever filters/protections IT has put in place on the server. If you are BES connected, then you get whatever spam/phishing protection is enabled in your email cli

Re:

[AnalPerfume]

You're missing the point, it's shiny, and Steve has given it the stamp of cool and he's the only person on the planet officially allowed to do that, so he should know cool when he sees it. That should be enough for you. Or are you a commie? /sarcasm.

Slight catch in that last sentence

[The Ancients]

FTA:

If you work for Apple, please comment on why you went with watered down phishing protection on the iPhone.

If anyone from Apple does comment, we'll not know for sure as they'll not be able to identify themselves sufficiently. As such, everything we do see will just be guesses. Some may make sense and quite probably be right, but who knows...

I've got built-in phishing protection.

[jtownatpunk.net]

It works really well. If I don't know how I got to a site, I don't enter my banking information. Simple. It's amazing how well that works. If I get an email from "my bank" asking me to click on a link to verify something, I don't click on the link. If I think that it has the slightest chance of being legit, I'll open a web browser and type my bank's URL in by hand and log into my account. If the original email was legit, I'll be prompted to do whatever it is they need. If I get an email asking me to reply with my username and password, I know it's a scam. How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Re:

[pak9rabid]

Seconded (only because I don't have mod points at the moment)

Re:I've got built-in phishing protection.

[bFusion]

If you invent anti-stupid technology, I'm sure you'd be a near instant millionaire.

Re:I've got built-in phishing protection.

[sakdoctor]

My Nigerian company, in a Joint venture with a Russian company, actually sells an anti-stupid product.
It really works, and it's available to buy TODAY!

http://shop1337.youscam.ru/darwin/get_smart_stupid [youscam.ru]

Re:

[greyline]

I think so many people tried to visit your site, it went down. Can I just post my information here for your product?

Re:

[sbeckstead]

Please do, we'll contact you when the product ships!

Re:

[amoeba1911]

Sign me up too please! Here's my name, address, birthday, social security number, bank account and routing number, credit card number.



Thanks!

Re:

[davidshewitt]

In Soviet Russia, our anti-stupid product sells YOU!

Re:

[amoeba1911]

The day you invent anti-stupid technology, the stupid will get stupider.

Re:I've got built-in phishing protection.

[stokessd]

It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

The problem is that the API for "people" is really old, and many of the functions appear to be deprecated (see driving a non-syncromesh manual transmission, hunting, fabricating arrow points, etc). It's much easier to foam rubber coat the world, than to try to make "people" smarter (See modern playgrounds for freshly instantiated "people").

Sheldon

Re:

[Nadaka]

Hey... I still drive a manual (though admittedly it is syncromesh), I still hunt, I still fabricate arrow heads. These are largely relegated to hobbies, but some people really do still do these things.

Re:

[Gulthek]

Speaking as a parent of a toddler: modern playgrounds are AWESOME. At a nearby park there is a frikin' 3 story spiral tunnel slide! A ladder that leads to a rock wall about 5' up that kids can climb along then drop down (yes, drop) onto a big flat slide. An obstacle course of monkey bars that go UP from about 6' to 8' then end at a raised platform on a sprawling playset.

All in all, playgrounds seem far more dangerous (and awesome) than the tiny slides and see-saws I played on as a kid. I'm actually pretty j

Re:

[jargon82]

Having kids is really just an excuse to keep playing with their toys, at least for men.

Re:

[KingPin27]

Having kids is really just an excuse to keep playing with their toys, at least for men.

Unless all you have are girls then all you do is spend most of your time with them undressing and re-dressing various assortments of barbies..... Ugh!

Re:

[Gulthek]

Oh also, manual transmission FTW. My wife has actually never owned a car that was anything else.

Re:

[geekboy642]

I wish I could afford an automatic transmission. Sure, there's something to be said for a proper gearshift, but after a decade of stop-and-go driving in the city, I'm ready to not use a clutch anymore.

Re:

[mcgrew]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

You can make people less ignorant, but there is no way to make them less stupid.

Re:

[MobileTatsu-NJG]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

You can make people less ignorant, but there is no way to make them less stupid.

You know, it's funny, chicks look at our fashion sense the same way we look at their understanding of the internet.

Re:

[mcgrew]

I don't know, there are a few women I know that know more about the internet than some slashdotters, and other women who have less fashion sense than me (and I wear pretty much the same kind of clothes I wore decades ago).

To me, fashion=stupid.

Re:

[MobileTatsu-NJG]

To me, fashion=stupid.

Right. So would it be fair for me to say you're not beating the hotties off with a stick?

No offense intended, I didn't mean that as an attack. Frankly, I'm not one to talk. My point is that we, as geeks/nerds think other people are stupid, yet other people think we are stupid.

I have a feeling that example isn't going to go over to well so I'll use another. There are peeps out there that would think *I* am stupid because I don't know how to change the oil in m car. I could retort that I think those peop

Re:

[mcgrew]

Actually, the "out of fashion" thing works for me. Women want the "bad boys" because they have a need to change them, and you don't have to be a true "bad boy" for the effect to work. The first thing a woman does after she gets her hands on me is try and get me to get rid of the sweater.

And I don't think I've ever seduced a woman. I suck at it, but some do come on to me. Unfortunately, some gay men do, too. [slashdot.org]

As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil

Re:

[MobileTatsu-NJG]

As to changing the car's oil, that's not stupidity, it's ignorance. You could learn to change the oil in your car, a truly stupid person couldn't.

This is ultimately the point I was trying to make. We agree, man.

Have a good day.

Re:

[sbeckstead]

Seconded!

Re:

[starglider29a]

This problem is self limiting... People who are stupid enough to fall for a phishing scam will have their finances and credit pwned so badly that they won't be able to GET an iPhone.

Though maybe people would be less susceptible if they didn't think that their browser/OS/phone was idiot-proof. Maybe the best phishing protection is to declare that there isn't any phishing protection. Motorcyclist drive more carefully than people in air-bagged cars.

Re:

[goldmaneye]

I disagree that no protection is the best protection. Plenty of people make simple typing errors all the time when they go looking for a website. Bank0fAmerica (it's a zero; could you tell?) looks an awful lot like BankOfAmerica. As phishing attacks get more and more sophisticated, eliminating any kind of protection makes less and less sense; even smart people can get taken in by an expertly-executed phishing attack that uses a URL that very closely mimics the correct URL and a website that looks nearly ide

Re:

[johndiii]

I agree with your point about no protection not being the best protection, but I don't think that the statistics that you cite demonstrate the point that you are trying to make. The notion that motorcycle crashes in general have a greater incidence of fatality means that behavior that causes crashes will correlate better with motorcycle fatalities than with passenger vehicle fatalities.

A more meaningful number would be something like the number of crashes per vehicle mile. Or perhaps the number of injury-

Re:

[starglider29a]

In a fatal collision...

Ah, but what about the collisions that never happened? That's the point. A rider without the protection of a cage will driver gingerly and NOT GET into a fatal collision. Whereas, a driver who knows that their airbag will deploy will drive less carefully than a car without airbags.

But, says Steven Peterson, professor of economics at Virginia Commonwealth University, "An airbag allows me to drive more aggressively but not face any more risk [reason.com]." In fact, drivers of airbag-equipped cars get into and cause more accidents, negating the safety benefits for drivers and increasing the risk to others.

And here's a stat you won't find... Bikers with NO helmet, NO leather will drive VERY carefully. NOT relying on airbag or even traffic laws to protect them.

The person surfing the web should be babysitting their OWN stuff becau

Re:I've got built-in phishing protection.

[Tom]

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

Rational analysis tells me that's the wrong approach. Inventing a 100% reliable anti-phishing technology is considerably easier than making people less stupid.

Re:

[Anonymous Coward]

You think making people less stupid is easier??

Please excuse me while I clean up the drink I just snarfed all over my laptop!

Re:

[Tweenk]

we should make people less stupid.

Unfortunately that is a physical impossibility, so your plan fails.
Moreover the wide access to technology depends on it being accessible to stupid people - otherwise they wouldn't buy them and the technology companies would fold. There is just no solution to this problem: idiots will always get their computers hacked, fall for scams, get their credit cards stolen etc. no matter how secure we make them. The only way to cope with this is to minimize the effects they can have on other people.

Re:I've got built-in phishing protection.

[cadeon]

we should make people less stupid.

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) demographic

approach to fighting phishing. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Phishers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(X) It is defenseless against brute force attacks
(X) It will stop phishing for two weeks and then we'll be stuck with it
(X) Users don't want to be educated
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from phishers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for information
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of phishing
( ) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
(X) Accessibility
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
( ) Sending email should be free
(X) Why should we have to trust you and your information?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(X) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
(X) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:

[intheshelter]

I've got no mod points right now, but I have to say your reply was kind of dumb. I think you might fall under the stupid demographic for actually dissecting his tongue in cheek idea.

Re:

[Anonymous Coward]

You Can't Fix Stupid - Ron White

Re:

[jellomizer]

Until you make a type and misspell your banks website domain name. (or are you stupid enough to have a nice bookmark wide open for anyone to click on to see who you bank with) then you go to a site that look just like your bank. Heck it may even have a valid security certificate, and you just got fished.

So you know how you got onto you site. However you a simple mistake... To bad you didn't have a Phishing protection to tell you that you went somewhere wrong.

It is not that people are stupid. But they let

Re:

[0110011001110101]

hahah silly man. I have 9 different banks bookmarked in my browser to fool people who break into my house, log into my computer and scan my favorites to see where I bank. There are like "beyotch why steal your tv when i can find out where you bank boooyyyy!". But then they see my 9 bookmarks, and they are like.. oh f#*$ this guy is smart, but still they start clicking. At some point they will click on my wachovia link (most robbers bank with wachovia) and decide they need to check their account balance.

Re:

[mehrotra.akash]

I dont think that the iPhone is targeted to people who actually know how to protect themselves, many of them would be using blackberries/nokia E/WinMo series or other business focused handsets as their primary phone and the iPhone as a secondary media device.

"Instead of putting all this effort into anti-phishing technology, we should make people less stupid."
then only those who want a media player would want iPhones

Note: all my comments are based on the original unjailbroken iPhone, have not encountered a n

Re:

[Dishevel]

How could anyone NOT know that's a scam? It's not frickin' rocket science.

Instead of putting all this effort into anti-phishing technology, we should make people less stupid.

As a rule in advanced societies people get more stupid and less able.

I RTFA

[mcgrew]

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

Re:

[Webcommando]

That's troubling. Phishing protection that doesn't work is more dangerous than no protection at all. At least if you know you have no protection you'll be more careful.

I know where people are coming from on this but it is a first pass at a new capability. Should they used the same mechanism as Safari on OSX (i.e. Google database)? Maybe, but perhaps there is a reason why that wasn't appropriate.* Perhaps there was a specific challenge they hadn't resolved for 3.1

I think it is encouraging that they made an attempt and expect to see some improvements as the engineering team gets real world feedback on the feature. Regardless, I don't think I normally go to sites on my

Re:

[Bill, Shooter of Bul]

Phishing sites come into existence so fast, that I really wonder how much use any phishing filter is. But any protection is better than none, though I'd recommend not trumpeting it too loudly for the exact same reason you gave.

Re:

[jtownatpunk.net]

If people were smart enough to "be more careful", they wouldn't need phishing protection in the first place. :)

Doesn't matter anyway

[ironicsky]

It doesn't matter how many bells and whistles, security and user protection systems you put on a device. A dumb user is still a dumb user. Look at your typical computer user. Even though they are using the latest A/V software, their ISP scans for email viruses and spam, they are using Firefox which has anti-phishing protection, a firewall program or a router with SPI, and malware protection software they still manage to blow their computer out of the water on a regular basis requiring tech support to fix it

You bought an iPhone...

[f0rk]

... you're already fished.

Latency

[topham]

Latency is the likely reason to not go with the Google lookup method.

Besides, don't know about you, but I'd prefer that not all my browser habits be logged to the government.

Re:

[AnalPerfume]

I wasn't aware Google = Government, with a few exceptions like China. Any closed source application can be tracking you and you'd never know. Chances are Apple are doing the same in all sorts of ways, for the same reasons Google do....targeted advertising. They want to know more about you so they can put an advert up which is more likely to appeal to your wallet opening tendencies.

At least with Google you don't need to use Google apps to access the services, you can use open or closed source third party app

Re:

[mehrotra.akash]

actually, google would make a great government and in reality might just get big enough to start buying small countries at first and then slowly expand and become the world government

just imagine, if i wanted to go from point A to B anywhere in the world, i could easily look it up on google as, google being the world government would have all the information necessary, and no passports/restrictions/different currency conversions,etc would be required

even better, they might just be able to plan your life, ju

Re:

[dhaines]

You are not stuck with Apple's browser on the iPhone. A casual search turned up 15 web browser apps before I stopped counting.

I'd provide links, but someone might be tracking.

But...but...

[dreamchaser]

But it's Apple! I thought everything from Apple was considered magically delicious here. Now I'm confused :(

Let me Blow your mind.

[k_187]

Anything from Apple is considered magically delicious and explicitly loathed here.

Re:

[Monkeedude1212]

No, you're thinking of ONE product from GENERAL MILLS.

Snap judgements

[93 Escort Wagon]

Given that the iPhone OS 3.1 was just released yesterday, I've got to wonder just how thoroughly this blogger investigated anything.

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

Sigh... I'll be so happy when blogs die their already-overdue natural death.

Re:Snap judgements

[Monkeedude1212]

He went to the popular testing site Phishtank and tried the phone out against a bunch of different phishing attempts. He says not one was blocked.

Re:

[amicusNYCL]

Note that doesn't mean I think the features in question are good or bad - but really, I'm not going to put much stock into anything anyone wrote up after at most a few minutes of use.

His central point was that he couldn't find a single site that was flagged as a phishing site. He even bolded that for you. If you can disprove that, go ahead and post a comment to his blog, he doesn't have any comments yet of people offering sites that do actually get flagged.

Re:

[johndiii]

He's not just a "security researcher" - he's an official blogger for Zscaler, a "cloud security" vendor. Essentially, they seem to provide security-checking proxies. My take is that he would have a vested interest in portraying the iPhone (or any platform not protected by Zscaler) as insecure.

The PhishTank list has 2279 entries. I'd be interested to know how many he tried, and which ones.

He didn't do his research.

[nneonneo]

I followed the same steps as outlined in TFA: download the verified online [phishtank.com] phishing list, pick a few URLs and load each into MobileSafari.

The very first one on the list, citibanking.ru, was blocked by both Firefox and MobileSafari. Since it was at the top, I thought that perhaps it was too recent (reported Sept 10, 2009), so I went down the list a bit, and got colorear.org/ray/, also blocked on Firefox and MobileSafari (reported Aug 26, 2009). guildoftibia.w.interia.pl was also blocked on both (reported July 28, 2009). I also found a few that were blocked on neither, but none that were blocked only on one and not the other, suggesting that MobileSafari uses Google's list (further reinforced by the fact that the "about" link takes you to a help page on Google [google.com].

So, I call sloppy research on the part of this security researcher (who writes "In fact, I have yet to identify a single phishing page blocked on the iPhone", emphasis his), since I was quite easily able to find several pages which were blocked.

Re:

[nneonneo]

For those of you who are curious and have never seen the phishing warning, here it is [imageshack.us] (two images were combined to show the full height of the message).

Re:

[teshuvah]

I have a 32GB iPhone 3GS phone, and I just put http://citibanking.ru/ [citibanking.ru] into MobileSafari and the webpage loaded. I did not get the phishing warning or anything. Something is very inconsistent here if it works for some and not for others.

Re:

[nneonneo]

Is it running iPhone OS 3.1, and is the Fraud Warning option enabled under Settings->Safari?

Re:

[teshuvah]

Yes, forgot to mention I am running iPhone OS 3.1. And yes, fraud warning is turned on in settings. What model of iphone do you have? how are you connecting - wireless or 3G/edge?

Re:

[nneonneo]

iPod touch, first generation, firmware 3.1.1 (released yesterday), WiFi.

Re:

[teshuvah]

3.1.1? I only have 3.1 and it says I am up to date. Maybe this is a bug in 3.1 for the iPhone but it works for the iPod touch 3.1.1?

Re:

[nneonneo]

It's basically the same version, but the iPhone edition is labeled 3.1, while the iPod edition is 3.1.1. I don't think there's a major difference in the actual software.

Still, it's quite curious that it works for me but not for you. This would explain Michael's more recent observations [zscaler.com].

Phishing vs. blacklists vs. whitelists

[Animats]

The trouble with phishing blacklists is that if you take a hard enough line to make them work, there's collateral damage. Blacklisting by URL is useless; most attackers with a clue use a different URL in each email. Even blacklisting by full domain is no longer enough; many attackers use a bogus subdomain for each phishing e-mail.

If you take a hard line and blacklist at the second-level domain, blacklists are more effective. We measure the collateral damage of doing that. We (as SiteTruth) maintain an