One of the many new security features introduced with Microsoft’s new Internet Explorer 7 web browser is the Anti-Phishing Filter. This will be a welcome security addition for most users, as phishers are targeting more and more people, trying to lure them into giving up their passwords, account details and credit card numbers.
How well does the Anti-Phishing Filter in the second beta of IE7 work, though?
Armed with a recent emailed phish for Kiwibank, I took on the role of a hapless user waiting to be hooked. IE7 beta 2 ran on Windows XP with all updates and default security settings, and the Anti-Phishing Filter was set to automatically check websites.
Windows Live Mail didn’t like the message, and disabled images and links in it to prevent me from harming myself.
That’s excellent but, for the sake of the test, I turned off Live Mail’s security measures so I could click through to the site, which bore all the hallmarks of a phishing site. The URL is different from the expected www.kiwibank.co.nz, it isn’t secured with HTTPS, and the CAPTCHA characters meant to prevent scripted logins never changed.
Despite all the clear indications that it was a bogus site, IE7’s Anti-Phishing Filter didn’t bat an eyelid. I asked the phishing filter to check it manually but, again, IE7 said all was well.
Testing with just one phishing message is, naturally, not a conclusive test of the phishing filter’s capabilities. However, the dialog box unequivocally states, “This website is not a suspicious or reported phishing website”. In other words, Microsoft and IE7 have just told you the website is fine. I expect that some less experienced users would trust such a statement.
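The distinction the article draws here, between “not on a reported list” and “verified safe”, can be made explicit in code. The following is an added example, not code from the article or from Microsoft: a small, constructed URL assessor that combines the indicators noted above (unexpected host, no HTTPS, brand name inside a foreign domain) with a hypothetical known-good list and a hypothetical reported-phishing list, and returns a three-way verdict so that an unknown site is never reported to the user as fine.

```python
from urllib.parse import urlsplit

# Constructed lists for the example; a real filter would use a maintained feed.
KNOWN_GOOD_HOSTS = {"www.kiwibank.co.nz", "kiwibank.co.nz"}
REPORTED_PHISHING_HOSTS = {"kiwibank-login.example.net"}  # hypothetical entry


def host_matches(host, good):
    """True if host is the known-good host or a subdomain of it."""
    return host == good or host.endswith("." + good)


def assess_url(url, known_good=KNOWN_GOOD_HOSTS, reported=REPORTED_PHISHING_HOSTS):
    """Return (verdict, reasons); verdict is 'safe', 'phishing' or 'unknown'.

    'unknown' is the honest answer for anything that is neither on the
    reported list nor a verified known-good origin over HTTPS.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in reported:
        return "phishing", ["host is on the reported-phishing list"]
    is_known = any(host_matches(host, g) for g in known_good)
    if parts.scheme == "https" and is_known:
        return "safe", []
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    if not is_known:
        reasons.append(f"host {host!r} is not a known-good host")
        brands = {g.split(".")[0] for g in known_good if g.split(".")[0] != "www"}
        if any(b in host for b in brands):
            reasons.append("host contains the brand name but is not the brand's domain")
    return "unknown", reasons


def message_for(verdict):
    """User-facing wording: the unknown case must not read as a clean bill of health."""
    return {
        "safe": "Verified: this website matches a known-good address over HTTPS.",
        "phishing": "Warning: this website has been reported as a phishing website.",
        "unknown": "Not verified: this website is not on the reported list, "
                   "but it has not been checked. Treat it with caution.",
    }[verdict]


if __name__ == "__main__":
    for u in ("https://www.kiwibank.co.nz/", "http://kiwibank.co.nz.example.com/login",
              "https://kiwibank-login.example.net/"):
        v, why = assess_url(u)
        print(u, "->", v, why, "|", message_for(v))
```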
As IE7 didn’t recognise it, I decided to do the right thing and report the phishing website. You can do this straight from the Phishing Filter “Report This Website” item in the Tools menu on IE7.
It’s a straightforward webform, where the URL for the website you want to report is visible. Users are asked to confirm the language of the site and tick a box that indicates they believe it’s a phishing site. Then you press a Submit button and are presented with a rather elaborate CAPTCHA:
Many users will stumble on this page, as the CAPTCHA is too hard to read. If you nevertheless decipher the CAPTCHA characters and enter them correctly to complete the report, the confirmation page reads:
That’s it — no indication as to what happens next. How long before the site is checked? Microsoft doesn’t give any estimate on this.
Furthermore, there’s no way to locally mark phishing sites as such, which is a real miss. Checking the site again manually brings up the same dialog box stating that it’s not a phishing site.
This is poor user-interface design that confuses users and, possibly, leads them to take dangerous actions.
Microsoft New Zealand’s chief technology officer, Brett Roberts, had a look at the issues encountered and agreed that Computerworld’s testing raised some valid points.
Roberts forwarded the results to Redmond and says Microsoft has taken the feedback on board. The IE7 Anti-Phishing Feature team will make changes to the dialog box and the final web form, Roberts says, to make it clearer to users what is actually happening.