Security/identity · 7 Jan 2009

Too many phish in the sea — all puny?

I’m blown away by this Microsoft Research paper, A Profitless Endeavor: Phishing as Tragedy of the Commons, discussed in the article There is No Money in Phishing (But It Still Won’t Go Away).

It’s a hugely contrarian viewpoint, but it’s strongly argued, and it also passes the smell test as far as I’m concerned. I’ve always wondered how much phishing really goes on, and how much it really pays off, compared to the estimates. I recall some news reports in the past year showing the numbers for identity theft finally dropping; the authors point out that some of this could be due to new, more accurate methodologies rather than to less phishing activity.

The authors self-referentially make the case that simply publishing accurate data about how much (or little) money there is in phishing could convince some would-be bad guys not to start. What other implications of this research might there be?

Does this outlook breathe new life into passwords as an authentication mechanism (not that they seemed to be going away), perhaps combined with mutual authentication techniques that are already pretty popular and easy to implement? The paper points out that real losses are smaller than individual users’ perceptions of them, because of the recovery efforts undertaken by the website owners. Do enterprises still have to spend so much on recovery and mitigation that their incentive to look for more phishing-resistant technologies remains high?