Computer Crime Research Center


Phishing experiments hook net users

Date: November 10, 2005
Source: PR Newswire

BEDFORD, Mass., Nov. 7 /PRNewswire/ -- How likely are you to be wooed into
a false sense of security by a friendly face or the promise of a cash prize?
Armed with clipboards, pencils and matching "I LOVE NY" shirts, a team of
surveyors recently set up shop in New York's Central Park on behalf of RSA
Security to find out how much personal information consumers would give up
while participating in a survey supposedly about tourism in the city.

The situation was deliberately constructed to feel official and safe, much
as online phishing attacks try to convince customers of their legitimacy with
real logos and industry terminology. In this experiment, the questions were
aimed at uncovering the type of 'innocent' information -- mother's maiden
name, favorite sports team, date of birth -- that people commonly use as
passwords but do not generally think they need to protect.

The survey revealed that most consumers freely give up personal data,
which can be used to guess their account passwords or to steal their identity
outright. Four key findings demonstrate that the vigilance that should be used
to protect computer passwords is worryingly absent in spite of current

* More than 70% of respondents gave up their mother's maiden name
* More than 90% of people provided both their date and place of birth
* Nearly 55% explained how they devise their online passwords
* Nearly 85% of respondents provided their full name, current street
address, and email address

A small number of survey takers declined to answer a question asking how
they devised their passwords, stating that this request was "too personal" or
that they "don't give out that information." The same people, however, had no
problem handing over their date of birth and mother's maiden name, which
suggests consumers often aren't aware of "back doors" into their accounts.

"A lot of personal information actually functions like a password and, as
such, needs to be robustly protected," commented Chris Young, vice president
of consumer authentication services at RSA Security. "Many consumers have
called their credit card company to check their account and been asked for
their mother's maiden name as a personal identifier. On top of this, with a
bit of sleuthing, motivated phishers can guess what a New Yorker's password is
just by having his address and trying combinations that assume he's a fan of
the Yankees or the Knicks. Our survey reminds us that we all need to be more
aware of such vulnerabilities, and take appropriate precautions."

Recent research from the Federal Trade Commission notes that damage and
loss resulting from ID theft and cyber-crime among American adults have
increased to nearly $50 billion annually (i). Attackers are continually
finding new ways to dig up personal data. Consumers are advised to take the
following steps to keep their private accounts and identity secure:

* Do not share your password -- or your method for devising your password
-- with anyone
* Be prudent with personal details including your mother's maiden name,
place of birth and date of birth (these details can be used as
passwords or as inspiration for passwords)
* Use a variety of passwords -- not a universal one for all of your
* Check to see if your online service providers (banks, ISPs, auction
sites) offer security products that provide more robust protection
against unauthorized access to your account

Survey Description and Methodology

The RSA Security Life Questions survey was conducted in New York City
between August 24 and September 6, 2005. Questions ranged from the essentially
harmless "Is this your first visit to New York City?" to more sensitive
requests such as the participant's date and place of birth, mother's maiden
name, children's names, pet's name, favorite sports team, their methodology
for creating passwords, full mailing address and more. 108 respondents took
part and completed the 18-question in-person survey. Consumers who declined
participation were not included in the final analysis of survey respondents.
All of the gathered data was returned to respondents immediately.

About RSA Security Inc.

RSA Security Inc. is the expert in protecting online identities and
digital assets. The inventor of core security technologies for the Internet,
the company leads the way in strong authentication and encryption, bringing
trust to millions of user identities and the transactions that they perform.
RSA Security's portfolio of award-winning identity & access management
solutions helps businesses to establish who's who online -- and what they can

With a strong reputation built on a 20-year history of ingenuity,
leadership and proven technologies, we serve approximately 19,000 customers
around the globe and interoperate with more than 1,000 technology and
integration partners. For more information, please visit