Mac users urged to ditch Safari
Surfers should steer clear of Safari until it introduces better anti-phishing protection, a US consumer rights magazine has advised. Consumer Reports lists "thinking your Mac shields you from all risks" as one of the seven biggest online blunders that expose surfers to risk online. It advises Apple fans to consider using either …
"Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should," Consumer Reports said.
... Does that mean that anti-phishing gizmos are perfectly useless as whether people have them or not they still get had just as much?
Paris, coz she likes phishing too...
surely anti-phishing toolbars are like baby-proofing your house and then hiring the local paedo to babysit.
If most attacks are carried out through complete dickheads clicking on rogue links in their email and invitng attack then that's where the problem lies.
Don't get me wrong I'm not an Apple appologist but protecting idiots from their own stupidity is counter-evolutionary.
Paris because even she wouldn't be dumb enough to update her paypal details from an email link.
This survey states that the risk of a user falling victim to phishing is the same whether they're on a Mac & PC.
If this is the case, then how does the survey reconcile with the fact that most Mac users are using Safari (no phishing filters) and most PC users are using Firefox (with phishing filters)?
"Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar. To make matters worse, the browser of choice for most Mac users, Apple’s Safari, has no phishing protection. We think it should," Consumer Reports said.
So, Wintards, who have a plethora of these toolbars are just as likely to be scammed as Mactards who, by default don't (same rate of scamming).
So are they saying these toolbars do feck all?
I think that soundbite might need some re-wording. :)
Isn't that one of the plus points of Safari though? No nagging pop-up boxes.
No anti-phishing toolbars sounds pretty good to me.
If you're the kind of person who relies on a pop up to tell you that the link you've clicked on in your email might not be your proper banking site, perhaps you shouldn't be on the internet in the first place?
... who uses Safari as their browser of choice anyway? I know of one person, but they're a designer so make of that what you will.
The only reason I keep it around on my work Mac is for website testing - hell, even our Mac-using clients, of which there are a few, don't even use it and they're hardly what you'd call IT-savvy in a lot of cases.
Anyone who uses Safari for Windows is likely so in need of having their heads examined that phishing scams would be the least of their worries.
Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure.
"Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar."
"most PC users are using Firefox"
Last time I checked, 15% wasn't "most". You'd be thinking of IE there.
"...most PC users are using Firefox"
Really? I thought IE still was the dominant browser with ~75% of the market share?
Since IE is (mostly) Windows-only, I can't see how most PC users use Firefox... most of the sensible ones do, but these are the ones that all other things being equal might not be dumb enough to be phished anyway.
I was just about to say, I've never used an anti-phishing toolbar, purely because I trust in my own ability not to be fooled into giving away my details to dodgy sites.
It's good to see techies being arrogant and condescending to users who might not understand the intricacies of DNS, the HTTP protocol, HTML email, and how web browsers work. As in much of life the majority of users don't need to know how something works in order to use it, and so do need help and protection for when those things fail.
Next time you go for some tax or legal advice I hope the person behind the desk laughs at you for being so stupid as to not understand how HMRC or the Bar Council operate.
"who uses Safari as their browser of choice anyway?"
Not me, I use OmniWeb. Oh, wait ...
".....most PC users are using Firefox (with phishing filters)?"
That'll be your problem. I think you'll find that *most* (i.e Joe Public) PC users are using IE and a sizable chunk of those are still on IE6 or earlier.
The Safari security problem can only get worse. The majority of the people I know who are either thinking of moving to Mac or have already done so are taking the plunge because they find Windows too complicated and the Mac "Well, it's easier innit? Says so in the ads.". The lowest-hanging fruit around.
Hark, is that bleating I hear from the new, enlarged Mac community?
I wish people would stop using PC incorrectly. Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive it's still a PC.
That said, IE's still the dominant browser on PCs, sadly.
/Mine's the one with adjacent sibling selector capable browser.
"Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."
Really so Linux now comes with a gullible user patch?
You think you're a victim of fisting?
Oh, your bank-account has been emptied, don't you mean phishing?
OK, are you currently online? Great, please go to your start-page.
Yes, that's the first website you see when you open your webbrowser.
//-- STOP!!!!! --//
Before this gets out of hand, I'll just get to the clue here:
The number of people who can't even properly read out the URL of the website they are visiting is really massive, there is no protection for that.
They are the same people who are unable to distinguish between Yes and No when their OS asks them if they really, really, really want to erase their entire harddrive and external storage and who are still waiting for those Nigerian $$$, and, and, and ...
and ...
...
OmniWeb beats anything else hands down, but it is probably too much to ask to remember the names of more than 3 products.
And dammit, the users do fight to remain ignorant.
Everything you need to know is at wikipedia (search for phishing).
Either that, or they're still trying to work out how to read their emails, or trying to manipulate that stupid little mouse with thier twisted, inbred hands.
"Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive it's still a PC."
Nonsense. I have several BSD boxes and they are not PCs, they don't have any means to connect a keyboard nor a mouse and you could not use them for "personal computing" tasks, they are appliances, not PCs.
Similar situation with various appliances that run Linux.
"Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."
Seems to me your brain is powered by Complacency OS though, which is far more insecure than anything else.
I'm a total Mac head, but I'm not stupid.
I love my Mac, and my OS X, but I hardly ever use Safari on Mac OS or Windows.
Firefox is faster and safer as far as I can see.
Having said all that, Safari is STILL better than anything from Microsoft.
Plus, if you get sucked into a phising site, you deserve to have all your money stolen from you anyway.
"It's good to see techies being arrogant and condescending to users who might not understand the intricacies of DNS, the HTTP protocol, HTML email, and how web browsers work"
You've got a point there to be fair.
But not everything has to be dumbed down to the lowest common denominator. That's what pushed me away from IE (and eventually Windows) - the constant nannying.
"Look at me - I've got rid of a pop up for you"
"Look! Look! I've found a nasty phishing site"
"Look dad! Windows Defender (registered trade mark) has saved the day!"
Aargh!
"if you get sucked into a phising site, you deserve to have all your money stolen from you anyway."
I would have to disagree with that. Let's presume an old granny who has been given a Mac/PC to stay in contact with grand children. How is granny supposed to suspect that a link that says http://www.mybank.com is actually a link to http://www.yourfriendlyfraudster.cc ?!
Browsers and mail clients already have the ability built in to recognise that a given string is a URL. How difficult could it be to use the same library call to check that plain text string that accompanies the URL. If that string is a URL, too, and the two URLs do not match, then the data should be rejected altogether. It shouldn't be displayed because there is no legitimate use for presenting one URL as another URL, the only possible use for this is fraud, as simple as that. So why would any software display the fake URL, considering a) it is easy to detect and b) the only possible application is fraud.
I am not an Apple basher, but I have to agree with the notion that fake URLs should be censored by client apps. I wonder what would happen to a print shop if they allowed their equipment to be used for printing fake passports and driver's licenses. They could try to hide behind their customers all day long, they'd be in the dock alongside.
Tried them all, and Opera wins hands down, it does everyting the other do, and tonnes more...
That the same amount of Mac as Windows users get scammed
Except there are many many more Windows users
So a far higher % of Mac users get scammed than Windows user
As much as I HATE Macs, I do know that the average Mactard has (normally) a higher IQ than the run of the mill Windows fool.
This actually shows that the anti-phishing tech works well, protecting the brain dead and the moron "next,next,ok,next,ok,opps" crowd.
I don't know what's worse, a firefox fanboy or an Apple worshiper who says that Macs don't need anti-phisihing filters unless St. Steve says decrees it (like two-button mice, standard screen resolutions, Pentiums, Unix, etc...).
"Whether it runs Windows, Mac OS, Linux, BSD, DOS, OS/2, RISC OS, or any other flavour, or has no hard drive it's still a PC."
I think the the term Personal Computer although it should refer to Apple Macs as well is not used that way. Because the PC is an open design that may be manufactured by any company it is distinct from the Apple Mac that is not an open design. When people talk about the desktop or laptop computer they are referring to machines that probably are running MS Wndows.
Historically we are using a term that used to be "IBM PC" and this became shortened to PC - the key is the common hardware platform. The Apple Mac is not a PC becomes it doesn't have a common hardware platform as do all other personal computers.
I do my secure internet transmissions through an RS-232 serial cable that I've cut the end off, and just press the bare wires against my testicles. No phishing scam ever got past my boys!
Sorry did I say that out loud?
"Mac users fall prey to phishing scams at about the same rate as Windows users, yet far fewer of them protect themselves with an anti-phishing toolbar."
And GNU/Linux users rarely fall prey because to install and run GNU/Linux you need more than 64k of brain cells.
As far as I know most of them don't attempt to mask the URL in any way. From the many (very poorly written - surely they could just run spelling and grammar checks on them before sending them out??) phishing attempts I get in my email, the link is something like:
www.hsbc.com.34fg463fdgt567.nz/online_banking
i.e. the hsbc.com bit is a subdomain to the 34fg463fdgt567.nz bit.
Sounds easy to spot, but at a glance, cetainly for the end user, they see www.hsbc.com and they're fooled.
Still with the amount of money that is lost through this each year, I'm sure they could just ban hsbc.com and any other major banks names as a subdomain at a browser level. At least stick up a great big warning.
Interestingly tho, even though IE's phishing filter doesn't always seems to work very well, Outlook informs me with a big red banner that the email is a phishing attempt. aybe they have some of those kind of checks in there now too...
"Paris because even she wouldn't be dumb enough to update her paypal details from an email link."
Maybe, but she might not be a mac user! Most mac users seem to live in beautiful blissful ignorance of any security isues. That's how life really should be, and you techies should all make it like that for everyone.
But the trouble is that I reckon most Mac techies are so bloody arrogant and ignorant of anything non-arty that they could not even spot a phishing attack, hence no such feature in Safari, which also is a crap browser anyway.
Mac are not (ask Apple) PC. As soon a Apple put in its open source OS with candy interface on a PC it become a useless overprice pill of steaming.....
As far as the Safari, it was easly pretictable. Apple is not ready for the real world. it as no concept on security and it will take decades before it is even close to be safe to have a mac on the "net", a big part of it is the because the general IQ of a mac user is in the single digit.
Paris? because she is the perfect exemple of a typical mac user.
My only experience of Apple software is iTunes and Quicktime, usually temporarily forced upon me by a visitor unable to operate his or her precious iPod without them. Each time I'm confronted with the horror that is Apple's flagship bloatware duo I have to be sick a little bit in my mouth to stop part of me from rotting away inside.
Over the last dozen years I've watched Quicktime evolve from a mildly irritating, feature-crippled media player to a fully fledged pain in the arse resource hog feature-crippled media player. As for iTunes - seriously WTF? Simple, intuitive, user-friendly: all words that get bandied about, but iTunes is none of these things. WMP is useless crap but iTunes is in a league of its own.
I'll get back to you if and when I've had Safari forced down my throat and then garrotted in place with a supersoft black cotton rollneck - but I can't say I'm expecting any better.
Why would anyone willingly use this crud? Oh, that's right most people don't. They're locked into it because they think their iPod won't work without it, or they can't see a pissy little web clip unless they install 20MB of Quickbloat, or they've had Safari shoved up their drainpipe by Apple update... a small step from there to ignoring the default browser for links followed from inside other Apple apps, then let Safari wheedle and obfuscate its way to becoming the system default browser. Poor suckers.
Makes me sick, grinds my gears, won't somebody please think of the etc.
truly, it's bad bad bad. Well, on full-fat OSX anyway. None of the crashing or other unpleasant issues I have with it on my Mac seem to occur on my iPod Touch
Still, every OS has to have something bad about it.
@ A/C
I didn't say that because it runs one of those it MUST be a PC, what I meant is fact that a box runs something other than Windows doesn't mean it's not a PC
@ Geoff Edwards
I see your point, but the term was around before the IBM PC. The Apple Mac is a personal computer - intended to be used by one person at a time, unless you're using it as a server, appliance.... Also, "doesn't have a common hardware platform"? Don't think that's been true for a fair while now.
"Mac users make me laugh. I never have security problems like this, because I use Linux, which is far more secure."
I'm a day-to-day linux user myself, and granted, my machine is set up in a fail closed rather than a fail open way, so that ports are a) off by default, and b) turned off if the thing that uses them fails.
However, I don't agree with the primary premise of yours Adrian, mostly because it's unsubstantiated. Linux and Mac OS X, and even sometimes Windows, can be as secure as each other when configured properly. Therein lies the problem, as for the most part, the default configuration of Linux tends to be the slightly more secure than the other two, though this is by no means definitive (NB: I'm not comparing other OS's here, just the three main ones, and yes I know BSD is by it's nature even more secure). On the other hand, a user clicking on a link in an email, or on a website is not safeguarded by the OS in any way, shape or form. This is the realm of the browser, and ultimately the user to ensure they browse safely. Anti-phishing tech just allows the (usually) non-techie users to make an informed choice, which they'd otherwise not be able to do.
Not that all iTunes Store customers run Safari (despite Apple's earlier attempt to force feed the browser to Windows users), but a recent phishing campaign to get credit card and Apple ID credentials is aimed squarely at Apple customers. See writeup at spamwars.com/archives/2008/08/itunesapple_id.html.
Of course, El Reg readers are too smart for the crooks (as commenters would like us to believe), but it's the gazillion non-Reg readers who keep the spam and malware economies alive.
You have to laugh at the sheer pointlessness of the majority of comments here.
What's better, the Speccy or the C64?
"the PC is an open design that may be manufactured by any company it is distinct from the Apple Mac that is not an open design."
Not any more. Apple is now using motherboards designed by Intel, sold to anybody else who wants them. The only thing that is different now is the firmware, Apple uses Intel's EFI, other vendors still use BIOS.
“The Apple Mac is not a PC becomes it doesn't have a common hardware platform as do all other personal computers”
I have a Mac with "PC" on the front. OK, it's PowerPC but it's still a personal computer. I also have a RiscPC.
"You have to laugh at the sheer pointlessness of the majority of comments here."
Congratulations on keeping up that 100% pointless comment record.
By the time you launch the browser you've already fallen for the scam. The important thing is ALWAYS to read messages in PLAIN TEXT - even HTML-only ones. Then bogus URLs are obvious because they don't match the text link or they don't show at all so are harmless.
So the best advice is to use a sensible mail client like Messenger Pro on RISC OS which doesn't open mail in a browser unless you really, really want it to.
"the link is something like:
www.hsbc.com.34fg463fdgt567.nz/online_banking
i.e. the hsbc.com bit is a subdomain to the 34fg463fdgt567.nz bit.
Sounds easy to spot, but at a glance, cetainly for the end user, they see www.hsbc.com and they're fooled."
interesting, I didn't know that since I delete all mail purporting to be from a bank without looking at the content because my bank only use postal mail, never email to contact customers.
"Still with the amount of money that is lost through this each year, I'm sure they could just ban hsbc.com and any other major banks names as a subdomain at a browser level."
Why not go one step further and let browsers block any URL where .com/.net/.org shows up further left than second last position. I can see no reason why legitimate websites would want to use .com/.net/.org in the middle of a URL, again, the only possible application here is fraud, so block them. And this should be turned ON by default.
The point is - there is no anti twat knacker crap
I use Safari because i don't want the bloatware that is Firefox.
I can look after myself in cyberspace, I don't want some dumbed down crap that checks every site I visit for a third parties' approval.
Speccy or C64? Are you insane? It's the Beeb Model B...
Re: they are saying
"That the same amount of Mac as Windows users get scammed
Except there are many many more Windows users
So a far higher % of Mac users get scammed than Windows user"
Actually, they are saying the exact opposite:
"Mac users fall prey to phishing scams at about the same rate as Windows users..."
That is, that approximately the same >>percentage<< get taken, not that the same >>number<< do.
The level of erudite commentary in this thread beggars belief.
I've got a Mac... that runs Leopard and XP. I've got a PC... that runs XP and Linux. I've got a Linux box (it could run XP, but no point without a monitor or keyboard). They're all equally good. The browsers are all equally good too. OK, so some render pages better than others, but they all operate with varying degrees of slight wrongness. The question is not really one of "what's better". They all get the job done.
Going back to the original subject, the Internet is basically a dangerous place. You could use an analogy with cars. Give a learner a Ferrari, and he's likely to crash it quite soon. The fact that it has fantastic levels of grip, and phenomenal brakes, is not going to stop them ploughing off the road at the first available opportunity. You can give some PC users anti-virus, anti-spam, anti-phishing, anti-spyware, but it's not going to stop them ploughing off the road at the first sign of a tempting 419.
When I surf the Internet (with Safari on Mac by preference, but I'm not particularly partisan), I drive slowly, look well ahead, and keep my equipment regularly serviced.
Sign up, sign up for The Register's weekly IT security newsletter - click here
