McAfee Site Advisor in damage control after the release of the 3sharp report
As noted in this blog post, McAfee's SiteAdvisor scored an extremely low 3 out of 200 (putting them in last place) in the 3sharp antiphishing tools test released just the other day.
McAfee are now crying foul. Shane Keats has posted to my blog, and to the IE blog, disputing the inclusion of McAfee's Site Advisor in the tests because, in his words, McAfee "[doesn't] offer anti-phishing".
McAfee's online response can be found here (unfortunately they don't seem to use RSS, nor do they have unique links for individual blog posts):
http://blog.siteadvisor.com/2006/09/we_dont_do_antiphishing_1.shtml#comments
So, I went to have a look at the SiteAdvisor site to see what it *does* say. The SiteAdvisor site says that it warns of "fraudulent practices" and has tested "sites representing more than 95% of worldwide Web traffic" and performs "tens of thousands" of tests every day (but phishing sites aren't included??)
"Web sites are tested for excessive pop-ups, fraudulent practices, and browser exploits."
http://www.siteadvisor.com/download/ie_learnmore.html
There is no mention of excluding phishing sites here either:
"SiteAdvisor is a consumer software company dedicated to protecting Internet users from all kinds of Web-based security threats and annoyances including spyware, adware, unwanted software, spam, pop-ups, online fraud and identity theft."
http://www.siteadvisor.com/press/faqs.html#q11
Perhaps McAfee should be more specific about what they consider to be "fraudulent practices", "online fraud" and "identity theft" and add a very clear statement that they do not protect from phishing in the FAQ in addition to the Support Centre URL Shane cites (people will not go to the support site unless they have problems).
Then I read Paul Robichaux's blog. He's also been contacted by Shane Keats and has some interesting points to share:
http://www.robichaux.net/blog/2006/09/mcafee_siteadvisor_sure_looks_like_an_an.php
Of particular concern is this comment:
"On August 3rd, I spoke via phone with both Craig Kenwec of McAfee and Scott Van Sickle of Global Fluency, a PR agency that handles client-security PR for McAfee. Both of them told me that SiteAdvisor incorporates anti-phishing functionality"
Here's the thing, McAfee. Comments in the Support Centre, which users will not see unless they go looking for support, or in a blog, which your users may not read, are not a sufficient disclaimer. Not when we take the rest of your site (and your own employees' and PR firm's comments) into consideration.
Why am I being so hard on McAfee about this? Not because they "lost" or IE7 "won", but because protection of users is my primary concern. As noted by the Anti-Phishing Working Group, and as I have seen in my own tests, phishing sites may attempt to download keyloggers and other dangerous software, and may attempt to take advantage of known Web browser exploits, to infect systems.
Phishing sites can be extremely dangerous, and if SiteAdvisor is going to disclaim protection from phishing sites and their users will not be protected, then their users deserve, nay, they NEED, such a disclaimer to be clearly communicated to them right from the start, and not have the information buried in a support site or a blog. And they certainly don't deserve to be misled by statements on the SiteAdvisor site like those highlighted above.
SiteAdvisor need to make it very, very clear that they are disclaiming protection against phishing sites. The reality is that SiteAdvisor users are assuming that they are protected from phishing, and they are not being dissuaded from this misapprehension by the FAQ or the Learn More page, and will not be dissuaded unless and until they visit the SiteAdvisor Support Site and/or the SiteAdvisor blog.
Oh, and McAfee, do me a favour and change your home page. In my world phishing sites *are* "online scams":
