[cap-talk] Phishing with YURLs and Petnames
Jed at Webstart
donnelley1 at webstart.com
Tue Feb 14 21:30:25 EST 2006
At 05:59 PM 2/14/2006, Ka-Ping Yee wrote:
>On Tue, 14 Feb 2006, Tyler Close wrote:
> > You are assuming that the user will trust the insecure
> > introduction in preference to the secure one, never even trying to
> > validate against the previous and frequently used secure channel. I
> > think that's a stretch.
>Petnames are a much better tool than we have today, but i do not
>find this mode of failure as unlikely as you do. It really is not
>much of a stretch to believe that many users will ignore indicators
>that are outside their workflow. The workflow in this story (even
>with Petnames) is: read e-mail message, click on link in message,
>see webpage appear, fill in login form, click "Log in".
While in the current environment I agree the above can happen, I also
don't think it is all that difficult to change the environment (at least
technically) to the point where users are presented with clear tools
that identify trusted channels and they can follow the simple rule:
"Don't follow instructions from channels that aren't trusted."
>We know from common sense and usability research that users tend not
>to notice indicators outside their workflow. This was most recently
>reported in the paper, "Why Phishing Works", in which Rachna Dhamija
>found that lots of users don't notice the padlock, the URL scheme,
>or the colour of the URL bar.
I read the above paper. I must say that 22 participants seems a rather small
set on which to base their conclusions. I think a lot might depend on their
presentation. It seems to me that my attention gets much more focused
if I know that it's my bank account that I might be giving up access to, rather
than some test.
I also read with interest "Users' Conceptions of Web Security:
A Comparative Study".
However, I really think those setting up the tests are asking way too
much of the participants. Distinguishing, for example, between
"transit", "encryption", and "remote site" 'security' is demanding quite
a bit of users.
Of course there's an educational component to this issue of trust
and the Internet. I'm confident that by making the interfaces and
the model simple we can do better on the Internet than we're able to
do in the physical world.
> > Again, maybe a good story and a naive user
> > could make it happen, but that will always be the case.
>There is more we can do -- we can try to work the petname into the
>user's workflow somehow.
I agree. However, if you argue as above that even something as
simple as the little lock won't be acknowledged and will be ignored,
then it would seem pretty hopeless. I'm not nearly so pessimistic.
I believe most people can easily master the few skills they need
to only transfer trust from trust - if they are given effective tools
to identify trust.