Scott Granneman, 2006-06-05
Phishing works for so many reasons that we need to rethink browser and user interface design to provide some real-life security to the average user who doesn't see or understand the security cues.
Sure. Lots of ideas...
2006-06-05
Anonymous (2 replies)
Your First Statement Is Right
2006-06-06
Anonymous (1 replies)
No active e-mail. Period. Text, just like back in the days of Fidonet and in the original intent of Usenet.
If there's something fancier that needs to be done, throw it into a word processing document or some other appropriate format and attach it.
You suggested perhaps allowing image retrie...
Re: Your First Statement Is Right
2006-06-07
Anonymous (1 replies)
Sure... someone taught me that security is not something tangible. It's a feeling, and therefore there is no solution! In your perfect solution you allow attachments to carry the 'active' content. I can surely trust Aunt Sally to send me a pure text e-mail, telling me to check out her new desktop...
Re: Re: Your First Statement Is Right
2006-06-08
Anonymous
The point is, however, that it would not be automatic. You would have to take a manual step to open that file. In which case, you would've had an intermediate opportunity to scan the file if you were concerned about it. Is it a little more inconvenient? Maybe a little. But the security provided...
Browsers, phishing, and user interface design
2006-06-06
Anonymous
Ok, I have an idea on how to make a lot of lay people aware of the many tricks on the web. And even make money while doing it. The first ten people that.... just kidding, but the idea might work if the right people get involved.
Make a movie, a comedy, about some Joe Schmoe (Eddie Murphy) falling...
Browsers, phishing, and user interface design
2006-06-06
TJ
It is fitting that this article contains such words as naiveté, unaware, ignorance, unskilled, and incompetent. Because that is the problem! The solution will not be in redesigning anything, but in teaching the masses how to think critically again.
Part of the reason for the lack of critical thin...
Browsers, phishing, and user interface design
2006-06-06
Anonymous (1 replies)
If the user doesn't click the link in their email, it doesn't matter whether or not they pay attention to padlock icons, or if they think the site is safe because it's got a favicon. (obviously those things are still issues for other reasons however.)
Trying to address the phishing problem by fix...
Re: Browsers, phishing, and user interface design
2006-06-06
Anonymous (2 replies)
> one of the best ways I can think of to help users avoid phishing is to have them read email in plain text.
That might work if the only links people received via email were phishing. The problem is that people receive both good and bad links in their email and they don't know which links are ...
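The exchange above (read mail as plain text, versus "people get good and bad links and can't tell them apart") comes down to one thing a text-only view gives you for free: the real destination of every link is visible. The following is an added example in Python, not code from the column or from any commenter, showing what a mail client or filter could do before a user clicks: pull every anchor out of an HTML message, flag links whose visible text names one site while the href points at another, flag remote image loads (the "image retrieval" concern raised in the first thread), and render the links the way a text reader would. The sample message and all hostnames in it are constructed for the demo; `example-bank.com` stands in for a genuine site.

```python
"""Inspect the links and remote content in an HTML e-mail before anything
is clicked.

Added example, not code from the original column or its comments. The
message below is constructed for the demo and its hostnames are
illustrative; "example-bank.com" stands in for the genuine site.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "verify your account" lure. The visible anchor text
# looks like the bank's URL, the href goes elsewhere, and a 1x1 remote image
# tells the sender when the mail was opened.
SAMPLE_HTML = """<html><body>
<p>Dear customer, please visit
<a href="http://login.example-bank.com.account-verify.example/">https://www.example-bank.com/login</a>
to confirm your details.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
<img src="http://tracker.example/pixel.gif?id=12345" width="1" height="1">
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collects [href, visible text] pairs and remote image sources."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append([a["href"], ""])
            self._in_anchor = True
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def registrable_domain(host):
    """Last two labels of a hostname. Real code should consult the Public
    Suffix List; two labels is enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html):
    """Return (reason, visible_text, url) findings for deceptive links and
    remote image loads in an HTML message."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text = " ".join(text.split())
        href_host = urlparse(href).hostname or ""
        # Only compare hosts when the visible text itself looks like a URL;
        # that is the case where a mismatch is meant to deceive.
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(("link text shows a different site than its href", text, href))
    for src in parser.images:
        if urlparse(src).scheme in ("http", "https"):
            findings.append(("remote image load (tracking/read receipt)", "", src))
    return findings


def as_plain_text(html):
    """Plain-text rendering of the links: visible text followed by the real
    destination in angle brackets, the way a text-only mail reader shows it."""
    parser = LinkExtractor()
    parser.feed(html)
    return [f"{' '.join(text.split())} <{href}>" for href, text in parser.links]


if __name__ == "__main__":
    for reason, text, url in audit_links(SAMPLE_HTML):
        print(f"{reason}: {text!r} -> {url}")
    print("\n".join(as_plain_text(SAMPLE_HTML)))
```

On the constructed message the first link is flagged because the text reads `www.example-bank.com` while the href lands under `account-verify.example`; the second link is not flagged, since "our help page" makes no claim about where it goes, and the tracking pixel is reported as a remote load. Comparing registrable domains rather than full hostnames is deliberate: `login.example-bank.com` is the bank, `example-bank.com.account-verify.example` is not.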
Browsers, phishing, and user interface design
2006-06-06
infamous41md
In the immortal words of someone, "No s#$t!"
I don't see how any of this information is actually surprising unless you live under a rock infested solely with geeks. Until the issue consistently gets more attention in mainstream media there are going to be many people who just don't understand/ca...
Browsers, phishing, and user interface design
2006-06-06
Todd Knarr
From a technical standpoint, I don't think there's much that can be done. This isn't really a technical problem. The best we might be able to do is to add an identity filter to browsers. Basically, an easy way to say "I'm about to talk to *this* entity. Accept only servers who can validate against t...
Email should be as in the beginning: text ONLY
2006-06-07
Anonymous
In the beginning email was text only, and since we are basically still using the same old standards and protocols for emailing, we should really go back to text only.
That extends to all the current protocols; they are old and the web, as you said, got more complex. I think it's time to rethink the...
Well, lets hope we find White Hats
2006-06-07
Anonymous
Just like the early days when the internet finally became accessible not just to the MIT grad but to everyone else, the risk of abuse was high with so many clueless users in a medium that had been dominated by "techies" for years. Since phishing isn't exactly new, I don't hear of too many White Hats comin...
Education & Two-factor authentication
2006-06-07
Wolfy
Need I say more? Well, probably yes.
The article successfully points out that educating users into the various security features present in the web browser is one thing, but when even experienced users fall for the 'vv = w' in a phishing URL, there is something that the legitimate site needs to ...
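Wolfy's 'vv = w' is one instance of a general trick: a hostname that reads as the genuine one at a glance. The check below is an added example in Python (not code from the column, from Wolfy, or from any browser vendor) of what a browser or mail filter could run on every link: it reduces a hostname to its visual "skeleton" so that `vv`, `rn`, `cl`, digits and lookalike Cyrillic or Greek letters collapse onto the Latin letters they imitate, decodes punycode so IDN homographs are inspected in their rendered form, and reports mixed scripts inside a single label. This goes beyond the single `vv` case in the comment; the confusable tables are a hand-picked subset (real code would use the Unicode confusables data and the Public Suffix List), and the `PROTECTED` list and every hostname are constructed for the demo.

```python
"""Flag hostnames that imitate a known site with lookalike characters.

Added example, not code from the original column or its comments. The
confusable tables are a hand-picked subset: production code should use the
Unicode confusables data and the Public Suffix List. The hostnames and the
PROTECTED list are constructed for the demo.
"""
import unicodedata

# ASCII sequences that read as a different letter in proportional fonts
# ("vv" for "w", "rn" for "m", "cl" for "d") and single lookalike characters.
# Longer sequences come first so they are collapsed before single chars.
ASCII_CONFUSABLES = [
    ("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l"),
]

# Cyrillic and Greek letters that render identically to Latin ones.
UNICODE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek o a v
}

# Sites the user is expected to log in to (constructed for the demo).
PROTECTED = ["paypal.com", "example-bank.com", "microsoft.com"]

# A punycode host built from "p<Cyrillic a>ypal.com", as it travels on the wire.
PUNYCODE_SAMPLE = "p\u0430ypal.com".encode("idna").decode("ascii")


def decode_host(host):
    """Turn punycode labels (xn--...) back into Unicode so lookalike letters
    can be inspected; returns the host NFKC-normalised and lower-cased."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: inspect as given
    return unicodedata.normalize("NFKC", host).lower()


def skeleton(host):
    """Map a hostname to the string it reads as at a glance."""
    s = decode_host(host)
    s = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in s)
    for seq, repl in ASCII_CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def scripts_used(label):
    """Set of Unicode script names ("LATIN", "CYRILLIC", ...) of the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def registrable_domain(host):
    """Last two labels; the Public Suffix List would be used in real code."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(host):
    """Return the reasons a host looks deceptive (empty list if none)."""
    reasons = []
    decoded = decode_host(host)
    for label in decoded.split("."):
        if len(scripts_used(label)) > 1:
            reasons.append(f"mixed scripts in label '{label}'")
    reg = registrable_domain(decoded)
    if reg in PROTECTED:
        return reasons  # the genuine site (or one of its subdomains)
    skel = registrable_domain(skeleton(host))
    for good in PROTECTED:
        brand = good.split(".")[0]
        if skel == skeleton(good):
            reasons.append(f"looks like {good}")
        elif brand in decoded and reg != good:
            reasons.append(f"embeds brand name {brand} under {reg}")
    return reasons


if __name__ == "__main__":
    for h in ["www.example-bank.com", "paypa1.com", "rnicrosoft.com",
              PUNYCODE_SAMPLE, "example-bank.com.account-verify.example"]:
        print(h, "->", classify(h) or "ok")
```

Two design points worth noting. The skeleton is applied to both the candidate and the protected name, so a confusable replacement that also hits a legitimate name (`cl` inside a real brand, say) cannot by itself produce a false match. And the registrable domain is computed after skeletonising, which is what catches `vvww.paypa1.com`-style hosts while still letting `login.example-bank.com` through as the bank's own subdomain.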
Browsers, phishing, and user interface design
2006-06-07
GeeksAreSexy
I read this sentence somewhere recently, not sure where, but it caught my attention: "Security is a process, not a product"
I think this sentence sums up the situation fairly well; the only way we'll be able to sensitize people to the plague that is phishing is by educating them about security....
Browsers, phishing, and user interface design
2006-06-07
Andydread
I also think education is PART of the solution.
I think of all the ideas I have seen posted up above the best and most effective would be a hit comedy. If you really think about it. Many people here suggested education as part of the solution but the masses do not care to be educated. Think abou...
Browsers, phishing, and user interface design
2006-06-07
Glenn
The weak link is, of course, the human/user. And, of course, the answer is to take a stand now, suffer the "inconvenience" of thinking about future generations rather than security-fire-putting-out.
To wit, we should be allocating much more of our GDP to education -- proper education that teache...
Browsers, phishing, and user interface design
2006-06-08
Anonymous
One thing we did, back in DOS days, to get the user to confirm a dangerous action was to change the confirm box.
In one system the user had to key in a word like "Y", "YES" or "OK"; it changed randomly.
Another changed the order of the buttons, the text on them and the way the question was phrased. S...
The article tells you at least one simple answer
2006-06-08
Matthew
Degrade the content within self-cert sites for a start...
Screw with the text (introduce spelling mistakes, or change all the text to Times New Roman).
Screw with the layout (insert table borders).
Screw with the images (render them all as JPEGs with quality set to 10%).
Instead of pop...
Stop babying people
2006-06-09
Anonymous
We're moving more and more towards a nanny state. In the real world, you would examine every clue in front of you before parting with important personal information, bank details or money.
Yet, when someone goes online and fails to exert the same scrutiny to a transaction, it's the fault of th...
Browsers, phishing, and user interface design
2006-06-09
Ron Jennings
This is a very well written article, as always.
I truly enjoy your work and I know a lot of hard work goes into it. That being said, I should get to the reason I wanted to post.
This all proves one thing. A fact I have been drilling into my users for some time. The most important skill u...
Wrong end to start patching
2006-06-12
Thomas Nilsen (1 replies)
Phishing is only one of many problems with the internet as we know it today. Why not start doing something that can contribute to fixing more than one specific issue at a time?
1. Limit SMTP access on ISPs outbound network. Home users do not need access to all the worlds SMTP servers. They should be...
Re: Wrong end to start patching
2006-06-12
Anonymous
Because it is silly.
1. & 2. ok.
Since most of the spam being generated comes from zombie windows boxes, they will just funnel through the ISP until the ISP notices (which usually takes a complaint...).
The end result is no change.
One reason most people do go direct to mail servers is e...
Browsers, phishing, and user interface design
2006-06-14
Andre
The funniest bit about this article is how much Scott seems to be taken by this concept. These kinds of studies, that is, usability and security, are becoming more frequent as more people look at this. There is actually a book titled "Usability and Security" that is a few years old on this very subje...
Ingredients of possible solutions
2006-06-16
S. Lo Presti
Hi,
This problem relates to issues that are studied in the field of "trust", for example "feelings of security".
You're digging here into one of the most difficult issues, that of bridging the gap between the objective aspects of trust (well-known security, website design, browser cues, etc....
Users ignore alert messages...
2006-06-20
Anonymous
...because they try to explain, in a single popup with a nice "OK" button in the middle, what the whole story behind that alert is all about.
Consider this: the user is just trying to browse a site and the browser comes up saying "wait a moment: I have to tell you a long but interesting story".
...
simple:
2006-06-24
ailaG
Simple: users don't listen to anything that has technical language or icons that aren't as clear as possible and as large and central as possible (they won't look at the lock icon because a. there are plenty of meaningless icons there, b. it's too far away from the site itself and c. iirc, IE always...
Browsers, phishing, and user interface design
2006-07-03
wurzlsepp
Hi all,
I haven't read all the comments, so maybe my idea has already been commented on above. What about using the centralized database as described above, showing a warning pop-up and additionally playing some sound? Maybe people are more receptive if there are not only visual elements but als...

That means... no working links. Image retrieval... maybe; but only optionally, and with a verification before loading.
HTML should only be used as a descriptive language in email messages, nothing else.
The next idea, of course, is to use E-mail standards. Text only. No HTM...