
Clarity of links

Wed, 31 May 2006 at 17:11 • Chyetanya Kunte • Filed under Browser, Noteworthy, Software, Usability

A couple of days ago, I pointed to a paper on Why phishing works. The more I think about it, the more I realize, as the paper interprets, that the warnings and notifications are not attention-grabbing enough for normal users on a clicking rampage.

Phishing works by camouflaging everything except the URI (the actual web address). If a link points to some suspicious web address while its label says PayPal, users should be concerned.

Highlighting the address bar, as implemented in Firefox, is a brilliant way to let users know that they are indeed using a secure site for a transaction.

In contrast, the notification (below) in Internet Explorer 6.0 actually scares people away by popping up a security alert! Absolutely ridiculous! How will people begin to trust genuine sites when you distract them there, when this should really happen on those dubious phishing sites instead?

Security Alert Notification in IE6

Thankfully, Internet Explorer 7 will have none of this nonsense. But is it enough? The aforementioned paper seems to suggest that it is not.

A proposal: How about showing the actual address in a tool-tip when the user hovers over a link? The tool-tip has to appear instantly, not after a second's delay (as it does now for all tool-tips in browsers), or else the user will fail to see it.

Fancy tooltip for security implementation in browsers

(Image courtesy: Dunstan Orchard)

This simple implementation in browsers could save users from clicking through to a fraudulent site and getting conned in the process.

Update: While the browser implementation would help webmail users identify phishing links, the instant tool-tip feature should be implemented in email clients too, since most outbound links are clicked via the e-mail client. How about Outlook, Outlook Express, Lotus Notes and Thunderbird for starters?
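The label-versus-address mismatch described above can also be checked mechanically, for instance by a mail filter. The following is an added example, not code from this post or from any browser or mail client; the `BRANDS` map, the function names and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed brand list (assumption): label keyword -> domain it implies.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class AnchorCollector(HTMLParser):
    """Collects (visible label, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def claimed_domains(label):
    """Domains the label spells out, plus domains implied by brand names."""
    found = {d.lower() for d in DOMAIN_RE.findall(label)}
    found |= {dom for brand, dom in BRANDS.items() if brand in label.lower()}
    return {d[4:] if d.startswith("www.") else d for d in found}

def audit_links(html):
    """Return links whose real host is not the domain the label suggests."""
    collector, findings = AnchorCollector(), []
    collector.feed(html)
    for label, href in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").rstrip(".")  # hostname excludes any user@ part
        bad = sorted(d for d in claimed_domains(label)
                     if host != d and not host.endswith("." + d))
        if bad and parts.scheme in ("http", "https"):
            findings.append({"label": label, "host": host, "claims": bad})
    return findings

# Constructed sample message body, not taken from a real email.
SAMPLE = """<p>Confirm at <a href="http://paypal.account-check.example/login">PayPal</a>
or <a href="https://www.paypal.com/help">www.paypal.com</a>.
Mirror: <a href="http://www.paypal.com@203.0.113.7/">http://www.paypal.com/</a>,
<a href="https://example.org/news">our newsletter</a></p>"""
```

Calling `audit_links(SAMPLE)` reports the first and third links, whose labels suggest paypal.com while the address goes elsewhere, and passes the other two.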


3 responses to “Clarity of links”

  1. Sumeet said:

    It’s a good thought, as long as all users are happy to allow web objects and JavaScript on their hosts. If you observe some of the recent phishing trends, it leads you into more of social engineering attacks than just plain old PayPal-eBay style phishing. The move here should be of security based on application level than just showing people what they might be clicking on.
    On a similar note, I know of at least 10 CS graduates who have clicked and installed “smiley central malware loaded” stuff on their computer. People who understand consequences of phishing don’t need anything else than what’s already there. For people ignorant to such concepts, a solution needs to be enforced rather than giving them a choice.

  2. Chetan said:

    Sumeet: I am talking about application level notification by enhancing the existing tool-tip feature within browsing and email applications.

    Tool tip is independent of browser settings for web objects or JavaScript, so it wouldn’t matter if they are turned on or not.

    Software is always about choice. Restrictions can never be enforced. That is the democracy of the web/software/platform. So the choice should be for the users to decide what’s right for them.

    I am sure the same CS students would be more careful on their personal computers than those public machines on campus they use without care.

  3. Linkback: DesiPundit » Archives » Clarity of links