Re: New Use Case for W3C WSC

Yes, there may well be an issue with users invoking SBM before 
clicking a link in their email.  That's why I proposed that one 
alternative might be to remove that issue by making the user's 
computer (email client? browser?) "smart" enough to sense that when 
an email might potentially be from a bank, the browser could prompt 
the user and ask if SBM should be invoked.  So I am assuming some 
sort of "intelligent" link between the email client and the browser, 
with the email client triggering the browser to invoke a procedure 
for prompting the user to invoke SBM based on some keywords or 
phrases in the email header.  But is that so wrong?   It may not 
exist today - all I am suggesting is that it might be one avenue to 
consider (and not necessarily by this group) as a way to prevent 
users from visiting fraudulent banking sites by clicking on email 
links if they haven't first invoked SBM.  But this is getting off the 
beaten track, I guess...

At 11:55 AM 8/24/2007, Ian Fette wrote:
>This is going to rapidly take me down a divergent path, but I shall 
>follow said path anyways.

>One of the biggest problems I have with SBM is invocation. You can't 
>really expect users to invoke SBM before clicking a link in their 
>email, because when they're reading their email their browser might 
>not even be open (except for all the wonderful gmail users out there 
>;-). But seriously, when you click on a link in Thunderbird or 
>Outlook or Lotus Notes or whatever it is that you use to read email, 
>that email program just knows that it's supposed to open that link 
>in a browser (sometimes... if it has no clue, it might just 
>shellexecute the URL and let the OS figure out what to do with it). 
>Either way, unless the default browser is set to "Browser with SBM 
>Mode Turned On", links from email are going to get loaded in non-SBM mode.
>
>So, let's now go back to your response. Let's say that the user is 
>educated enough to understand that SBM should be invoked before 
>visiting any banking websites. (I personally find this a troublesome 
>assumption, but let's run with it). Is the user then supposed to 
>start a web browser, enter SBM mode, and then cut and paste the link 
>from their email? That's a usability disaster, and I doubt anyone 
>would actually figure out that those steps were required. Even if a 
>user opens a browser and starts SBM, clicking on a link in an email 
>program would very likely just start a new browser window (probably 
>without SBM enabled... and when a user is in SBM mode, do you really 
>want links from external programs to be able to clobber the current 
>window?).  In my mind, we're heading for a usability disaster here.
>
>Further, in your use case below, you're assuming a strong tie-in 
>between a user's MUA (email client) and their browser, which is 
>often not the case. In some cases the two are strongly tied 
>together, but in many cases when an email client gets a URL and the 
>user clicks on it, it just throws the URL to the operating system 
>and says "deal with it". And we're already well down the path of 
>suggesting extensions to MUAs (email clients) to do machine learning 
>to detect possible bank-like emails, and I fear this is getting way 
>out of scope of the WG...
>
>On 8/24/07, Bob Pinheiro <Bob.Pinheiro@fstc.org> wrote:
>I think there may be a tie-in here with Safe Browsing Mode.  Suppose 
>the user is educated enough to understand that SBM should be invoked 
>before visiting any banking websites.  Then upon seeing the email, 
>the user should invoke SBM before clicking on the apparent banking 
>link.  If that is done, then instead of displaying the ERROR 404 
>message, the user should see whatever is displayed by SBM when the 
>user attempts to visit a non-safe website.
>
>But if it is true that "education does not consistently produce the 
>results desired", then there may be numerous times when even users 
>who are aware of SBM do not actually invoke it when they should; 
>that is, before visiting banking websites.  So a question worth 
>asking might be: can a user's browser be made "smart" enough to 
>sense that a website that the user wants to visit might possibly be 
>a banking website?  The user can easily sense this because the Use 
>Case says that the email claims to be from the user's bank.    If 
>the user's computer can somehow "read" the email header, it might 
>display a message saying "I sense that you are attempting to visit a 
>possible banking website.  However, it is possible that this is a 
>fraudulent website.  Would you like me to invoke Safe Browsing Mode 
>to prevent you from visiting a fraudulent site?"  The user could 
>respond, Yes or No.
>
>Some sort of artificial intelligence that could read and interpret 
>email headers might be needed, possibly triggered by certain 
>banking-like keywords or phrases in an email header.  I don't know 
>if such exists, or if it does, whether it is "ready for prime time" 
>and would produce reliable results.  But it might be one possible 
>answer to the dilemma of needing to educate users to do certain 
>things to protect themselves online.
>
>At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:
>
>>We have two sections in wsc-usecases that touch on education:
>>
>>http://www.w3.org/TR/wsc-usecases/#learning-by-doing
>>
>>http://www.w3.org/TR/wsc-usecases/#uniformity
>>
>>The first says that experience shows that while users learn, 
>>education does not consistently produce the results desired.
>>
>>The second cites one study that shows that education does not impact 
>>susceptibility to phishing. It's possible that Brustoloni's latest 
>>shows that as well:
>>
>>http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf 
>>is more hopeful, but shows no transfer to "realistic" behavior, in 
>>a study or in the wild.
>>
>>I gather from the discussions with the usability evaluation folks, 
>>they believe they can address education.
>>
>>Personally, I'm not a believer in direct education, mostly because 
>>no one's brought up a single data point where users were directly 
>>educated to do something, and did it, even when they had options 
>>that were more attractive for some reason (e.g. more familiar, 
>>easier).  All the promising anti phishing research makes sure that 
>>the secure option is the most attractive (or at least comparably attractive).
>>
>>On the other hand, I do believe that in circumscribed organizations, 
>>like the military and large companies, a system of education, 
>>reward, and punishment can be (and is) set up to change user 
>>behavior. I would again refer to 
>>http://www.acsa-admin.org/2002/papers/7.pdf 
>>as showing an upper bound on how successful that can be when the 
>>option is not the most attractive (order of 30% of the overall population).
>>
>>I would be more comfortable with an education use case if we said 
>>more somewhere about how we'll come to terms with it. Do the 
>>usability evaluation folks know how we'll do that?
>>
>>           Mez
>>
>>
>>
>>
>>
>>New Use Case for W3C WSC
>>Dan Schutzer to: public-wsc-wg
>>08/24/2007 07:52 AM
>>
>>Sent by: public-wsc-wg-request@w3.org
>>Cc:"'Dan Schutzer'"
>>
>>
>>
>>
>>----------
>>
>>
>>
>>I'd like to submit a new use case, shown below, that several of our 
>>members would like included. It looks for recommendations on how to 
>>educate customers who have fallen for a phishing email, and improve 
>>the type of response customers generally get today when they try to 
>>access a phishing site that has been taken down. I hope this is not 
>>too late for consideration.
>>
>>Use Case
>>
>>Frank regularly reads his email in the morning. This morning he 
>>receives an email that claims it is from his bank asking him to 
>>verify a recent transaction by clicking on the link embedded in the 
>>email. The link does not display the usual URL that he types to get 
>>to his bank's website, but it does have his bank's name in it. He 
>>clicks on the link and is directed to a phishing site. The phishing 
>>site has been shut down as a known fraudulent site, so when Frank 
>>clicks on the link he receives the generic Error 404: File Not 
>>Found page. Frank is not sure what has occurred.
>>Destination site: prior interaction, known organization
>>
>>Navigation: none
>>
>>Intended interaction: verification
>>
>>Actual interaction: was a phishing site that has been shut down
>>
>>Note: Frank is likely to fall for a similar phishing email. Is there some 
>>way to educate Frank this time, so that he is less likely to fall 
>>for the phishing email again?
>>
>>
>
>
>


Received on Friday, 24 August 2007 16:37:46 UTC
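An added example, not part of this thread and not code from the WSC working group, of the MUA-side heuristic Bob Pinheiro sketches above: scan the From and Subject headers for bank-like words, and, more usefully, check whether any link in the body claims to be the bank (bank name in the link text or URL) while its host is not one of the bank's real domains. That second check is exactly the pattern in Dan Schutzer's use case ("does not display the usual URL ... but it does have his bank's name in it"). Everything here is assumed: the hypothetical "Example Bank" and its domain `examplebank.com`, the keyword list, the naive two-label domain reduction, and the three constructed sample messages.

```python
"""Heuristic check for bank-like e-mail and mismatched bank links (illustrative, stdlib only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the thread: the user's bank is the hypothetical "Example Bank",
# its only real domain is examplebank.com, and these words mark bank-like headers.
KNOWN_BANK_DOMAINS = {"examplebank.com"}
BANK_NAME_TOKENS = ("examplebank", "example bank")
BANK_KEYWORDS = ("bank", "account", "verify", "transaction", "statement")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a dict: is the mail bank-like, is the sender the bank, which links mismatch."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    header_text = " ".join(str(msg.get(h, "")) for h in ("From", "Subject")).lower()
    keyword_hits = sorted(k for k in BANK_KEYWORDS if k in header_text)
    name_in_headers = any(t in header_text for t in BANK_NAME_TOKENS)
    bank_like = name_in_headers or len(keyword_hits) >= 2

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""

    # Collect links from the preferred body part (HTML first, else bare URLs in plain text).
    links = []
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(content)
            links = collector.links
        else:
            links = [(w, w) for w in content.split() if w.startswith(("http://", "https://"))]

    # A link is suspicious when it claims to be the bank but resolves to a non-bank domain.
    suspicious_links = []
    for href, text in links:
        host = urlparse(href).hostname or ""
        claims_bank = any(t in (href + " " + text).lower() for t in BANK_NAME_TOKENS)
        if claims_bank and registrable_domain(host) not in KNOWN_BANK_DOMAINS:
            suspicious_links.append({"href": href, "text": text, "host": host})

    return {
        "bank_like": bank_like,
        "keyword_hits": keyword_hits,
        "sender_domain": sender_domain,
        "sender_is_bank": sender_domain in KNOWN_BANK_DOMAINS,
        "suspicious_links": suspicious_links,
        # Bob's proposal: prompt to enter SBM whenever the mail merely looks bank-like.
        "recommend_sbm_prompt": bank_like,
    }


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.com>
To: frank@example.org
Subject: Please verify a recent transaction
Content-Type: text/html; charset="utf-8"

<html><body><p>A transaction on your account needs verification.</p>
<p><a href="http://examplebank.secure-login-check.net/verify">www.examplebank.com/verify</a></p>
</body></html>
"""

LEGIT = """\
From: "Example Bank" <notices@examplebank.com>
To: frank@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.examplebank.com/statements">Sign in at www.examplebank.com</a></p></body></html>
"""

PLAIN = """\
From: alice@example.org
To: frank@example.org
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("plain", PLAIN)):
        print(label, analyze(raw))
```

The keyword scan alone is what Bob proposes and it is noisy in both directions (it flags the legitimate statement notice too, and misses mail that avoids the words); the link-text versus href-host mismatch is the signal a practitioner would actually act on. Neither addresses Ian's point that the MUA usually just hands the URL to the OS, so a prompt raised here still has to get the URL into a browser that is in SBM mode.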