RE: New Use Case for W3C WSC

Actually it does exist today for some email clients

 

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
Behalf Of Bob Pinheiro
Sent: Friday, August 24, 2007 12:35 PM
To: public-wsc-wg@w3.org; Ian Fette
Subject: Re: New Use Case for W3C WSC

 

Yes, there well may be an issue with users invoking SBM before clicking a
link in their email.  That's why I proposed that one alternative might be to
remove that issue by making the user's computer (email client? browser?)
"smart" enough to sense that when an email might potentially be from a bank,
the browser could prompt the user and ask if SBM should be invoked.  So I am
assuming some sort of "intelligent" link between the email client and the
browser, with the email client triggering the browser to invoke a procedure
for prompting the user to invoke SBM based on some keywords or phrases in
the email header.  But is that so wrong?   It may not exist today - all I am
suggesting is that it might be one avenue to consider (and not necessarily
by this group) as a way to prevent users from visiting fraudulent banking
sites by clicking on email links if they haven't first invoked SBM.   But
this is getting of the beaten track, I guess......

At 11:55 AM 8/24/2007, Ian Fette wrote:



This is going to rapidly take me down a divergent path, but I shall follow
said path anyways.





One of the biggest problems I have with SBM is invocation. You can't really
expect users to invoke SBM before clicking a link in their email, because
when they're reading their email their browser might not even be open
(except for all the wonderful gmail users out there ;-). But seriously, when
you click on a link in Thunderbird or Outlook or Lotus Notes or whatever it
is that you use to read email, that email program just knows that it's
supposed to open that link in a browser (sometimes... if it has no clue, it
might just shellexecute the URL and let the OS figure out what to do with
it). Either way, unless the default browser is set to "Browser with SBM Mode
Turned On", links from email are going to get loaded in non-SBM mode. 

So, let's now go back to your response. Let's say that the user is educated
enough to understand that SBM should be invoked before visiting any banking
websites. (I personally find this a troublesome assumption, but let's run
with it). Is the user then supposed to start a web browser, enter SBM mode,
and then cut and paste the link from their email? That's a usability
disaster, and I doubt anyone would actually figure out that those steps were
required. Even if a user opens a browser and starts SBM, clicking on a link
in an email program would very likely just start a new browser window
(probably without SBM enabled... and when a user is in SBM mode, do you
really want links from external programs to be able to clobber the current
window?).  In my mind, we're heading for a usability disaster here. 

Further, in your use case below, you're assuming a strong tie-in between a
user's MUA (email client) and their browser, which is often not the case. In
some cases the two are strongly tied together, but in many cases when an
email client gets a URL and the user clicks on it, it just throws the URL to
the operating system and says "deal with it". And we're already well down
the path of suggesting extensions to MUAs (email clients) to do machine
learning to detect possible bank-like emails, and I fear this is getting way
out of scope of the WG... 

On 8/24/07, Bob Pinheiro <Bob.Pinheiro@fstc.org> wrote:

I think there may be a tie-in here with Safe Browsing Mode.  Suppose the
user is educated enough to understand that SBM should be invoked before
visiting any banking websites.  Then upon seeing the email, the user should
invoke SBM before clicking on the apparent banking link.  If that is done,
then instead of displaying the ERROR 404 message, the user should see
whatever is displayed by SBM when the user attempts to visit a non-safe
website.  

But if it is true that "education does not consistently produce the results
desired", then there may be numerous times when even users who are aware of
SBM do not actually invoke it when they should; that is, before visiting
banking websites.  So a question worth asking might be: can a user's browser
be made "smart" enough to sense that a website that the user wants to visit
might possibly be a banking website?  The user can easily sense this because
the Use Case says that the email claims to be from the user's bank.    If
the user's computer can somehow "read" the email header, it might display a
message saying "I sense that you are attempting to visit a possible banking
website.  However, it is possible that this is a fraudulent website.  Would
you like me to invoke Safe Browsing Mode to prevent you from visiting a
fraudulent site?"  The user could respond, Yes or No.  

Some sort of artificial intelligence that could read and interpret email
headers might be needed, possibly triggered by certain banking-like keywords
or phrases in an email header.  I don't know if such exists, or if it does,
whether it is "ready for prime time" and would produce reliable results.
But it might be one possible answer to the dilemma of needing to educate
users to do certain things to protect themselves online.  

At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:




We have two sections in wsc-usecasee that touch on education: 

http://www.w3.org/TR/wsc-usecases/#learning-by-doing

http://www.w3.org/TR/wsc-usecases/#uniformity

The first says that experience shows that while users learn, education does
not consistently produce the results desired. 

The second cites on study that shows that education does not impact
susceptability to phishing. It's possible that Brustoloni's latest shows
that as well: 

http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more hopeful,
but shows no transfer to "realistic" behavior, in a study or in the wild. 

I gather from the discussions with the usability evaluation folks, they
believe they can address education. 

Personally, I'm not a believer in direct education, mostly because no one's
brought up a single data point where users were directly educated to do
something, and did it, even when they had options that were more attrractive
for some reason (e.g. more familiar, easier).  All the promising anti
phishing research makes sure that the secure option is the most attractive
(or at least comparably attractive). 

On the other hand, I do believe that in circumscribed oganizations, like the
military and large companies, a system of education, reward, and punishment
can be (and is) set up to change user behavior. I would again refer to
http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper bound on how
successful that can be with the option is not the most attractive (order of
30% of the overall population). 

I would be more comfortable with an education use case if we said more
somewhere about how we'll come to terms with it. Do the usability evaluation
folks know how we'll do that? 

          Mez





[] 

New Use Case for W3C WSC

Dan Schutzer to: public-wsc-wg

08/24/2007 07:52 AM

 

Sent by:  <mailto:public-wsc-wg-request@w3.org> public-wsc-wg-request@w3.org


Cc:"'Dan Schutzer'"




  _____  





I'd like to submit a new use case, shown below, that several of our members
would like included. It looks for recommendations on how to educate
customers who have fallen for a phishing email, and improve the type of
response customers generally get today when they try to access a phishing
site that has been taken down. I hope this is not too late for
consideration.

Use Case

Frank regularly reads his email in the morning. This morning he receives an
email that claims it is from his bank asking him to verify a recent
transaction by clicking on the link embedded in the email. The link does not
display the usual URL that he types to get to his bank's website, but it
does have his bank's name in it. He clicks on the link and is directed to a
phishing site. The phishing site has been shut down as a known fraudulent
site, so when Frank clicks on the link he receives the generic Error 404:
File Not Found page. Frank is not sure what has occurred.

Destination site 

prior interaction, known organization

Navigation 

none

Intended interaction 

verification

Actual interaction 

Was a phishing site that has been shut down

Note

 

Frank is likely to fall for a similar phishing email. Is there some way to
educate Frank this time, so that he is less likely to fail for the phishing
email again? 

 

 


Content-Type: image/jpeg; name=9faa15.jpg
Content-ID: <7.1.0.9.0.20070824105938.01b6d470@bobpinheiro.com.1>
X-Attachment-Id: 0.1
Content-Disposition: inline; filename="9faa15.jpg"

 

Received on Friday, 24 August 2007 17:13:21 UTC