Re: New Use Case for W3C WSC

I don't know what version of Outlook you're using, or how you have it
configured, but I just launched Outlook 2003 and set up a mail account
(painful), clicked on an email, it had a http:// link, I clicked on it, and
up popped Firefox with that page. So I don't really know what you mean by
"an alt control sequence or clicking on a bar" - I just clicked the link and
it worked. Perhaps there's a problem with your configuration?

(I could install Office 2007 and try it out in the newer version of Outlook,
but I really don't have a great desire to spend my time doing that.)

On 8/24/07, Dan Schutzer <dan.schutzer@fstc.org> wrote:
>
>  I don't know if your assumptions are correct. I use Outlook and today
> when I get embedded links in my email, I am unable to open the link without
> going through an alt control sequence or clicking on a bar in the email
> chrome. So, I am already doing something like what has been described, and
> so are I suppose most of the current Outlook users.
>
>
>
> Dan
>
>
>  ------------------------------
>
> *From:* public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
> *On Behalf Of *Ian Fette
> *Sent:* Friday, August 24, 2007 11:56 AM
> *To:* Bob Pinheiro
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: New Use Case for W3C WSC
>
>
>
> This is going to rapidly take me down a divergent path, but I shall follow
> said path anyways.
>
> One of the biggest problems I have with SBM is invocation. You can't
> really expect users to invoke SBM before clicking a link in their email,
> because when they're reading their email their browser might not even be
> open (except for all the wonderful gmail users out there ;-). But seriously,
> when you click on a link in Thunderbird or Outlook or Lotus Notes or
> whatever it is that you use to read email, that email program just knows
> that it's supposed to open that link in a browser (sometimes... if it has no
> clue, it might just shellexecute the URL and let the OS figure out what to
> do with it). Either way, unless the default browser is set to "Browser with
> SBM Mode Turned On", links from email are going to get loaded in non-SBM
> mode.
>
> So, let's now go back to your response. Let's say that the user is
> educated enough to understand that SBM should be invoked before visiting any
> banking websites. (I personally find this a troublesome assumption, but
> let's run with it). Is the user then supposed to start a web browser, enter
> SBM mode, and then cut and paste the link from their email? That's a
> usability disaster, and I doubt anyone would actually figure out that those
> steps were required. Even if a user opens a browser and starts SBM, clicking
> on a link in an email program would very likely just start a new browser
> window (probably without SBM enabled... and when a user is in SBM mode, do
> you really want links from external programs to be able to clobber the
> current window?).  In my mind, we're heading for a usability disaster here.
>
> Further, in your use case below, you're assuming a strong tie-in between a
> user's MUA (email client) and their browser, which is often not the case. In
> some cases the two are strongly tied together, but in many cases when an
> email client gets a URL and the user clicks on it, it just throws the URL to
> the operating system and says "deal with it". And we're already well down
> the path of suggesting extensions to MUAs (email clients) to do machine
> learning to detect possible bank-like emails, and I fear this is getting way
> out of scope of the WG...
>
> On 8/24/07, *Bob Pinheiro* <Bob.Pinheiro@fstc.org> wrote:
>
> I think there may be a tie-in here with Safe Browsing Mode.  Suppose the
> user is educated enough to understand that SBM should be invoked before
> visiting any banking websites.  Then upon seeing the email, the user should
> invoke SBM before clicking on the apparent banking link.  If that is done,
> then instead of displaying the ERROR 404 message, the user should see
> whatever is displayed by SBM when the user attempts to visit a non-safe
> website.
>
> But if it is true that "education does not consistently produce the
> results desired", then there may be numerous times when even users who are
> aware of SBM do not actually invoke it when they should; that is, before
> visiting banking websites.  So a question worth asking might be: can a
> user's browser be made "smart" enough to sense that a website that the user
> wants to visit might possibly be a banking website?  The user can easily
> sense this because the Use Case says that the email claims to be from the
> user's bank.    If the user's computer can somehow "read" the email header,
> it might display a message saying "I sense that you are attempting to visit
> a possible banking website.  However, it is possible that this is a
> fraudulent website.  Would you like me to invoke Safe Browsing Mode to
> prevent you from visiting a fraudulent site?"  The user could respond, Yes
> or No.
>
> Some sort of artificial intelligence that could read and interpret email
> headers might be needed, possibly triggered by certain banking-like keywords
> or phrases in an email header.  I don't know if such exists, or if it does,
> whether it is "ready for prime time" and would produce reliable results.
> But it might be one possible answer to the dilemma of needing to educate
> users to do certain things to protect themselves online.
>
> At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote:
>
>
>  We have two sections in wsc-usecases that touch on education:
>
> http://www.w3.org/TR/wsc-usecases/#learning-by-doing
>
> http://www.w3.org/TR/wsc-usecases/#uniformity
>
> The first says that experience shows that while users learn, education
> does not consistently produce the results desired.
>
> The second cites one study that shows that education does not impact
> susceptibility to phishing. It's possible that Brustoloni's latest shows
> that as well:
>
> http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf is more
> hopeful, but shows no transfer to "realistic" behavior, in a study or in the
> wild.
>
> I gather from the discussions with the usability evaluation folks, they
> believe they can address education.
>
> Personally, I'm not a believer in direct education, mostly because no
> one's brought up a single data point where users were directly educated to
> do something, and did it, even when they had options that were more
> attractive for some reason (e.g. more familiar, easier).  All the
> promising anti phishing research makes sure that the secure option is the
> most attractive (or at least comparably attractive).
>
> On the other hand, I do believe that in circumscribed organizations, like
> the military and large companies, a system of education, reward, and
> punishment can be (and is) set up to change user behavior. I would again
> refer to http://www.acsa-admin.org/2002/papers/7.pdf as showing an upper
> bound on how successful that can be when the option is not the most
> attractive (order of 30% of the overall population).
>
> I would be more comfortable with an education use case if we said more
> somewhere about how we'll come to terms with it. Do the usability evaluation
> folks know how we'll do that?
>
>           Mez
>
>
>
>
> *New Use Case for W3C WSC*
> *Dan Schutzer *to: public-wsc-wg
>
> 08/24/2007 07:52 AM
>
>
> Sent by:*public-wsc-wg-request@w3.org*
> Cc:"'Dan Schutzer'"
>
>
>  ------------------------------
>
>
>
>
> I'd like to submit a new use case, shown below, that several of our
> members would like included. It looks for recommendations on how to educate
> customers who have fallen for a phishing email, and improve the type of
> response customers generally get today when they try to access a phishing
> site that has been taken down. I hope this is not too late for
> consideration.
>
> *Use Case*
>
> Frank regularly reads his email in the morning. This morning he receives
> an email that claims it is from his bank asking him to verify a recent
> transaction by clicking on the link embedded in the email. The link does not
> display the usual URL that he types to get to his bank's website, but it
> does have his bank's name in it. He clicks on the link and is directed to a
> phishing site. The phishing site has been shut down as a known fraudulent
> site, so when Frank clicks on the link he receives the generic Error 404:
> File Not Found page. Frank is not sure what has occurred.
>
> *Destination site:* prior interaction, known organization
>
> *Navigation:* none
>
> *Intended interaction:* verification
>
> *Actual interaction:* was a phishing site that has been shut down
>
> *Note:* Frank is likely to fall for a similar phishing email. Is there some way to
> educate Frank this time, so that he is less likely to fall for the phishing
> email again?
>
>
>
>
>
>
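As an added illustration of the "smart" link check Bob Pinheiro sketches for Dan Schutzer's use case (example code written for this page, not from the WSC working group or any mail client): a heuristic that flags a link when the message or the link itself names the user's bank but the link's host is not one the user normally uses. The bank allowlist, sender addresses and message text are constructed placeholders, and the message is assumed to be single-part text/plain.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Hypothetical allowlist: bank keyword -> host names the user really uses.
# Constructed for this example only.
KNOWN_BANKS = {
    "examplebank": {"www.examplebank.example", "online.examplebank.example"},
}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def bank_mentions(text):
    """Return the bank keywords that occur in the text (case-insensitive)."""
    low = text.lower()
    return {bank for bank in KNOWN_BANKS if bank in low}


def classify_links(raw_email):
    """Return (url, verdict) for every http(s) link in a plain-text message.

    'ok'        : a bank is named and the host is on that bank's allowlist
    'suspect'   : a bank is named (in headers, body or the link) but the host
                  is not one the user uses for that bank (Frank's case)
    'unrelated' : nothing in the message or link names a known bank
    """
    msg = message_from_string(raw_email)
    body = msg.get_payload()          # assumes a single-part text message
    context = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    mentioned = bank_mentions(context)
    results = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        banks = mentioned | bank_mentions(host)
        if not banks:
            results.append((url, "unrelated"))
        elif any(host in KNOWN_BANKS[b] for b in banks):
            results.append((url, "ok"))
        else:
            results.append((url, "suspect"))
    return results


# Constructed sample message modelled on the use case: the bank's name is in
# the link, but the host is not the one Frank normally types.
SAMPLE = """From: "ExampleBank Security" <alerts@examplebank-notice.example>
To: frank@example.net
Subject: Please verify your recent ExampleBank transaction

Frank, please confirm the transaction at
http://examplebank.verify-account.example/login
or read our policy at https://www.examplebank.example/security
"""
```

Running `classify_links(SAMPLE)` marks the first link "suspect" and the second "ok"; a mail client could use the "suspect" verdict to offer the SBM prompt Bob describes instead of handing the URL straight to the OS.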

Received on Friday, 24 August 2007 17:21:34 UTC