- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Fri, 24 Aug 2007 14:21:33 -0400
- To: Dan Schutzer <dan.schutzer@fstc.org>
- CC: "'Bob Pinheiro'" <Bob.Pinheiro@fstc.org>, public-wsc-wg@w3.org
Are you now saying that SBM will invoked for *all* non-EV signed email messages? Because then you've just turned SBM on its head: SBM gets turned on for mostly non-banking-related URLs, if we assume that all the banks will get EV certificates (which I'm not willing to concede). serge Dan Schutzer wrote: > If the email is signed by a special EV type certificate, the email client > can easily be smart enough to distinguish. And the user can be blocked from > accessing the link unless they type an SBM sequence. No AI is needed. > > It is extremely hard to distinguish from the content, especially since many > phishers now resort to images in order to escape content filters. > > -----Original Message----- > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On > Behalf Of Bob Pinheiro > Sent: Friday, August 24, 2007 1:55 PM > To: Serge Egelman; public-wsc-wg@w3.org > Subject: Re: New Use Case for W3C WSC > > > You seem to be saying that if a user's email client is smart enough > to determine whether an email *may* be from a bank, then the email > client can be made smart enough to actually distinguish between real > banking emails and fake ones. I'm not sure why one would necessarily > follow from the other. Do you have any papers/links that would > explain how this works? Thx. > > At 01:21 PM 8/24/2007, Serge Egelman wrote: >> The issue is, if the software is intelligent enough to think that the >> message *may* be from a bank (and do this with a low enough false >> positive rate that users don't ignore it), then why not just >> automatically filter out the phishing message? Based on studies we've >> done with phishing detection, if a message can be categorized as being >> bank-related (either from a bank or a phishing message) or all other >> mail, it's then fairly straightforward to make a distinction between >> real bank messages and phishing messages. At that point we can alert >> the user to the phishing message fairly effectively. This is why I >> don't think the SBM mode is practical. >> >> serge >> >> Bob Pinheiro wrote: >>> Yes, there well may be an issue with users invoking SBM before clicking >>> a link in their email. That's why I proposed that one alternative might >>> be to remove that issue by making the user's computer (email client? >>> browser?) "smart" enough to sense that when an email might potentially >>> be from a bank, the browser could prompt the user and ask if SBM should >>> be invoked. So I am assuming some sort of "intelligent" link between >>> the email client and the browser, with the email client triggering the >>> browser to invoke a procedure for prompting the user to invoke SBM based >>> on some keywords or phrases in the email header. But is that so >>> wrong? It may not exist today - all I am suggesting is that it might >>> be one avenue to consider (and not necessarily by this group) as a way >>> to prevent users from visiting fraudulent banking sites by clicking on >>> email links if they haven't first invoked SBM. But this is getting of >>> the beaten track, I guess...... >>> >>> At 11:55 AM 8/24/2007, Ian Fette wrote: >>>> This is going to rapidly take me down a divergent path, but I shall >>>> follow said path anyways. >>>> One of the biggest problems I have with SBM is invocation. You can't >>>> really expect users to invoke SBM before clicking a link in their >>>> email, because when they're reading their email their browser might >>>> not even be open (except for all the wonderful gmail users out there >>>> ;-). But seriously, when you click on a link in Thunderbird or Outlook >>>> or Lotus Notes or whatever it is that you use to read email, that >>>> email program just knows that it's supposed to open that link in a >>>> browser (sometimes... if it has no clue, it might just shellexecute >>>> the URL and let the OS figure out what to do with it). Either way, >>>> unless the default browser is set to "Browser with SBM Mode Turned >>>> On", links from email are going to get loaded in non-SBM mode. >>>> >>>> So, let's now go back to your response. Let's say that the user is >>>> educated enough to understand that SBM should be invoked before >>>> visiting any banking websites. (I personally find this a troublesome >>>> assumption, but let's run with it). Is the user then supposed to start >>>> a web browser, enter SBM mode, and then cut and paste the link from >>>> their email? That's a usability disaster, and I doubt anyone would >>>> actually figure out that those steps were required. Even if a user >>>> opens a browser and starts SBM, clicking on a link in an email program >>>> would very likely just start a new browser window (probably without >>>> SBM enabled... and when a user is in SBM mode, do you really want >>>> links from external programs to be able to clobber the current >>>> window?). In my mind, we're heading for a usability disaster here. >>>> >>>> Further, in your use case below, you're assuming a strong tie-in >>>> between a user's MUA (email client) and their browser, which is often >>>> not the case. In some cases the two are strongly tied together, but in >>>> many cases when an email client gets a URL and the user clicks on it, >>>> it just throws the URL to the operating system and says "deal with >>>> it". And we're already well down the path of suggesting extensions to >>>> MUAs (email clients) to do machine learning to detect possible >>>> bank-like emails, and I fear this is getting way out of scope of the >>>> WG... >>>> >>>> On 8/24/07, *Bob Pinheiro* <Bob.Pinheiro@fstc.org >>>> <mailto:Bob.Pinheiro@fstc.org>> wrote: >>>> >>>> I think there may be a tie-in here with Safe Browsing Mode. >>>> Suppose the user is educated enough to understand that SBM should >>>> be invoked before visiting any banking websites. Then upon seeing >>>> the email, the user should invoke SBM before clicking on the >>>> apparent banking link. If that is done, then instead of >>>> displaying the ERROR 404 message, the user should see whatever is >>>> displayed by SBM when the user attempts to visit a non-safe > website. >>>> But if it is true that "education does not consistently produce >>>> the results desired", then there may be numerous times when even >>>> users who are aware of SBM do not actually invoke it when they >>>> should; that is, before visiting banking websites. So a question >>>> worth asking might be: can a user's browser be made "smart" enough >>>> to sense that a website that the user wants to visit might >>>> possibly be a banking website? The user can easily sense this >>>> because the Use Case says that the email claims to be from the >>>> user's bank. If the user's computer can somehow "read" the >>>> email header, it might display a message saying "I sense that you >>>> are attempting to visit a possible banking website. However, it >>>> is possible that this is a fraudulent website. Would you like me >>>> to invoke Safe Browsing Mode to prevent you from visiting a >>>> fraudulent site?" The user could respond, Yes or No. >>>> >>>> Some sort of artificial intelligence that could read and interpret >>>> email headers might be needed, possibly triggered by certain >>>> banking-like keywords or phrases in an email header. I don't know >>>> if such exists, or if it does, whether it is "ready for prime >>>> time" and would produce reliable results. But it might be one >>>> possible answer to the dilemma of needing to educate users to do >>>> certain things to protect themselves online. >>>> >>>> At 08:25 AM 8/24/2007, Mary Ellen Zurko wrote: >>>> >>>>> We have two sections in wsc-usecasee that touch on education: >>>>> >>>>> http://www.w3.org/TR/wsc-usecases/#learning-by-doing >>>>> >>>>> http://www.w3.org/TR/wsc-usecases/#uniformity >>>>> >>>>> The first says that experience shows that while users learn, >>>>> education does not consistently produce the results desired. >>>>> >>>>> The second cites on study that shows that education does not >>>>> impact susceptability to phishing. It's possible that >>>>> Brustoloni's latest shows that as well: >>>>> >>>>> http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf >>>>> is more hopeful, but shows no transfer to "realistic" >>>>> behavior, in a study or in the wild. >>>>> >>>>> I gather from the discussions with the usability evaluation >>>>> folks, they believe they can address education. >>>>> >>>>> Personally, I'm not a believer in direct education, mostly >>>>> because no one's brought up a single data point where users >>>>> were directly educated to do something, and did it, even when >>>>> they had options that were more attrractive for some reason >>>>> (e.g. more familiar, easier). All the promising anti >>>>> phishing research makes sure that the secure option is the >>>>> most attractive (or at least comparably attractive). >>>>> >>>>> On the other hand, I do believe that in circumscribed >>>>> oganizations, like the military and large companies, a system >>>>> of education, reward, and punishment can be (and is) set up >>>>> to change user behavior. I would again refer to >>>>> http://www.acsa-admin.org/2002/papers/7.pdf as showing an >>>>> upper bound on how successful that can be with the option is >>>>> not the most attractive (order of 30% of the overall >>>>> population). >>>>> >>>>> I would be more comfortable with an education use case if we >>>>> said more somewhere about how we'll come to terms with it. Do >>>>> the usability evaluation folks know how we'll do that? >>>>> >>>>> Mez >>>>> >>>>> >>>>> >>>>> >>>>> [] >>>>> New Use Case for W3C WSC >>>>> Dan Schutzer to: public-wsc-wg >>>>> 08/24/2007 07:52 AM >>>>> >>>>> Sent by: public-wsc-wg-request@w3.org >>>>> <mailto:public-wsc-wg-request@w3.org> >>>>> Cc:"'Dan Schutzer'" >>>>> >>>>> >>>>> >>>>> >> ------------------------------------------------------------------------ >>>>> >>>>> >>>>> I'd like to submit a new use case, shown below, that several >>>>> of our members would like included. It looks for >>>>> recommendations on how to educate customers who have fallen >>>>> for a phishing email, and improve the type of response >>>>> customers generally get today when they try to access a >>>>> phishing site that has been taken down. I hope this is not >>>>> too late for consideration. >>>>> >>>>> Use Case >>>>> >>>>> Frank regularly reads his email in the morning. This morning >>>>> he receives an email that claims it is from his bank asking >>>>> him to verify a recent transaction by clicking on the link >>>>> embedded in the email. The link does not display the usual >>>>> URL that he types to get to his bank's website, but it does >>>>> have his bank's name in it. He clicks on the link and is >>>>> directed to a phishing site. The phishing site has been shut >>>>> down as a known fraudulent site, so when Frank clicks on the >>>>> link he receives the generic Error 404: File Not Found page. >>>>> Frank is not sure what has occurred. >>>>> Destination site >>>>> >>>>> prior interaction, known organization >>>>> Navigation >>>>> >>>>> none >>>>> Intended interaction >>>>> >>>>> verification >>>>> Actual interaction >>>>> >>>>> Was a phishing site that has been shut down >>>>> Note >>>>> >>>>> Frank is likely to fall for a similar phishing email. Is >>>>> there some way to educate Frank this time, so that he is less >>>>> likely to fail for the phishing email again? >>>>> >>>>> >>>> >>>> >>>> Content-Type: image/jpeg; name=9faa15.jpg >>>> Content-ID: <7.1.0.9.0.20070824105938.01b6d470@bobpinheiro.com.1> >>>> X-Attachment-Id: 0.1 >>>> Content-Disposition: inline; filename="9faa15.jpg" >>>> >>> >> -- >> /* >> Serge Egelman >> >> PhD Candidate >> Vice President for External Affairs, Graduate Student Assembly >> Carnegie Mellon University >> >> Legislative Concerns Chair >> National Association of Graduate-Professional Students >> */ > > > > > > > > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Friday, 24 August 2007 18:22:40 UTC