RE: New Use Case for W3C WSC

Indeed.  But solution difficulty shouldn't be a factor in determining
the validity of a use case or requirement.
 
Fwiw I don't think the problem is intractable.  For instance, a list of
takedown URLs could be maintained & published by appropriate law
enforcement authorities, which browsers would consult to determine
whether to display an educational page instead of the standard 403
error.
 
Mike

  _____  

From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Ian Fette
Sent: Friday, August 24, 2007 10:26 AM
To: public-wsc-wg@w3.org
Subject: Re: New Use Case for W3C WSC


The problem is that it's difficult (perhaps impossible) to, in the
browser, distinguish between "This was a phishing site and now it's
gone" and "This is just a page that's not here". It's possible that the
URL has made it on to a blacklist, in which case then the browser might
have this information, but dead URLs are not always maintained on
blacklists...


On 8/24/07, Timothy Hahn <hahnt@us.ibm.com> wrote: 


	Dan,
	
	FWIW, I like the use case below.  It points out an opportunity
	for educating people as they traverse to something that has been
	addressed (or so it appears) by "someone/thing out there".  The current
	status-quo is that they receive an error that is indistinguishable from
	something they get if they, themselves, did something wrong (like
	mis-type a URL).
	
	Regards, 
	Tim Hahn
	IBM Distinguished Engineer
	
	Internet: hahnt@us.ibm.com
	Internal: Timothy Hahn/Durham/IBM@IBMUS
	phone: 919.224.1565     tie-line: 8/687.1565
	fax: 919.224.2530

From: "Dan Schutzer" <dan.schutzer@fstc.org>
To: <public-wsc-wg@w3.org>
Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
Date: 08/24/2007 07:50 AM
Subject: New Use Case for W3C WSC

  _____  

	
	
	
	I'd like to submit a new use case, shown below, that several of
	our members would like included. It looks for recommendations on how to
	educate customers who have fallen for a phishing email, and improve the
	type of response customers generally get today when they try to access a
	phishing site that has been taken down. I hope this is not too late for
	consideration.

	Use Case

	Frank regularly reads his email in the morning. This morning he
	receives an email that claims it is from his bank asking him to verify a
	recent transaction by clicking on the link embedded in the email. The
	link does not display the usual URL that he types to get to his bank's
	website, but it does have his bank's name in it. He clicks on the link
	and is directed to a phishing site. The phishing site has been shut down
	as a known fraudulent site, so when Frank clicks on the link he receives
	the generic Error 404: File Not Found page. Frank is not sure what has
	occurred.

	Destination site: prior interaction, known organization
	Navigation: none
	Intended interaction: verification
	Actual interaction: Was a phishing site that has been shut down
	Note: Frank is likely to fall for a similar phishing email. Is there
	some way to educate Frank this time, so that he is less likely to fall
	for the phishing email again?

Received on Thursday, 30 August 2007 21:57:16 UTC