Shostack + Friends Blog Archive

 

More on Using Email Like a Stupid Person

[Update: A less in-your-face version is Preserving the Internet Channel Against Phishers.]

There have been lots of good comments, both here and over at Nielsen Hayden’s Making Light. There are a few points left dangling that I wanted to respond to further: the “ignore the marketing department” view and the “train the customer” view. Clifton Royston (who also points to the “Phish or Phair” comparison site) sums up the first as:

So, if I may sum up, all that is needed is: to individually convince the management of thousands of banks and financial institutions across the United States to entirely ignore their marketing departments (who want to send HTML mail) and pay attention only to security specialists

That’s certainly one way to look at it. I think that the management of most large institutions is aware of the phishing problem, and they, along with their marketing departments, know that they need to find a solution or risk losing the online channel. The alternative to solving the problem promptly is that more customers will do exactly what Eleanor does, and refuse to give an email address at all. So I don’t believe that this has to be “security versus marketing,” if security markets its suggestions better than by calling marketing stupid people.*

The other point raised is skepticism over my suggestion “Train your users to expect short and simple messages.” Several folks point out that training end-users is hard. They are entirely correct. What I meant is regular, repeated messaging like the following:

For your safety online please bookmark BigBank. We will never ask you to click on a link, or send you flashy email. We will send you short notes when we need to communicate with you, asking you to log in with your regular bookmark. Because con men have gotten so good at pretending to be us, we will always be brief and simple-looking.

Clearly, that wording could use some work, but that’s the essence of what I suggest. With repetition and reinforcement, we could see phishing fall off. I have no complete answer to Josh D’s point about Courier-formatted HTML mail, except, “Use your bookmarks, don’t click on links.”

One final question: I read somewhere an interesting analysis of Passmark usability. (Passmark’s idea is that the bank and you share a picture, which the real bank will show you when you’re about to log in. The core of the analysis was that that happens in enough different ways that an attacker may be able to game it.) Is this familiar to any readers, and if so, can you tell me where it was? I’ve searched and come up blank. [Jason Axley points to David Cowan].

* With 20:20 hindsight, that was a dumb title for my posts: Calling the people who need to change “stupid” is a stupid way to start.

3 comments on "More on Using Email Like a Stupid Person"

  • Asteroid says:

    A random technical hack for e-mail programs might be in order. If:

    • the mail contains a link tag
    • the text of that tag is a URL
    • the url in the text does not match the src attribute of the tag

    then scream like hell. Not even close to a full solution, but it would sure help.
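The three-condition check from the comment above, sketched as an added example (not code from the post or from the commenter). It reads the link target from the anchor's href attribute, which is where HTML puts it, and compares hostnames only; the function names, the URL pattern and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that itself looks like a URL or bare hostname (simplified pattern, an assumption).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#]\S*)?$", re.I)

def _host(url):
    """Lower-cased hostname of a URL; scheme-less text is parsed as if it were http."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""

class LinkMismatchFinder(HTMLParser):
    """Collects (displayed_text, href) for anchors whose text names a different host."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown = "".join(self.text).strip()
            # Exact host comparison: strict on purpose, so www.x and x count as different.
            if URL_LIKE.match(shown) and _host(shown) != _host(self.href):
                self.mismatches.append((shown, self.href))
            self.href = None

def find_mismatched_links(html):
    finder = LinkMismatchFinder()
    finder.feed(html)
    finder.close()
    return finder.mismatches

# Constructed sample message body; all hosts are reserved example names and addresses.
SAMPLE = """<p>Dear customer,</p>
<a href="https://www.bigbank.example/login">https://www.bigbank.example/login</a>
<a href="http://login.bigbank.example.attacker.test/">www.bigbank.example</a>
<a href="http://www.bigbank.example@203.0.113.7/x">http://www.bigbank.example/</a>
<a href="https://news.example.org/">Read our newsletter</a>"""
```

On the sample, the second and third links are flagged; the first (text and target agree) and the fourth (text is not a URL) are not, which is why this check says nothing about links with ordinary wording.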

  • Jason Axley says:

    Adam, it was here that you saw that analysis of passmark:
    http://whohastimeforthis.blogspot.com/2005/07/easy-pickings-for-bank-robbers.html

    I’ve done my own analysis of the technology from what is publicly known
    about it and I think that it has several problems to overcome. The
    “acting unpredictably” by design part adds to the problems significantly.
    A fun future problem that I foresee with Passmark is brute force spoofing
    of browser “identification” to avoid Passmark’s step-up authentication.
    Regards,
    -Jason

  • “Preserving the Internet Channel Against Phishers”

    I’ve updated the concepts first presented in “Don’t Use Email Like a Stupid Person” and “More on Using Email Like A Stupid Person,” to make them more palatable to readers. The new short essay is “Preserving the Internet Channel…
