As Ping points out in his blog, there are two steps in a typical phishing attack: first the email message, then the website. So when the end-user clicks on the link to the website, (s)he has already accepted an authority twice. Unfortunately for us, the authority of the phisher...
People being people and all end-users being dumb ;) we now have a steep mountain to climb to win back the user's trust. Milgram not only raised the issue that Ping is describing here, but also points us to a solution, as he found out that when the immediacy of the victim was increased, compliance decreased. Therefore we are only faced with establishing a higher authority to the end-user than the one of the phisher, in a way that can't be imitated.

The KISS solution (Keep It Simply Stupid) to getting this message across in the GUI is:

1/ Use a funky background and font colour: GMail uses a white font on a red background.
2/ Use sound: An authoritative voice telling the end-user "SECURITY WARNING! You are being ripped off!"
3/ Use animation: An animated GIF of a wallet being drained of money.
4/ All of the above :)

Fabrizio

"Florian Weimer" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> * Frank Hecker:
>
> > I thought this was an interesting blog post, with obvious implications
> > for the issue of warning dialogs in Firefox, Thunderbird, etc.
> >
> > http://usablesecurity.com/2005/07/19/obedience-to-authority/
>
> This is certainly a problem. The more significant issue (and I
> believe it's been raised multiple times on this list) is that
> all-too-common security warnings are not effective at all because
> users tend to increase their productivity by blindly clicking away
> warnings.
>
> Even Emacs' yes-or-no-p quickly becomes equivalent to y-or-n-p, at
> least in my experience.

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security