Archive for December, 2018

Inviting Phishing: Stop Training People to Be Fooled

Sunday, December 2nd, 2018

As we try to tighten up our computer systems, in 2018, phishing feels like one of the most dangerous things. Sure, getting someone to open a dangerous attachment that exploits a PDF bug (is there an infinite supply?) is a problem, but let’s imagine users running on such tight systems that dangerous attachments are no longer a problem. Phishing won’t be over.

People will still be fooled by crooks, and if a crook walks up to you in nose glasses and politely asks for the keys to your car you might think something is funny. You do expect give your car keys to strangers, but you expect these people to be, say, the mechanic at the car repair, or the parking valet at the restaurant. The point is if you initiate the transaction (you go to get your car fixed, you go out to eat), the transaction is much safer. In contrast, if a stranger approaches you and volunteers to be a mechanic or valet, you are less likely to fall for it.

We should apply that to computer credentials. If I decide to go to website tuklever.com, it is reasonable for me to then type my TuKlever login credentials. But if some website claiming to be tuklever.com approaches me (via e-mail), why should I hand it my password (aka my “car keys”)? I shouldn’t.

A powerful way to avoid a lot of phishing attempts is:

Never (never ever) type credentials because someone else supplied you with a link, possibly in an e-mail.

Instead, if the link looks good, login to that website manually (type a trusted URL by hand, use a bookmark you typed by hand). Now log in. Now try that link in the e-mail–and if you are asked for another password, don’t do it.

This logic applies in other circumstances, too. Get a call from our credit card company about a suspicious transaction?, and that professional sounding voice asks for verification information from you? Say no, ask what it is about, say you will call back. Call what number? The number the voice on the phone gives you? No! Call the number on the back of your credit card. Same idea as the website example.

Back to my headline: We train people to do the dangerous thing.

  • Employees frequently get real e-mail from, say, HR, that includes links to, say, the new payroll system, and click and type in sensitive information.
  • For years now American Express has been sending me e-mails that include links to click on and an invitation fo type a password.
  • Other credit card companies–fraud departments even–have called me and expected me to give them identifying information.

In each of these cases we are conditioning people to do the dangerous thing. In each of these cases the safe thing to do and the normal thing to do are different. Do we really expect people to rock-the-boat, and refuse to log into the new payroll system, and not get paid?

No. We expect people to be phished, and we are training them for that.

I realize there is a heresy in what I am saying. I am implying that user behavior matters, that how we condition users matters. I am a hairsbreadth from suggesting that user education is a good thing! Horrors, the first step down the slippery slope of blaming the user for bad system design. Next thing you know I’ll make a snide remark about some celebrity caught on live camera entering the PIN 000000.

-kb

©2018 Kent Borg