On Wed, 29 Nov 2006, Larry Seltzer wrote:

> >>> We (PCMag) tell them if they get an e-mail from a vendor or a bank or
> >>> whatever and they're curious about it to go to the site through their
>
> > Not good enough. You're putting the burden on the user - you're
> > expecting her to be curious about it, and why should she?
>
> They're really separate issues, aren't they? The question is what does
> the user do if a suspicious e-mail makes it through to their inbox. They
> have to make a decision.

There's this question - how does a user decide whether an email is suspicious?

> >>> normal bookmark or by typing in the URL and to check their account on
> >>> the site that way.
>
> > That's good advice. Do you also tell them, if that doesn't reveal a
> > problem, that they shouldn't then click on the link in the email? Or
> > do you regard that as too obvious to mention?
>
> We say never click on links in e-mails from merchants/banks, etc.
> Instead go to the web site through your bookmarks, etc.

That's good

> > You might be able to ascertain that with 99% certainty, but Aunty Gi
> > can't. She should tell her bank that all communications with her should be on paper.
>
> > The problem is, the banks aren't sophisticated enough to use computers to
> > communicate with their customers.
>
> Aunty Gi may end up not being able to access her accounts online for a
> few days because of such a policy.

I would tell Aunty Gi not to access her accounts online.

> There are things banks can do to authenticate themselves in e-mail. A
> message I got from Bank of America last night, notifying me of a direct
> deposit into an account, was individually addressed to me by name and
> e-mail address, identified the account by the last four digits of the
> account number, and all of the information in it could be confirmed by
> logging into the account through other means. There were no links in the
> message except to standard landing pages like www.bankofamerica.com.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
> _______________________________________________

Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
