Fabrizio Marana wrote:
> As Ping points out in his blog, there are two steps in a typical phishing
> attack: first the email message, then the website.  So when the end-user
> clicks on the link to the website, (s)he has already accepted an authority
> twice.  Unfortunately for us, the authority of the phisher...

I have found that many end users misinterpret the purpose of the dialogs
that ask them whether to continue or stop.  They completely fail to
understand that the message is:

   We're giving you a chance to protect yourself from a potential bad guy

and instead interpret the message as

   If you want to continue to do the thing you wanted to do, you must
   jump through this hoop by pressing "continue" now.

IOW, they totally fail to comprehend WHY this "hoop" exists.  They have
no perception that they are being protected from potential evil by this.

I found that users think that the browser is asking them to do something,
and they obediently do what it asks.  It says "press continue" and so
they do.

This is not just a browser problem.  There are firewall products that
attempt to stop previously unknown and unapproved programs from accessing
the internet.  They pop up dialogs for such programs, asking the user
whether to allow the program to proceed or not.  Many users always
approve everything, out of a sense of obedience.  The "master" (computer)
holds up the hoop and says "jump boy", and they jump.

I think this is a UI problem.  Perhaps if the buttons were labelled
   "Take me to the bad guy anyway"
   "protect me from this bad guy"
they'd get it.

> People being people and all end-users being dumb ;) we now have a steep
> mountain to climb to win back the user's trust.

Win back?  I don't think we've lost any trust.

> The KISS solution (Keep It Simply Stupid) to getting this message across in
> the GUI is:
> 
> 1/ Use a funky background and font colour: GMail uses a white font on a red
> background.
> 
> 2/ Use sound: An authoritative voice telling the end-user "SECURITY WARNING!
> You are being ripped off!"
> 
> 3/ Use animation: An animated GIF of a wallet being drained of money.
> 
> 4/ All of the above

  Two buttons:  "rip me off", "protect me from the rip off"

would undoubtedly change user responses.

-- 
Nelson B
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security