
December 04, 2009


Randy Abrams

Hi Michael,

You state "Because of our status, we're also often used as an example of whatever particular idea an individual security researcher is arguing for."

The fact is that many in the security community advocate not having links in email from financial entities, or many online services.

Yes, a small percentage will still click on the link. There isn't a 100% solution, but if you can make a significant impact then it is often worth it. That's where cost comes into play.
HTTPS is encryption, not security. The bad guys sometimes use HTTPS. It is a false sense of security if a user is taught to believe that HTTPS=Legitimate.

"(“Log on, go to your transaction history page, scroll forward three pages, go to the transaction three quarters of the way down the page …”)"

I suspect that most users looking at transaction details are looking for very recent ones that appear near the top of their page in most cases. There are other solutions, such as giving transactions a unique identifier and allowing a search function. Yeah, security is often a bit less convenient, but sometimes it's the right thing to do.

I agree that the false positive on the email was a fairly harmless error. Completely harmless in my case, but it could be troubling and confusing to a technically naive user. I too am far less worried about the false positive rate than the false negative rate, but it does illustrate the point of the challenges of teaching users to spot a real phish. You have a highly sophisticated system written by experts that uses rules to identify real and fake phishes. If this system makes a few mistakes, imagine how many mistakes normal users are going to make. That's why I advocate teaching behavior over identification. The simple behavior is don't click on links to financial institutions and other online accounts. A blanket rule that a legitimate PayPal email never contains a link reinforces the behavioral education and makes it much simpler to understand for the normal user.


Very interesting!

You say "we’ve researched it extensively.." Can you say more about what research means in this context? If I recall correctly, your phishing paper presents a rigorous analysis of the problem, but doesn't present a lot of empirical data.

Did you do controlled user studies to see if your conclusions held, at least in test situations?

Randy Abrams

A correction...

You state:

"We have indeed done a number of things around consumer education. Our first rule – which Mr. Abrams indeed followed – “forward uncertain PayPal e-mails to [email protected]” is generally a very good one."

I did not follow this advice. I did not submit a suspicious email. I submitted a known legitimate email to PayPal and commented that it had problems.
