11 Mar 2008

Why teach a man to be phished?

Author: will | Filed under: BlogTalk 2008, Cork, information loss, Irish Blog Week, movie, multiple profiles, social media, social network, Social Network Portability

When you teach a man to be phished, he learns not to be alone. This is what happens on a lot of social networking sites. It was also the subject of a breakout session at the WebCamp Social Network Portability part of BlogTalk 2008 in Cork suggested by Stephanie Booth. Be warned, there will be name dropping ahead.

The entire genesis of the subject was the realisation by Leisa Reichelt that the way social networking sites ask you for your e-mail account details and password resembles a phishing attempt to get your banking or credit card details. In short, they are asking for highly sensitive details which people seem a little too happy to hand over. In doing so they are encouraging irresponsible behaviour, and with it identity theft.

Is there a responsible solution to this? Aral Balkan suggested that the solution may lie with an open source approach: namely, that a third party checks the code used to collect the details in question and ensures its security. The main problem with this approach is that while you can ensure that the data is collected correctly, there is no guarantee that the company collecting the details will be responsible with them once collected. Gabriela Avram explained her dealings, and problems, with Shelfari. Similarly, if a site collects 1,000 e-mail addresses there is no guarantee that it won’t spam them.

The root of the problem is that if you hand over your username and password, they (whoever “they” are) can interact with your account as you. A guest account may be a solution.

Oddly enough, it appears that this type of solution already exists. OAuth is an open protocol which allows a subset of your data to be made available, in a guest-account style of approach. Or you can try out the “let me take a look at your e-mail addresses” type of action by letting only 2 or 3 addresses be seen by the other site, and then see whether the site abuses those addresses.

But this way, the new site never gets the password for the other site. So if any action takes place, it is not the site performing actions as you. So it's a little more secure.

And more to the point, you aren’t training users to be phished.
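To make the contrast concrete, here is an added toy model (not code from the post, and not a real OAuth implementation) of the two ways an import site can reach your address book: a handed-over password, which lets it do everything as you, versus a scoped, limited, revocable grant in the guest-account spirit. All class, scope and address names are hypothetical.

```python
import secrets  # added example, not the post's code; all names below are hypothetical
ALL_SCOPES = {"contacts:read", "mail:send", "password:change"}

class MailProvider:
    def __init__(self):
        self.accounts = {}  # user -> {"password": str, "contacts": [str]}
        self.grants = {}    # token -> {"user", "scopes", "limit", "revoked"}

    def add_account(self, user, password, contacts):
        self.accounts[user] = {"password": password, "contacts": list(contacts)}

    def login(self, user, password):
        """Password anti-pattern: whoever holds the password gets every scope, unlimited."""
        if self.accounts.get(user, {}).get("password") != password:
            raise PermissionError("bad credentials")
        return self._grant(user, ALL_SCOPES, None)

    def issue_token(self, user, scopes, limit=None):
        """Guest-account pattern: the user delegates only chosen scopes and a subset."""
        return self._grant(user, set(scopes) & ALL_SCOPES, limit)

    def _grant(self, user, scopes, limit):
        token = secrets.token_urlsafe(16)
        self.grants[token] = {"user": user, "scopes": scopes, "limit": limit, "revoked": False}
        return token

    def revoke(self, token):  # one grant dies; a shared password must be changed everywhere
        self.grants[token]["revoked"] = True

    def _check(self, token, scope):
        g = self.grants.get(token)
        if g is None or g["revoked"] or scope not in g["scopes"]:
            raise PermissionError(f"access denied for {scope}")
        return g

    def read_contacts(self, token):
        g = self._check(token, "contacts:read")
        contacts = self.accounts[g["user"]]["contacts"]
        return contacts[:g["limit"]] if g["limit"] else list(contacts)

    def send_mail(self, token, to):  # returns whose name the mail goes out under
        return self._check(token, "mail:send")["user"]

def third_party_import(provider, token):
    """What an import site can do with what it was handed: (contacts seen, sent mail as)."""
    contacts = provider.read_contacts(token)
    try:
        return contacts, provider.send_mail(token, "everyone@example.invalid")  # constructed
    except PermissionError:
        return contacts, None
```

With the password the site sees every contact and can mail as the user; with a three-contact read-only grant it sees three addresses, cannot send anything, and loses even that once the grant is revoked.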

But if you would like to send me your bank or credit card details; feel free to e-mail them to me.

take care,
Will


4 Responses to “Why teach a man to be phished?”

  1. Jure Cuhalev Says:

    Just a quick note that a few days ago Google released their Contacts API, which in large part solves the ‘password part’ of the phishing anti-pattern – http://code.google.com/apis/contacts/ for @gmail accounts.

    But it doesn’t help with the ‘who do I want to mail it to’ part of the problem.

  2. BlogTalk 2008 Summary at Cloudlands Says:

    [...] at; see also Mark’s vidcast), Salim Ismail, Stephanie Booth (1 , 2; thanks for the videos!), Will Knott, Phil Whitehouse (1, 2), Jure Cuhalev, Jan Schmidt, Donncha O Caoimh, Sven Latham, Ben Ward, and [...]

  3. Climb to the Stars (Stephanie Booth) » Flickr and Dopplr: the Right Way to Import GMail Contacts Says:

    [...] their e-mail). It’s high time for design to encourage responsible behaviour instead. As the discussion at WebCamp shows, we all agree that solutions need to be [...]

  4. Orange Link nous demande nos mots de passe: pas au point! — Climb to the Stars Says:

    [...] to their e-mail). It’s high time for design to encourage responsible behaviour instead. As the discussion at WebCamp shows, we all agree that solutions need to be [...]