If you force your users to go through procedures that could be fraudulent, then fraudsters will use those same procedures.
Some cases to illustrate this.
Flash Player. For many years Flash Player has popped up windows on people's screens, encouraging us to click "here" to get the latest, safest version. The obvious problem is that most people cannot tell that window from one produced by a spurious web page, pointing to a completely different site that contains malware. Don't force me to click "here", for crying out loud!
Microsoft's "unusual activity." I recently took a quick trip across the border into the next country. Microsoft noted that my mail account now was updated from another location 50 km away from home, which seemed suspicious to them. They sent me a mail to my iPhone saying that to "help keep you safe, we've blocked access to your inbox, contacts list, and calendar." And "To regain access, you'll need to confirm that the recent activity was yours." And to do that, I should click "here," following a link that led far away onto a web page that might or might not be spoofed, where I was supposed to enter my password. I'm pretty sure it was them. The link pointed to eur01.safelinks.protection.outlook.com, which redirected (!) to live.com, and I'm fairly sure both of those URLs belong to Microsoft. But I was not willing to take the risk, so I stopped using MS Mail temporarily, until I got back home and could securely sign in on a laptop to a URL I knew I could trust. Don't make me click "here"!
Apple's Calendar. I used to sync my macOS Calendar application with my Google Calendar - a fairly convenient thing to do. After the latest update, however (macOS 10.14.4), I got a notification telling me that I need to update my Google password in Safari. So I am supposed to click "here" on the notification to open System Preferences, where I get another "here" that leads to a secret URL, which I do not even see, in a browser I never use, and where I never configured the security to my liking. I wearily click "here," and Safari displays a window where the address bar is hidden, so I cannot easily see which URL I have accessed, unless I take some more steps. There are so many shady new things here, with links leading to places I have not been before. I can take time to verify each step and make sure everything is legitimate, and I would have to spend probably half an hour before being perfectly sure. Honestly, I prefer to switch off the sync. Don't make me click "here"!
Each of those procedures, in which big companies encourage users to naively click "here" without any guarantee that the links are safe, makes it easier for hackers to convince people to click "here" in their own malware windows.
Don't, please, don't, make us click "here"!
(In the examples above, the actual label on the button or URL is not always literally "here," but that is its meaning.)
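The Safe Links detour in the Microsoft example (a link on one vendor host that redirects to another) is exactly the situation where a defender wants to know the destination before clicking. The script below is an added example, not code from this post or from Microsoft: it reads the wrapper's destination parameter offline instead of following the redirect, then checks the final host against an allowlist the user already trusts, refusing look-alike hosts and plain-HTTP sign-in pages. The `url=` parameter is the convention Safe Links wrappers use; the allowlist and the sample links are constructed for illustration (the `data=PLACEHOLDER` value stands in for the opaque token a real wrapper carries).

```python
"""Inspect where a "click here" link actually leads before following it.

Added example (not from the post): unwraps link-rewriting redirectors such as
Microsoft's Safe Links by reading their destination parameter, then checks the
final host against hosts the user already trusts. The allowlist and the sample
links below are constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Hosts the user would accept as genuinely the vendor's. Constructed for the
# example; a real list comes from the vendor's documented sign-in addresses,
# never from the mail that asks you to click.
TRUSTED_HOSTS = {"live.com", "outlook.com", "microsoft.com"}

# Redirector hosts that carry the real destination in a query parameter.
# Safe Links uses "url"; the host suffix is the one named in the post.
WRAPPER_HOSTS = {"safelinks.protection.outlook.com": "url"}

MAX_HOPS = 5  # give up if wrappers are nested absurdly deep


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def unwrap(url: str) -> Optional[str]:
    """Resolve wrapper URLs offline by reading their destination parameter.

    Returns the final non-wrapper URL, or None if a wrapper carries no readable
    destination (then the user cannot know where it goes without clicking).
    """
    for _ in range(MAX_HOPS):
        host = hostname(url)
        param = next((p for suffix, p in WRAPPER_HOSTS.items()
                      if host == suffix or host.endswith("." + suffix)), None)
        if param is None:
            return url  # not a known wrapper: this is the real destination
        dest = parse_qs(urlparse(url).query).get(param)
        if not dest:
            return None
        url = dest[0]  # parse_qs has already percent-decoded the value
    return None


def is_trusted_host(host: str) -> bool:
    """Exact or subdomain match only: 'live.com.example.net' must NOT pass."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def classify(url: str) -> Tuple[str, str]:
    """Return (final_url, verdict); verdict is 'trusted', 'untrusted' or 'unreadable'."""
    final = unwrap(url)
    if final is None:
        return "", "unreadable"
    if urlparse(final).scheme != "https":
        return final, "untrusted"  # never type a password into a plain-HTTP page
    return final, "trusted" if is_trusted_host(hostname(final)) else "untrusted"


# Constructed sample links in the shape of the ones described in the post.
SAMPLES = [
    # wrapper around a genuine sign-in host
    "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flogin.live.com%2Flogin.srf%3Fwa%3Dwsignin1.0&data=PLACEHOLDER&reserved=0",
    # wrapper around a look-alike host that merely starts with "live.com"
    "https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flive.com.example.net%2Fconfirm&data=PLACEHOLDER&reserved=0",
    # wrapper with no readable destination at all
    "https://eur01.safelinks.protection.outlook.com/?data=PLACEHOLDER&reserved=0",
    # right host, but not HTTPS
    "http://login.live.com/login.srf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        final, verdict = classify(sample)
        print(f"{verdict:10} {final or '(no readable destination)'}")
```

The point of the suffix check in `is_trusted_host` is the one the post makes implicitly: a host that merely begins with a trusted name is the kind of thing a spoofed "click here" page relies on, so only exact or proper-subdomain matches count, and anything the wrapper does not expose stays "unreadable" rather than being clicked on faith.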
