Friday, April 25, 2008

Phishing Scams - What's Old is New Again

The amazing thing about crime is that criminals continue to perpetuate the same old scams, with remarkably good results, time and again.


I just finished reading "The Rescue Artist" this morning - the story of the recovery of Munch's "The Scream" after its theft from an Oslo museum in 1994. It's a good read. But what stands out is the number of times criminals have perpetrated exactly the same crime against exactly the same asset, with outstanding results.

An example: The most valuable paintings shown in Russborough House, a private gallery outside of Dublin, have been stolen four times in twenty years - from exactly the same hooks on the wall. No doubt the police and insurers have advised the owners several times as to the weaknesses in their systems. Yet the crimes keep being committed.

Like other security companies, Authentium has a number of antiphishing partners and approaches, including interception and user education. The challenge seems to be that as far as user education is concerned, the lure of gain will ensure the crimes keep on being committed, over and over again.

Case in point: Today, I received an email from The Camelot Group PLC, Operators of "The Uk National Lottery" (note lower case "k"), informing me that I have won over $1.2m.

Reading through the phishing email, I had the feeling that I was viewing an extremely amateurish "first time" output of a phishing kit. The obvious grammatical issues and bad use of cut and paste stood out like beacons.

But even though it reeked of a scam, I knew that someone somewhere was busy sending in their personal details to the hackers. Half a million pounds is a lot of money. Which is why this stuff keeps working, and will continue to keep working for years to come.

Note: We have a new beta phishing interception approach scheduled for release on May 22nd that will provide users with a much better feedback mechanism than currently exists. Stay tuned.

Saturday, April 12, 2008

UAC Is Not Terrible

David Cross, a product guy at Microsoft, today came out and admitted what all of us Vista users already know - UAC was designed to be annoying.

But let me buck the trend here for a second. I don't think UAC is anywhere near the devil people are making it out to be.

Sure, there are things about Vista that I don't like (does the redesigned folder hierarchy drive anyone else nuts?), but I'm actually a fan of the UAC, and as a power user - someone who uses more than five apps for more than five hours a day - I get to see a lot of it.

Here's why I'm a fan: as a warning system, it works. When UAC is in focus, you can't miss it. It forces you to make decisions. It talks to you using language that I think is well-chosen for users at any level:

Don't run this program unless you know where it's from, or you've used it before.

In my experience, user interfaces rarely include instructions that are this well thought-out, in terms of conveying precisely what the user needs to consider in their action.

I'd love to know who came up with this line. I wish all UIs could contain instructions this clear. Unfortunately, few do. Most are written by people with far too much knowledge of how their systems work. Most UIs interface badly.

Many moons ago, long before co-founding Authentium, I got a grounding in user interface design working with the extremely smart folks at KRDL in Singapore, then MIT's sister lab in Asia. A lot of folks were extremely generous with their knowledge there, and over the course of being around them, I got a lot of advice and also got handed a lot of papers from over thirty years of research into UIs.

Much of the research in the area of user interface design over the past thirty years is well summed up in the book "The Media Equation". This book is a masterpiece of simplification when it comes to user interaction with machines, and its authors boiled the results down to a few simple findings:

* Users prefer bigger displays over smaller displays
* Users prefer active video over inactive video
* Users like interacting with video using graphic displays
* Users prefer menu hierarchies that visually reflect the importance of each level
* Users rely on audio for narrative, video for context (users hate discontinuous audio)

On the subject of trusted user interfaces, UAC does almost everything right. It presents itself as a global, or overarching, warning system (the most effective kind of warning - as with the severe weather alerts we get in Palm Beach, you are forced to pay attention); it presents a clear and logical explanation of what the user should consider in taking their next action; it presents a limited number of options; it disables screen capture and outside manipulation of the control while the prompt is displayed; and the frequency of display is entirely up to developers.
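The protections listed above map onto a handful of Windows policy settings, and a defender can check whether a machine still has them in place. The script below is an added example for this post, not code from the original or from Authentium: it reads the documented UAC policy values (EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser, all under the Policies\System key) and reports when the prompt has been weakened. The warning thresholds and the Get-UacPosture function name are this example's own choices.

```powershell
# Added example (not from the original post): audit the UAC policy values that
# back the behaviour the post describes. The registry path and value names are
# the documented Windows UAC policy settings; the interpretation is ours.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPosture {
    param([string]$Path = $uacKey)
    $p = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        # 1 = UAC is on at all; 0 means every process runs with the full token
        UacEnabled          = ($p.EnableLUA -eq 1)
        # 1 = elevation prompts are drawn on the secure desktop, which is what
        # stops other processes from capturing or driving the consent dialog
        SecureDesktopPrompt = ($p.PromptOnSecureDesktop -eq 1)
        # 0 = administrators elevate silently, i.e. the "warning system" never fires
        AdminPromptBehavior = $p.ConsentPromptBehaviorAdmin
        # 0 = standard users are refused elevation outright; 1/3 = prompt for credentials
        UserPromptBehavior  = $p.ConsentPromptBehaviorUser
    }
}

$posture = Get-UacPosture
$posture | Format-List

# Flag the settings that remove the properties the post credits UAC with.
if (-not $posture.UacEnabled) {
    Write-Warning 'UAC is disabled (EnableLUA=0): no prompts at all'
}
if (-not $posture.SecureDesktopPrompt) {
    Write-Warning 'Prompts are not on the secure desktop: the dialog can be captured or manipulated'
}
if ($posture.AdminPromptBehavior -eq 0) {
    Write-Warning 'Administrators elevate without a prompt (ConsentPromptBehaviorAdmin=0)'
}
```

Run it from an elevated or a standard PowerShell session; reading the key does not require elevation. The per-application side of "frequency is up to developers" lives in the application manifest (the requestedExecutionLevel element), which is why a well-behaved program that never needs administrator rights should never trigger the prompt at all.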

I know I'm going to get emails from friends and colleagues on this, but given the amount of increasingly bad malware out there, I personally think UAC was a smart inclusion for the world's most widely-distributed operating system.

Now, about those folder icons... ;-)

Note: One of my favorite stories about the relative importance of video and audio in user interface design for narrative media involves Thai kick boxing. Once, in Vietnam for WorldSpace, I met a man who told me about makeshift village cinemas that were being run up-country in Laos - primarily so people could keep up with the latest kick-boxing champions.

He described a shack with a dirt floor and the snowy screen of a black and white television in one corner - a television that was running off a bank of car batteries. He said that often the video reception was so poor you could barely make out the participants at all - but, he said, so long as the audio was clear, people would not demand their money back.