Email users getting more Paranoid?

I read an article today about email & phishing, and I’m actually heartened by the same news that the reporter seems to take as pessimistic:
Is it ‘lights out’ for e-mail?

It says that, according to the MailFrontier Phishing IQ Test, email users can correctly identify phishing attempts 82% of the time. They also report that users falsely identify “legitimate” email as a phishing attempt 48% of the time. [Note that this is based on a set of “test” emails, not on the test subjects’ own email inboxes.]

While the writer (Anne Bonaparte, CEO of MailFrontier) seems to believe this means that people’s use of email may be on the decline, I think this is a sign that people are finally treating email as they should: not unlike other forms of spontaneous contact from the outside world.

My wife even forwarded me an email yesterday that looked pretty phishy – an invitation to join a market research survey group, sent by some third party on behalf of Microsoft. Having worked there, my read of it is that it actually *was* legit – I’ve seen plenty of feedback over the years on these marketing-driven email campaigns that – despite all of the good security practices being preached inside Microsoft – still end up looking like a security threat/spam/phishing attempt (when really they’re just poorly-thought-out third-party mass-mailings). No harm done, just a little twinge on the Paranoid-o-meter, and I really think that’s a good thing.

If someone you’d never met came up to your door, claimed to be from the IRS and wanted to come in and see your house, would you immediately believe them? What if you got a piece of mail that said it was from your bank and that you had to leave your ATM card and PIN in a mailslot at some odd address?

I for one am glad that people are getting more skeptical about the stuff that floods their inboxes. I live a great deal of my time in my inbox, and I have gotten pretty good at sniffing out illegitimate contact among the hundreds of messages I receive every week. [Fifteen years of jealously guarding my online privacy and trust will do that to a fellow I guess.] I’m glad that others are taking a healthier attitude towards unsolicited email, and I hope this means that they’re wising up that just because someone says something doesn’t immediately make it true.

Personally, I think that people are a little too trusting of people in positions (or illusions) of authority – often believing outright the claims of news reporters, people in uniform, political figures and other “strangers” just because they have the look and mannerisms (or the claimed position) of authority. I will defer to legitimate authority as much as is wise in this day and age (I am a Canadian living in the US, after all), but it disturbs me to think that people around me would have believed any claim that winds up in their inbox.

I think it has to do with the magical nature of computers (for most people) – they don’t know how they work, they don’t understand how fallible the people are that create the hardware & software, and just how riddled with flaws and humanity these whirring beasts really are. It’s like when I tell people about how insecure all the banks are for whom I’ve worked – it shocked me at the first one, and became expected by the third, and now I understand just how thin the ice is on which our finances skate.

Same with email, and thankfully as people have more exposure to it, and see more and more what the latest news report says about what you can and can’t trust, they are starting to see through to the other side of that thin ice, and are treading more carefully.

So what if you delete a few legitimate emails? Your life will rarely end if you don’t get that message – most people, next time they meet up, will nearly always say “Did you get my email?” anyway. Or they’ll re-send the email if they haven’t heard back. Or they too will forget about what they sent, as there’ve been another 200 emails (spam, phishing, and real communications) since the time they sent that email you might’ve inadvertently (or intentionally?) deleted.

It’s a big world, and no email is an island. Especially the ones that promise you a free vacation on one.

P.S. I scored 60% on the Phishing IQ Test II, so what do I know?

InfoCard – how is this different (in function, not in form) from MS Wallet, Passport and/or any of the dozens of "form filler" applications?

Microsoft to flash Windows ID cards

I’m trying to understand what the heck “new” is being offered here…

  1. InfoCard will install a secure “store” (which can contain identity and payment info, among other things) on your PC.
  2. I presume that the whole InfoCard “store” will be password-protected (as is de rigueur for consumers, even in these heady days of security), though perhaps they’ll offer the option of integrating things like the MS Fingerprint Reader, a smart card or some form of USB smart device [for those few consumers who actually care enough about security to bother with all the hassle this’d bring].
  3. Presumably you’ll be asked to input each of your credentials and your credit card information into the software.
  4. When a user then visits an online service that asks for InfoCard-compatible versions of either (a) one of the authentication credentials the user has stored in their InfoCard “store” and/or (b) payment information, the user will be prompted for their InfoCard “master password” (hopefully every time their InfoCard store is about to give out this information), and then the InfoCard store will use whatever Web Services communications protocols to securely communicate the consumer’s information to the site.

What is so revolutionary about this, you might ask? Compare this to the typical “form filler application”:

  1. The form filler app installs a secure “store” (to contain identity and payment info) on your PC.
  2. The form filler app asks you to establish a “master password” to protect anything it adds to its “store”.
  3. You’re asked by the form filling application whether you wish to add any creds it’s just observed you type (into a web form) into its secure “store”. You can also pre-fill identity information (one or more sets) into the form filler app, to be auto-filled later into web forms.
  4. When a user then visits an online service that asks for either (a) one of the authentication credentials the user added to the app’s “store” and/or (b) payment information, the user is prompted for their “master password” [which can then be cached for a specified period of time], and the browser then submits this information to the web site using whatever communication protocols were established (usually, SSL/TLS).
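To make the master-password mechanics in steps 2 and 4 concrete (and the difference between prompting on every release and caching the unlock for a period), here is a toy credential store written for this post. It is not InfoCard, MS Wallet, or any real form filler’s code; the cipher is a demo construction (PBKDF2-derived keys, an HMAC-SHA256 keystream and an HMAC tag) standing in for the AES-GCM a real product would use, and the `clock` parameter is an assumption added so the cache timeout can be tested without waiting.

```python
"""Toy master-password credential store (added example, not code from any real product).

Models the form-filler flow: one encrypted store, a master password that
unlocks it, an unlock that is either single-use (prompt every time) or
cached for a TTL, and a release step that refuses while the store is locked.
Demo cipher only: HMAC-SHA256 keystream + HMAC tag in place of AES-GCM.
"""
import hashlib
import hmac
import os
import time


class StoreLocked(Exception):
    """Raised when a credential is requested without a valid unlock."""


def _derive_keys(password, salt):
    # PBKDF2-HMAC-SHA256, 64 bytes: first half encrypts, second half authenticates.
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    # Counter-mode keystream built from HMAC (demo stand-in for a real block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _seal(enc_key, mac_key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag  # encrypt-then-MAC


def _open(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CredentialStore:
    def __init__(self, master_password, clock=time.monotonic):
        self._salt = os.urandom(16)
        self._clock = clock          # injectable clock (assumption, for testing the TTL)
        self._keys = None            # None means locked
        self._expires = 0.0
        self._single_use = False
        enc, mac = _derive_keys(master_password.encode(), self._salt)
        # Known-plaintext check blob lets unlock() detect a wrong password.
        self._check = _seal(enc, mac, b"master-password-check")
        self._entries = {}

    def unlock(self, master_password, cache_seconds=0.0):
        """cache_seconds=0 -> one operation per prompt; >0 -> unlock cached for that long."""
        enc, mac = _derive_keys(master_password.encode(), self._salt)
        try:
            _open(enc, mac, self._check)
        except ValueError:
            raise ValueError("wrong master password") from None
        self._keys = (enc, mac)
        self._single_use = cache_seconds <= 0
        self._expires = self._clock() + cache_seconds

    def lock(self):
        self._keys = None
        self._expires = 0.0

    def _require_unlocked(self):
        expired = (not self._single_use) and self._clock() > self._expires
        if self._keys is None or expired:
            self.lock()
            raise StoreLocked("master password required")
        keys = self._keys
        if self._single_use:
            self.lock()  # prompt-every-time mode: consume the unlock
        return keys

    def add(self, site, secret):
        enc, mac = self._require_unlocked()
        self._entries[site] = _seal(enc, mac, secret.encode())

    def release(self, site):
        """Hand back the stored secret for a site; fails if locked or expired."""
        enc, mac = self._require_unlocked()
        return _open(enc, mac, self._entries[site]).decode()
```

In single-use mode every `add` or `release` consumes the unlock, which is the behaviour hoped for in the InfoCard description above; `cache_seconds` gives the form-filler behaviour, where a cached master password keeps releasing credentials until the timeout lapses.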

So as near as I can tell, the InfoCard user experience for web surfing fundamentally boils down to the Web Services “format” for communicating this sensitive information from consumer to web site.

Colour me skeptical. Sure, in a few years, most web sites will have one or more Web Services communications & security engines built into them, and by that time, the pressure for “current” approaches to communicating this information consistently & securely will be heightened. However, I guess I’m not clear on what InfoCard buys the consumer (who presumably will have to adopt this technology in droves) *today* over and above the current “good enough” approaches for storing & communicating this information – and until there’s a clear consumer benefit, watch people not bother in droves. [I’m sure *I’ll* download it as soon as it hits the web and play around with it, but I’m still a bit “sick in the head” with my love for trying the new stuff out…]

As well, I’m not sure what will compel the web services application vendors, and their customers (the web application programmers and architects) to adopt the Microsoft “InfoCard” approach over the growing number of identity-integration technologies that are becoming available. [Or maybe under the hood, “InfoCard” is just a friendly name for an implementation of a WS-*-compliant client, and any server that speaks WS-* will be immediately capable of interpreting the output from the InfoCard client…]

You know what would be a brilliant integration? If this were wired in tightly with the MSN Toolbar, so that its form-filling feature could adapt over time to add these capabilities without requiring the MSN consumers to adopt yet *another* piece of technology, at ever-decreasing return-on-effort.

I’m also intrigued by the promised integration of X.509 creds into the InfoCard client – will this be natively interoperable (integrated) with the current CAPI store of X.509 creds already available in Windows? Will this make X.509 more accessible to consumers, without watering down the benefits of “strong authN” to the point where it’s really no better than a password or an email address? And, are they considering integration with RMS and their XrML-based identity assertions (which are the more logical entry point for Web Services, if only because an RMS “account certificate” already uses XrML to format the identity “message”)?

There’s a bit more detail (including mention of the “WinFX” dependency of the InfoCard client) here.

Bottom line: This is something to keep an eye on for your B2C projects, but I’ll continue to seek out additional authentication & identity technologies for the enterprise space until I get a stronger understanding of this…