Stop End-Users Before They Click Again on Risky Websites

You may need to wait a minute for another sucker to be born, but you can find one anytime you want online.

In a recent MIT-Harvard study to determine online gullibility, 36 percent of test subjects logged in to their online bank accounts despite being presented with a strong warning page saying that their bank site’s security certificate was not valid. Not one person noticed when HTTPS, the secure form of HTTP, was stripped away—they offered up their passwords anyway.

More On Cybercrime

How You Can Fight Cybercrime

How the Mob uses IT

What Adult and Gaming Sites Can Teach You About Innovation

A Brief History of Cybercrime

Although our instincts tell us that better education might have saved these users from themselves, there is a growing consensus among researchers that education will never stop many people from clicking when they shouldn’t. The problem, says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University, is one of focus. “When people go online, they are focused on other things besides security,” he says. “They want to pay their bills online or talk to their friends. People don’t pay attention to security clues online.” Even when, as in the MIT-Harvard study, they are reminded to pay attention to warnings.

Meanwhile, the kind of information that lulls victims into a false sense of security is still widely available online. In a 2005 study, Jakobsson was easily able to find the Social Security numbers and mothers’ maiden names of millions of Texans online. “When the e-mail comes with your mother’s maiden name already in there, it’s a lot easier to click,” he says.

So what to do? Some suggest issuing new passwords through small electronic fobs called tokens each time someone logs in to a site, or requiring account holders to verify withdrawals via a cell phone call. But both solutions are costly, complex and potentially inconvenient to customers. The best answer may be to relieve home computer users of responsibility for computer security.

Already, some ISPs are offering security software as part of their subscription pricing, judging that the extra cost is more than balanced out by reducing the risks they face from the pipe-clogging spam and malware. With 2.4 million unsecured broadband connections in the United States today, according to Consumer Reports, it may be time for the IT industry to face that consumers will never close the security gap by themselves. To the extent that end-user companies could be liable for their customers’ inaction, they need to weigh the risk of leaving the responsibility for managing security in the hands of customers who may never do it adequately.