Battle Bazaar Blog

Battle Bazaar.net Developer / Designer Blog

What if there were a way to dramatically cut phishing?

clock October 10, 2011 09:25 by author DaveB

I was looking at two fake e-mails today -- one from someone purporting to be Trion (Rift) who spelled World with two V's, and another pretending to be Blizzard. While the e-mail was caught, I saw a heuristic that is so simple -- that I can't believe it's not already implemented.

So there's this link, right? And it's an anchor element in the HTML version of the message. Now here's the check:

Does whatever is inside the anchor look like a URL?

What they're doing is putting the real URL as the text in the anchor (http://battlebazaar.net), but then putting a different URL (http://battlebazaar.net.x=some-other-site.someother-tld.fake/string-o-garbage) in the href of the anchor. This makes it so the URL shown in the e-mail is the real one, and when you click, that real-looking prefix is what's displayed in the leftmost part of the address bar. Now, I've previously stated that web browsers should provide a separate box for the host, domain and path -- because doing so would greatly help with the phishing problem (most people don't understand how the hostname or path work -- those are just magic values -- so split them off so that the part they *do* generally understand is visible).

But what I'm going to say is this. There should never be a time, ever, where there's a URL pattern as text in a link and clicking that URL takes you anywhere other than what the text says. And so any message that ever has that pattern (an anchor element where the text is a URL pattern, http://whatever, www.whatever, etc.) and where the href doesn't match, should be deleted automatically. That simple step would go a long way (and splitting the address bar into three pieces -- host, domain and path as three separate bars -- would help even more).



OpenID and Yahoo

clock June 30, 2009 16:27 by author DaveB

Just FYI,

With Yahoo and several other providers, you can just enter the provider's address (yahoo.com, for example) as your OpenID, and it will redirect to Yahoo and prompt you for credentials.  This is a good feature if you want to use their long, obfuscated identifiers -- but don't want to remember them.  If you have multiple valid identifiers, it will let you pick which one to send back to the site.




Something Never to Do – courtesy of GE Money Bank’s Website

clock December 21, 2008 07:28 by author DaveB

I know it might seem like a good idea to whoever is designing your web page, but do not ever, for any reason, use the ubiquitous lock icon and put next to it “This site is secure.”  Think about it for a minute – if you don’t get “why shouldn’t I do this,” then keep reading.

Let's say I am a phisher, and pretend that I am trying to fool users into clicking my link.  Where is the one place they can safely look to be 99.97% sure that they have reached a secure site and, more importantly, have reached your site in particular?  The lock icon, built into the browser.  On Internet Explorer 7 and 8, it’s shown up at the top of the window like this (many other browsers follow this same pattern as well):

[image]

That tells me that I am hitting gemoney.com.  It gives me an icon I can click on to see who thinks it is General Electric Company, like so:

[image]

Additionally, the bar changed color to tell me that it is an EV certificate, issued to corporations such as banks, and that it met the requirements set forth for those kinds of certificates.

Now, here’s what you should never ever do coming up:

[image]

Just to show how safe it is:

“This site is secure”

Instead, what they should have there is, roughly:

“Look for the lock icon on your browser address or status bar, to be certain you are connected to our website.  On newer web browsers, the address bar should be green and should identify us as “General Electric Company.””

Do not duplicate, in the web page, the browser UI that identifies whether a site is secure.  When you do that, it makes it easier to lure users into submitting information to a fake website.  Instead, point them towards where the information appears in their browser, and have them look there.  Let the browser do its job and protect the user.

Also, I find it ironic that while PayPal Buyer Credit is run by GE Money Bank, you can’t pay it from your PayPal balance, and you can’t set up automatic transfers either way.  Just seems like if I were doing a credit service for PayPal, I would run the transfers both ways.

The main PayPal website links to VeriSign instead of displaying this widget, and also includes the VeriSign site seal.  I don’t agree with the site seals either, incidentally, because they are also too easy to fake.


