May 2012
An Interesting Recount (15 May 2012)
Another Company Doesn't Understand Phishing (18 May 2012)
Update on Hand Recount (30 May 2012)

Another Company Doesn't Understand Phishing

18 May 2012

It’s happened again: another reputable company just sent me an email with a link to click on, at which point I’m prompted for my login and password. This is exactly the sort of behavior that trains people to respond to phishing emails. I’ve complained about this sort of behavior before; I’m sure this won’t be the last time I have to.

This time it was Nest: they want to "confirm" my email address. So — they sent me email with a link saying "Verify your email", at which point I’d be taken to some URL with a lot of random-looking characters in it. It was legitimate; it even used https so I could check the certificate. (Why did I even respond to an unsolicited email like that? The Nest app on my iToy started displaying a button "resend email verification message"; I tapped that to induce a second — and identical — message. Since I had initiated that request, the message was much more believable.) But I wasn’t logged in, so I received a login prompt.

This is the wrong way to do things! The instructions in the email should have said "log in to your Nest account, then click this button" — and if you click it without being logged in, you should get a page without hyperlinks that says "please log in first and retry". That’s a safe way to do things, and it doesn’t teach people bad habits.

Tags: security
https://www.cs.columbia.edu/~smb/blog/2012-05/2012-05-18.html