My buddy Tom from MySpace (he’s probably your buddy, too) has a message for his users who have been subject to phishing scams: it’s your fault.
Phishing is the name given to the practice of making a web site that pretends to be another site in order to gain your credentials. For years thieves have been using this for serious damage, such as getting into bank accounts. It’s a big problem, one that browsers and sites themselves have been tackling.
Lately I’ve noticed a number of my MySpace friends sending me advertisements that I wouldn’t expect them to send. Likely, they had been phished. Tom decided to take action with a call to “protect yourself from phishing!” (color choice all his):
“Phishing is a trick people use to steal your email & password. It is not a “security” flaw, and you’re not getting “hacked.” It’s entirely preventable by you, if you know what to look for. “
I appreciate his position. It must be difficult to watch millions of his users fall prey to something that can, from his perspective, be so easily avoided. Lack of user education is definitely part of the problem (knowledge makes everything simpler, says the Laws of Simplicity). But he isn’t meeting users in the middle in this post. Even his “simple” solution sounds like a lot of work and is asking users to change their normal patterns:
“This all may sound complicated, but there’s a simple way to make sure you NEVER get phished. If you are ever clicking around MySpace and you are asked to login, don’t do it! STOP. Go to the URL bar in your browser, and type in ‘myspace.com’ and then login. If you always type in myspace.com yourself, you’ll be sure that you are on our real login page, and not some fake designed to steal your login credentials.”
Especially for a site as notoriously lacking in design as MySpace, they have to accept some of the blame. They have to come up with some sort of change on their end to become more phishing proof. They can’t expect a post so long most MySpacers won’t even skim it to make a significant impact. Most of all, there needs to be less “it’s not my fault” and more it’s all my fault.
I do see it as Tom shuffling off any responsibility of dealing with phishing.