User Trust Fail: Google Chrome and the Tech Support Scams

I act as the volunteer support structure for a significant number of nontechnical — but quite active — Internet users. Some of these are quite elderly, which makes me quite sensitive to where Internet firms are falling down on the job in this context. 

Let’s face it, these firms may pay lip service to accessibility and serving all segments of their users, but in reality they typically tend to care very little about users who aren’t in their key sales demographics, and who (while often numbering in the millions or more) aren’t considered to be their “primary” users of interest.

We see this problem across a number of aspects (I’ve in the past frequently noted the problems of illegible fonts and poor user interface designs, as my regular readers well know).

But today I’d like to focus on just one, where Google really needs to more aggressively protect their users from some of the most dangerous criminals on the Internet.

I’m referring to the ubiquitous “tech support” scams (often based in India) that terrify users by appearing on their browsers — often the result of a contaminated site link, a “cold” phone call, or very often a mistyped URL — and then falsely claim that the user’s computer is infected with malware or somehow broken, that you must click HERE for a fix, or that you must immediately call THIS 800 number, and BLAH BLAH BLAH.

The vast majority of these follow a common pattern, usually claiming to be a legit tech support firm or often Microsoft itself. 

Once users are pushed into contacting the scammers — who typically focus on Windows computers — the usual pattern is for them to walk the unsuspecting user through the installation of a remote access program, so that the scammer has free rein to suck the user’s credit card and bank accounts dry via a variety of crooked procedures. Their methods are typically tuned especially well to take advantage of elderly, nontechnical users.

It’s not Google’s fault that these criminals exist. However, given Google’s excellent record at detection and blocking of malware, it is beyond puzzling why Google’s Chrome browser is so ineffective at blocking or even warning about these horrific tech support scams when they hit a user’s browser.

These scam pages should not require massive AI power for Google to target.

And critically, it’s difficult to understand why Chrome still permits most of these crooked pages to completely lock up the user’s browser — often making it impossible for the user to close the related tab or browser through most ordinary means that most users could reasonably be expected to know about.

The simplest cure to offer in these situations (especially when you’re trying to help someone on the other side of the country over the phone) is to tell them to reboot (if the user isn’t already so flustered that they’re having trouble doing that) or to power cycle the computer completely (with the non-zero risk of disk issues that can result from sudden shutdowns). 

Even after that, users need to know that they must refuse Chrome’s “helpful” offer of restoring the old tabs after the reset — otherwise they can easily find themselves locked into the offending page yet again!

Chrome is now the world’s most popular browser, and Google’s Chrome team is top-notch. I am confident that they could relatively quickly solve these problems, if they deemed it a priority to do so.

For the sake of helping to protect their users from support scams — even though these users are often in demographic categories that Google doesn’t seem to really care that much about — I urge Google to take immediate steps to make it much more difficult for the tech support criminals to leverage the excellent Chrome browser for evil purposes.

–Lauren–

The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

IETF’s Stunning Announcement: Emergency Transition to IPv7 Is Necessary!

Frostbite Falls, Minn. (NOTAP) In a brief announcement today that stunned Internet users around the world, the Internet Engineering Technical Force proclaimed the need for an “emergency” transition to a yet to be designed “IP version 7” protocol, capable of dealing with numeric values up to “a full gazillion at a minimum.”

IETF spokesman David Seville explained why this drastic move was considered necessary when the ongoing transition from IPv4 to Internet protocol level IPv6 — the latter with a vast numbering capability — is still far from complete.

“Frankly, we’re just trying to get ahead of the curve, for once in the technology field,” said Mr. Seville. “With the dramatic rise in the number of hate speech and fake news sites around the world — not only originating in the Soviet Uni … I mean, Russia — we can’t risk running out of numbering resources ever again! Everyone deserves to be able to get these numbers, no matter how vile, racist, and sociopathic they may be. We’re already getting complaints regarding software systems that have overflowed available variable ranges simply trying to keep track of Donald Trump’s lies.”

Asked how the IETF planned to finance their outreach regarding this effort, Seville suggested that they were considering buying major ad network impressions on racist fake news sites like Breitbart, where “the most gullible Internet users tend to hang out. If anyone will believe the nonsense we’re peddling, they will!”

In answer to a question regarding the timing of this proposed transition, Seville noted that the IETF planned to follow the GOP’s healthcare leadership style. “We feel that IPv4 and IPv6 should be immediately repealed, and then we can come up with the IPv7 replacement later.” When asked if this might be disruptive to the communications of Internet users around the world, Mr. Seville chuckled “You’re catching on.”

David Seville can be reached directly for more information at his voice phone number: +7 (495) 697-0349.

– – –

–Lauren–

I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.

My Mock-Up for Labeling Fake News on Google Search

Here is my mock-up of one way to label fake news on Google Search Results Pages, in the style of the Google malware site warnings. The warning label link would go to a help page explaining the methodology of the labeling.

 


Biting the Bullet: It’s Time to Require 2-Factor Verified Logins

For years now, security and privacy professionals — myself included — have been urging the use of 2-factor authentication (aka 2sv, 2-step authentication, 2fa, multiple factor, etc.) systems for logging into Web and other computer-based portals. Regardless of the name, these authentication systems all leverage the same basic principle — to gain access requires “something you know” and “something you have” — broadly defined. (And by the way, the inane and insecure concept of “security questions” doesn’t satisfy the latter category!)

The fundamental point is that these systems require the provision of additional information beyond the traditional username and password pair that have long demonstrated their frail natures as used by most persons.

Even if you don’t engage in notably bad password practices like sharing them among sites or making laughably weak password choices, usernames and passwords alone are incredibly vulnerable to basic phishing attacks that attempt to convince you to enter these credentials into (often very convincing) faked login pages.

The lack of widespread adoption of 2-factor systems has been the gift that keeps on giving to crooks, scam artists, Russian dictators, and a long list of other lowlife scum. The result has been what seems like almost daily reports of system penetrations and data thefts.

Are 2-factor systems foolproof? No. There are a wide range of technologies and methodologies that can be used to implement these systems, and they vary significantly in theoretical and practical security effectiveness. But despite some critics, they all share one thing in common — they’re all much better than just a bare username and password alone!

Choices for 2-factor systems include text messages, automated voice calls, standalone authentication apps and devices, USB/NFC (e.g. FIDO U2F) crypto keys, and even printable key codes. And more.

With all of these choices, why is there so comparatively little uptake of 2-factor systems in the consumer sphere? (In the corporate sphere there has been more, but not nearly enough there either.)

Why don’t most users take advantage of 2-factor systems? There are two primary, interrelated reasons.

First is the psychology of the problem. Most people just don’t believe in their gut that a breach is going to happen to them — they feel it’s always going to be someone else. They just don’t want to “hassle” with anything additional to protect themselves, no matter how frequently we urge the use of 2-factor.

It’s much the same kind of “it won’t be me” reasoning that leads most people to not appropriately back up the data on their home (or often their office) systems.

Of course, once their account is breached or their disk crashes, they suddenly care very deeply about these issues, and people like me get those 3 AM calls where we have to bite our tongues to avoid saying “Well, I told you so.”

However, it would be unfair to blame the users entirely in this context, because — truth be told — many 2-factor implementations suck (that’s a computer science technical term, by the way) and are indeed a genuine hassle to use.

Some require the use of text messages (not everyone has a text message capable phone, as the Social Security Administration learned in their incompetent recent aborted attempt to require 2-factor authentication). Some require that you receive a new authentication token every time you log in (overkill for most ordinary consumers) — rather than remembering that a given device has already been authenticated for a span of time. Some are slow. Some are buggy. Some screw up and lock users out of their accounts.

The bottom line is that a lousy 2-factor system is going to drive users batty.

But that’s not an excuse, because it is possible to do 2-factor in a correct and user-friendly manner, with appropriate choices for consumer and business/organization requirements.

By far the best 2-factor implementation I know of is Google’s. Their world class privacy/security teams have for years now been deploying 2-factor with the full range of choices and options I noted above. This is the way it should be done.

Yet even Google has to deal with the “it won’t happen to me” mindset syndrome on the part of users.

This is why I am now convinced that at least the major Web firms must begin moving gradually toward the mandatory use of 2-factor methods for users accessing these sites.

Just as responsible websites won’t permit a user to create an account without a password, and many attempt to prevent users from selecting incredibly weak passwords, we must start the process of requiring 2-factor use on a routine basis, both for the protection of users and of the companies that are serving them — and for the protection of society in a broader sense as well. We can no longer permit this to be simply an optional offering that vast numbers of users ignore.

This will indeed be a painful bullet to bite in some important respects. Doing 2-factor properly isn’t cheap, but it isn’t rocket science either. High quality commercial, proprietary, and open source solutions all exist. User education will be critical. There will be some user backlash to be sure. Poor quality 2-factor systems will need to be upgraded on a priority basis before the process of requiring 2-factor use can even begin.

It’s significant work, but if we care about our users (and stockholders!) we can no longer keep kicking this can down the road. 

The sorry state of most user authentication systems that don’t employ 2-factor has been a bonanza for all manner of crooks and hackers, both for the ones “only” seeking financial gain and for the ones seeking to undermine democratic processes. 

The deployment and required use of quality 2-factor systems won’t completely seal the door against these evil forces, but will definitely make their tasks significantly more difficult. 

We can no longer accept anything less.

–Lauren–

The Scary Part is …

The scary part is that Donald Trump’s juvenile ranting makes this bozo seem adult and stable by comparison.

–Lauren–