Security Colours

I fell for a password phishing email once. The moment I clicked the login button I thought “Wow, I’m so trained to do this all you have to do is show me the button and I’ll click it.” I realised a split second later of course, and felt like a raging moron for not paying attention.

The thing is, why should you have to pay attention? Even if you’re not quite as dim as me, it still takes a little bit of mental effort to tell a well made fake email from the real thing, and it’s a lot harder if you’re not tech savvy enough (or too groggy from just waking up) to spot the warning signs. I think there’s a very simple addition to normal security measures that would make recognising fake emails and account pages universally effortless, while requiring no extra input from the average user.

When a new user signs up, they’re presented with a randomly chosen “security colour”. They can pick a different one if they prefer, and from then on the colour is displayed as a banner or badge on every official communication from the site.

I use Pirate Facebook, of course.

Security colour as a badge on an email.

The colour would be kept secret, like your password, so any potential phishers would have to guess at what colour to use. The actual way the colour is displayed could be styled a little to match the site, but as long as it’s used prominently and consistently enough to become part of the expected branding, an off-colour message would appear as obvious as one with the wrong logo or name.
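As an added example (not code from the original post), a minimal server-side sketch of the scheme in Python: the palette, class and function names are assumptions. The hit-rate function shows the limit of a small palette against a bulk mailing, and how combining the colour with further secrets (an image and a free-text description, as one comment below describes) shrinks the phisher's odds.

```python
import secrets
import html

# Constructed palette: the post only says "randomly chosen security colour";
# this particular list of twelve colours is an assumption for the example.
PALETTE = ["red", "orange", "yellow", "green", "teal", "blue",
           "indigo", "violet", "pink", "brown", "grey", "black"]


class SecurityColours:
    """Per-user secret colour, assigned at sign-up and stamped on every
    official message so a mail without the right banner looks off-brand."""

    def __init__(self, palette=PALETTE):
        self.palette = list(palette)
        self._colours = {}  # user -> colour; server-side secret, like a password

    def assign(self, user, chosen=None):
        # Random by default (secrets, not random); the user may pick another.
        colour = chosen if chosen is not None else secrets.choice(self.palette)
        if colour not in self.palette:
            raise ValueError("colour not in palette")
        self._colours[user] = colour
        return colour

    def render_email(self, user, body):
        # Banner rendered from the stored secret; the colour comes only from
        # the fixed palette, so it is safe to interpolate into the style.
        colour = self._colours[user]
        return (f'<div class="security-colour" style="background:{colour}">'
                f'Your security colour: {colour}</div>\n'
                f'<p>{html.escape(body)}</p>')

    def looks_genuine(self, user, banner_colour):
        # The check the trained reader performs mentally: does the banner
        # match the colour they expect? A mismatch means treat as untrusted.
        return self._colours.get(user) == banner_colour


def mass_phish_hit_rate(palette_size, extra_factors=()):
    """Fraction of recipients who see a matching banner when a phisher
    fixes one colour (plus any other guessed secrets) for a bulk mailing.
    extra_factors are the sizes of additional per-user secrets, such as an
    image pool and a description, which multiply the guessing space."""
    space = palette_size
    for n in extra_factors:
        space *= n
    return 1 / space
```

With twelve colours alone, one in twelve recipients of a bulk phish sees the "right" banner, which is why the palette size and any extra secret matter.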

3 Responses to “Security Colours”

  1. [...] This post was mentioned on Twitter by Chris Mear, David Mear. David Mear said: Good idea? Stupid idea? http://davidmear.com/2010/07/security-colours/ [...]

  2. Graham says:

    Roughly the same idea as Yahoo sign-in seals:
    http://security.yahoo.com/article.html?aid=2006102507

  3. scully says:

    My bank uses something similar. When I created my account I selected an image that would be displayed above my password login. I was able to also add a “description” of my choice. In order to phish, the bad guys would have to know which of the many photos I chose, and also be able to spoof my description. I could have chosen a picture of an ice cream truck, but my description, being my choosing, could be something like “there’s no man on the moon.” Works pretty well, methinks.