For example, back in the good old days we learned to put our email address on the website so people could contact us easily. Years later (our mailboxes flooded with viagra spam because our email addresses got scraped by some harvesting bot), we changed the design pattern to something like sales AT example DOT com. My guess is that we probably need to change that too, as the harvesting bots can easily scrape and harvest those addresses as well.
Over the last few years in fraud protection we've learned a plethora of fraudulent methods, and which website practices and design patterns actually attract or invite fraud.
What I mean by "invites" is that a website with low fraud detection skills or poor practices suffers fraud before its competitors do - it's a low-hanging-fruit thing. Fraudsters make money where it's easiest; when you skill up, they move on to the next easy target.
But fraud protection has typically been the concern for eCommerce sites. The worst that individuals have had to tolerate is spam/malware in their email box and spam in their blog posts.
Spam in blog posts grew to such a degree that solutions like CAPTCHA, Akismet, Mollom and Defensio emerged - because bloggers are early adopters and motivated to keep their comment feeds clean.
However, as social media crosses the chasm to everyone owning a conversation, what competence will they have to spot a fraud or an attack?
Here is an example from this weekend's Twitter spam:
Now...this fine young lass doesn't seem to have any clothes or friends (Followers: 0, Following: 0), but she loves to send the same link to lots of folks (or maybe blokes). She blasted out 254 tweets.
The tweeted IDENTICAL link was probably spam, but it could easily have been malware or a worm (there are several precedents, and Twitter account phishing attacks). When this stuff appears in your reply stream, it's pretty easy to reflexively click through to the "attack site".
The Twitter account is still live several days later.
So - nothing new about this - but it's an anti-pattern that we accept:
- the users have no warning
- there is no reputation in the reply stream about the sender
- the account isn't killed (it may have been disabled invisibly, but surely Twitter users should know when an account has been blocked by others).
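The two missing pieces above (a warning to the user and some reputation about the sender in the reply stream) are straightforward to compute from the data Twitter already has. Here is an added example of how a client could do it; this is not code from the original post or from Twitter. The accounts and tweets are constructed, and the reputation formula and the "same link to 3+ people" threshold are assumptions chosen to match the pattern described (zero followers, zero following, identical link blasted to many recipients).

```python
"""Flag low-reputation accounts that blast the same link at many users.

Added example. Account stats and tweets below are constructed; the
scoring rule and threshold are assumptions, not a real anti-spam rule set.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Account:
    handle: str
    followers: int
    following: int


@dataclass(frozen=True)
class Tweet:
    sender: str
    recipient: str  # the @user the tweet replies to
    text: str


def links_in(text):
    """All URLs in a tweet, as a hashable set so identical link sets compare equal."""
    return frozenset(URL_RE.findall(text))


def sender_reputation(account):
    """Crude reputation in [0, 1]: share of the account's social graph made up of
    people who chose to follow it. An account nobody follows scores 0 (assumption)."""
    total = account.followers + account.following
    if total == 0:
        return 0.0
    return round(account.followers / total, 2)


def identical_link_blasts(tweets, min_recipients=3):
    """Map (sender, link set) -> recipients for senders who sent the same
    link(s) to at least `min_recipients` distinct users."""
    seen = defaultdict(set)
    for t in tweets:
        urls = links_in(t.text)
        if urls:
            seen[(t.sender, urls)].add(t.recipient)
    return {k: v for k, v in seen.items() if len(v) >= min_recipients}


def annotate_reply_stream(tweets, accounts, min_recipients=3):
    """Attach the context a reply stream could show: sender reputation plus a
    'same link blasted to N users' count. Returns one dict per tweet."""
    blasts = identical_link_blasts(tweets, min_recipients)
    out = []
    for t in tweets:
        rep = sender_reputation(accounts[t.sender])
        recipients = blasts.get((t.sender, links_in(t.text)), set())
        out.append({
            "sender": t.sender,
            "reputation": rep,
            "blast_recipients": len(recipients),
            "warn": rep == 0.0 or bool(recipients),
        })
    return out


# Constructed sample data: one account matching the pattern in the post, one normal user.
ACCOUNTS = {
    "spammer": Account("spammer", followers=0, following=0),
    "alice": Account("alice", followers=120, following=80),
}
TWEETS = [
    Tweet("spammer", "bob", "@bob check this out http://example.invalid/win"),
    Tweet("spammer", "carol", "@carol check this out http://example.invalid/win"),
    Tweet("spammer", "dave", "@dave check this out http://example.invalid/win"),
    Tweet("spammer", "erin", "@erin check this out http://example.invalid/win"),
    Tweet("alice", "bob", "@bob here is the slide deck http://example.invalid/slides"),
    Tweet("alice", "carol", "@carol thanks!"),
]

if __name__ == "__main__":
    for row in annotate_reply_stream(TWEETS, ACCOUNTS):
        print(row)
```

The point of the example is that neither signal needs new data: follower counts and the recipient list of identical links are already visible to the platform, so a reply stream could show "sender reputation 0, same link sent to 254 people" next to the tweet instead of leaving the reader to click reflexively.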
- Username/Password (no 2-factor)
- Allowing simple passwords
- Making passwords so difficult that the user has to write them on a post-it note
- Storing your username/password in a 3rd party (yes, you, Twitter API applications!)
- Positioning single sign-on (SSO) as being safer
- Auto follow
- Really confusing privacy policies and obscured privacy settings (watch Paul Fenwick's presentation on Facebook privacy - some of you may be surprised)
- Changing your Terms and Conditions on privacy (beacon)
- 140 characters - not enough to give the recipient any context about the link's destination
- URL shorteners like tr.im and bit.ly - again, these separate the recipient from the context of the destination, without any reputation attached to the link.
- Not allowing users to partition their personal and public life.
- Not educating users (like children) about the ramifications of public social media behaviour. It should be mandatory at primary school to learn how:
  - difficult it is to get something deleted from Google's cache, especially if it's not your site: http://lifehacker.com/166500/deleting-things-from-googles-cache
  - impossible it is to delete all known copies of an embarrassing photo, vid or chat thread
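The 140-character and URL-shortener items in the list above share one problem: the recipient sees a link with no idea where it goes. An added example of how a client could restore that context before anyone clicks, following the redirect chain without fetching page bodies and showing the final host with a reputation label. This is not code from the original post or from any shortener; the redirect table stands in for live HTTP HEAD lookups, the hostnames and reputation lists are constructed, and the hop limit is an assumption. It also handles the redirect loop and over-long chain cases a live resolver would meet.

```python
"""Expand shortened links and show the recipient where they really go.

Added example. REDIRECTS is a constructed stand-in for HTTP HEAD requests
(short URL -> Location header); the reputation lists are assumptions.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://\S+")
SHORTENER_HOSTS = {"bit.ly", "tr.im"}  # the two named in the post; illustrative list

# Constructed redirect table standing in for a live resolver.
REDIRECTS = {
    "http://bit.ly/abc123": "http://tr.im/xyz",           # shortener chained to shortener
    "http://tr.im/xyz": "http://known-good.example/blog/post",
    "http://bit.ly/loop1": "http://bit.ly/loop2",          # redirect loop
    "http://bit.ly/loop2": "http://bit.ly/loop1",
    "http://bit.ly/bad": "http://blocked.example/landing",
}
# Assumed reputation data; a real client would consult a blocklist feed.
KNOWN_GOOD = {"known-good.example"}
KNOWN_BAD = {"blocked.example"}


def expand(url, resolver=REDIRECTS.get, max_hops=5):
    """Follow a redirect chain one hop at a time without fetching bodies.
    Returns (final_url, hops, status) with status 'ok', 'loop' or 'too_many_hops'."""
    seen = [url]
    for _ in range(max_hops):
        nxt = resolver(seen[-1])
        if nxt is None:                      # no further redirect: this is the destination
            return seen[-1], len(seen) - 1, "ok"
        if nxt in seen:                      # cycle: never terminates, stop here
            return nxt, len(seen), "loop"
        seen.append(nxt)
    return seen[-1], len(seen) - 1, "too_many_hops"


def reputation(host):
    """Look the destination host up in the (assumed) reputation lists."""
    if host in KNOWN_BAD:
        return "bad"
    if host in KNOWN_GOOD:
        return "good"
    return "unknown"


def annotate_links(text, resolver=REDIRECTS.get):
    """For each link in a message, report destination host, hop count and a
    reputation label, giving the reader the context the shortener removed."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            final, hops, status = expand(url, resolver)
        else:
            final, hops, status = url, 0, "ok"
        dest = urlparse(final).hostname or ""
        # A chain that never resolves is itself a warning sign.
        rep = "suspicious" if status != "ok" else reputation(dest)
        results.append({"short": url, "destination": dest, "hops": hops,
                        "status": status, "reputation": rep})
    return results


if __name__ == "__main__":
    sample = "@bob see http://bit.ly/abc123 or http://bit.ly/loop1 or http://bit.ly/bad"
    for row in annotate_links(sample):
        print(row)
```

Resolving with HEAD requests rather than GET keeps the client from executing anything at the destination, and the hop limit and loop check stop a hostile chain from tying the client up. Displaying "bit.ly/abc123 -> known-good.example (2 hops)" next to the tweet gives the recipient the reputation-on-the-link that the list above complains is missing.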
I think I will expand on social media anti-patterns in the future. If the next generation learns the traps too late, we will have more sites promulgating an unacceptable set of "norms".
Is there an existing repository of such?