I am a bit confused about the attempt of the credit report companies to “protect the link” to the new site where one can get free credit reports (see the bottom of this article). I understand the problem of phishing and I agree that this site will be a very tempting target for phishing. The “solution” the people at annualcreditreport.com came up with is that links to their site won’t work unless the link is either on the FTC web site or one of the three credit report companies. For example, try clicking here and it should give you an error. This is presumably done by checking the “Referer” HTTP header. Yes, it’s “referer”, not “referrer”, an example of how authors of Web browsers are normatively required to make spelling mistakes, this should keep all of us spec editors on our toes (which, as a side note, happens to be literally the case for me this week because I slammed my heel on the edge of the swimming pool by doing an aggressive flip turn a bit too close to the wall during a Master’s swimming training session).
Anyway, back to the “protect the link” story. Let’s see how this would work. I have in front of me a hypertext link to their site. If I know that the site has this “protection” then why would I click on it? If it works then it’s a fake and I don’t want to use it and if it’s not a fake then it won’t work. In any case I know I’ll have to enter the URL by hand so I’ll do it right away. And if I am not aware of this behavior then I will click on the link. If it works (because the link is a fake), then I have no reason to suspect anything fishy and I’m in trouble. If it doesn’t work (because the link is real) then I’ll see that I have to enter the URL by hand and I will be out of trouble but I wasn’t in trouble to start with since the link was correct. In either of these four permutations this system doesn’t do any good.
The scary thing is that when people learn about this system, they might actually be more trustful with sites that implement something like this. But what stops a phishing site from doing the exact same thing, giving people an error message unless they type the URL by hand? Nothing. This reminds me of an email I once got from my bank to “educate” me about phishing. With “helpful” advice such as “we will never request personal information from you until after you are logged into our site using your username and password”. Hello? I give them my credentials and this supposedly authenticates them to me?