Decades after selling Americans on the idea of jumping through transactions with online strangers, Craig Newmark is trying to get them to hold off on clicking through.
Last September, the Craigslist founder-turned-philanthropist and tech-policy activist launched Take9, a program pushing a nontechnical response to the complex problems of online scams and frauds.
Traditionally, security advice has focused on tools: Install security updates promptly, use a password manager, enable multifactor authentication, and upgrade to passkey logins if you can.
But phishing scams, misinformation campaigns, and other digital attempts to part people from their money, or their account credentials, evolve constantly. They usually retain one common element, though: They aim to provoke a response rooted in fear or anger, not thought.
In fewer words, they’re targeting your lizard brain.
Take9’s advice doesn’t involve any software or settings: Simply take a nine-second pause and think before you click, download, or share. Newmark has been working on the problems of digital security for a long time. But his previous efforts were aimed more at professionals. Take9 is aimed at individuals with fingers poised over a touchscreen, a mouse, or a keyboard, uncertain of what to do next.
“No one is looking out for regular people—and that’s how I identify, if nothing else because I’ve been a customer-service rep for the great majority of my work life,” Newmark says on a video call. “We all need a hand in terms of protecting ourselves, our families, our homes.”
The federal government seems less likely to lend that hand after the Trump administration’s deep cutbacks of federal cybersecurity staffing and programs. With Take9, Newmark is trying to help people help themselves in a low-tech way.
Please hold up
Waiting can give your noggin a chance to downshift. That’s the core advice of Take9.
“There’s some behavioral research which suggests you wait a little while, and they typically cite 9 or 10 seconds before you actually go in and click things,” Newmark says. He cites his own past misadventure rushing to buy some knockoff Ray-Ban sunglasses: “I only realized after that I gave bad people my credit card number.”
Compromised credit cards are relatively easy to fix. A hacked email account or social media presence can, by contrast, leave a much wider blast radius.
And the messages trying to spoof or scare us into giving up critical credentials keep coming, because the attackers know that few of us can resist the urge to click.
“It’s an ongoing problem with certain members of the family, but I will not disclose specifics, because Mrs. Newmark would yell at me,” Newmark says.
As secondary steps to learning to take a beat before a click, the Take9 site offers pointers on the usual technological countermeasures, such as using a password manager and upgrading to passkey logins. (We would take exception to the site’s recommendation to avoid public Wi-Fi; the advent of nearly universal encryption between sites and browsers should relegate that outdated advice to tech-myth status.)
It also invites visitors to sign up for a mailing list for updates on its campaign, partners, and “useful resources.”
Incremental improvements
Newmark isn’t counting only on more self-aware behavior to slow the flood of attacks.
“I think progress is being made,” he says, pointing first to the rise of more secure domain-name-service systems that encrypt lookups of site names to prevent an attacker from shunting a visitor to a hostile look-alike.
He’s also optimistic about threat-sharing partnerships such as Global Signal Exchange, launched in October by Google and the industry groups DNS Research Federation and Global Anti-Scam Alliance.
GSE, which Newmark supported with a $1 million contribution in December, lets member firms share data about attackers and attacks confidentially to coordinate responses and research into future threats.
Newmark says he’s already benefited from Google’s addition of on-device AI to screen calls and messages from noncontacts for likely scam patterns, demoed at Google I/O two years ago and initially shipped in March.
Of course, AI is a weapon that can point either way: AI-generated people can now convincingly imitate real ones. And this attack isn’t just a problem for IT hiring. Businesses have been scammed out of millions of dollars by AI deepfakes.
Newmark suggests that families agree on “a code word that only they would know” but allows that “there might be something better.”
Many security experts think there is. They recommend that if you’re in doubt about a call from somebody who sounds like a friend or family member, hang up and call them back directly. Or ask the caller about something that only the real person would be in a position to know.
What does success look like?
Can a project with a goal as subjective as making people a little more street-smart online have a definable finish line?
Real success would look like ransomware scammers simply giving up “because protections were that good,” Newmark says. “Scammers would find other crime to exploit.”
But he also allows that those are impossible metrics. “Those are examples of the perfect, and we’re not going to get there,” he says, noting that he’s in it for the long haul.
Newmark says he still gets angry about the idea of somebody trying to rip off his customers. “I take it personally, and I think everyone involved in any kind of platform should feel the same way,” he says. “It should piss them off.”
source https://www.fastcompany.com/91467939/craigslist-founder-craig-newmark-security-password-manager