Eye tracking and fMRI confirm that we don't even perceive security warnings before clicking past them

Originally published at: https://boingboing.net/2018/06/15/attentional-tragic-commons.html

Surprise factor: Zero

There’s a very good reason I do things like:

“To delete this job enter the name of the job”.

In the three years that confirmation has been in use the only oops involved someone intending to delete a secondary job and actually deleting the primary instead.


I usually can’t see them from my eyes rolling up to the inside of my head.

Sounds very like concealing an agreement to sell your organs within a 15 page long EULA in 4 point type.

The big minus with the ‘polymorphic warning’ approach is that it habituates people to a second class of warning-related security risks.

There’s an entire genre of social engineering that involves impersonating warnings or errors in order to convince the user to run the virus you claim they already have. Popular because it works and because no good drive-by exploits or privilege escalation tricks are needed (they do sometimes use annoying browser bodging to try to make it harder to just close that tab; but that’s a lower bar).

These attempts (like most attempts at cross-platform UI development) generally look slightly alien compared to platform native messages. Often good enough to fool the inexperienced; but typically off in at least subtle ways, often substantial ones. If your system is, deliberately, making error messages that look weird enough to get you to stop and think, it becomes much less obvious whether a warning is dodgy looking because it’s faked up in browser and is missing some information only available to your platform’s widget set or whether it looks dodgy because it’s supposed to.


The historic precedent for this kind of failure goes back to, “put an X where your name goes, we will have some literate guy fill in the information later”.

Face it, this society has always been a little iffy on notions of informed consent…

