just one more geek in a sea of austin techies

January 26, 2012

Did Symantec really just send me that?!? #SecurityGeek

Yesterday the usual unwelcome snail-mail spam included an envelope with a letter and ad slick from Symantec.  I barely even glanced at the slick but was immediately struck by the opening of the letter.  Its contents triggered three "red flags" in my mind even before the start of the first sentence.  Did Symantec, a leading security company, really just lead its marketing pitch with warning signs I often coach users to steer clear of?...

I admit it: as I scanned Symantec's opening letter I laughed out loud... and so did the next two guys I showed it to.  The upper-right corner included an attention-getting graphic and come-on for a free report and a free USB flash drive. In a mere 3"x3" space a leading security company promoted their mobile app security product by prompting me to indulge in a well-recognized mobile security risk.

A brief review of Symantec's "mobile threat" marketing faux pas:

  1. Scan this QR code!  (you can trust me) 
    The (sometimes) convenience of a QR code is appreciated, but in general QR codes are even less trustworthy than web addresses: you can't read the destination by looking at the code.  Who knows where you'll end up or what web browser exploits will be waiting there?  Thanks but no thanks.
  2. Do it now. NOW! (create a sense of urgency) 
    Given enough time to think about it, the end user may figure out that the requested action may not be worth the risk.
  3. Something for nothing.  (you're a winner!)
    I can buy a 4GB USB drive for $5 any day of the week.  If I fall for a scam and click a link to a nefarious site, how much will a successful zero-day exploit cost me?  What might I be setting myself up for when I give out my name and home (shipping) address?  (hint: any trouble at all will cost a lot more than $5 of my time)

Even the reward is risky

Interestingly, Symantec couldn't win even by sending me a USB drive and saying "please tell us 'thanks' by checking out our link" -- who would trust a free, unexpected USB drive enough to plug it into their system?  I think the only trustworthy method would be to send a coupon I could redeem at a local store (if you're reading, Symantec, make the coupon good for a 32GB or larger drive and I'll accidentally delete this post!)

You may argue that, since the letter is from Symantec, I can trust the content.  I'll point out that there is no reasonable way to verify that this specific mailing actually is from Symantec.  Emails are faked - why not snail mail?  While I absolutely believe that the letter is legitimate, I can't help but wonder how a company pushing the merits of its mobile authentication system would lead off its contact letter by encouraging customers to overlook a known mobile security pitfall.
