
When it is better not to read the instruction

Holes in information security come in different kinds. There are holes in software, there are holes in hardware, there are holes in people's heads. And there are holes in documentation. Here, for example, right now the website of a very well-known bank in Ukraine carries an instruction that effectively urges corporate Internet banking users to trust any phishing site impersonating the bank, ignoring every browser warning about an invalid certificate. They probably meant to write a useful document for people. But it turned out as always.

What are we talking about?


Go here and download the document "Preparatory work". You don't need to read all of it (there is a lot) - I will quote the key part of the document:

“The key generation program is located on the bank's website so that it can be downloaded to the user's computer:
Connect to your Internet provider, start your Internet browser, enter the address in the IE address bar: client-bank.privatbank.ua/p24/c2b_install and press "Enter". The page will open:

This message states that the downloadable software belongs to PrivatBank, its authenticity is confirmed by a Tawte Premium Server CA certificate, and the bank confirms the security of this application.”

Where's the catch?


So, attention - in the screenshot we clearly see the browser's message that the certificate was issued to who knows whom and that this site cannot be trusted. In the text under the screenshot, this message is explained as "everything is OK, this is how it should be, this is PrivatBank's website and its software". And we remember that not everyone speaks English at the required level and, accordingly, will believe this explanation. That's it, game over: if a user who has read this instruction sees a browser warning about a phishing site, they will ignore it. And lose money.
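To make concrete what the browser is actually complaining about, here is an added example (not code from the original post or from the bank) of the hostname check a TLS client performs: it takes a certificate in the shape that Python's `ssl.SSLSocket.getpeercert()` returns and decides whether the certificate was issued for the hostname the user typed. The certificate data is constructed for illustration and belongs to no real site; the `hosting.example.net` names are assumptions. A client that disables this check, or a user who is told to click through its warning, ends up with exactly the failure the instruction above produces.

```python
"""Hostname check against a peer certificate, in the dict shape that
ssl.SSLSocket.getpeercert() returns on a verified connection.
Added example; the certificate below is constructed, not a real one."""

# Constructed sample: a certificate issued for a hosting provider's names,
# not for the bank hostname the user typed into the address bar.
SAMPLE_CERT = {
    "subject": ((("commonName", "hosting.example.net"),),),
    "subjectAltName": (("DNS", "hosting.example.net"), ("DNS", "*.example.net")),
}


def _dns_names(cert):
    """Collect DNS names from subjectAltName; use the CN only if there are none."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return names


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a single '*' allowed only as
    the whole leftmost label, and never spanning more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False  # partial or mid-name wildcards are rejected
    if len(p_labels) < 3:
        return False  # "*.ua"-style wildcards over a whole TLD are rejected
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any DNS name in the certificate covers the requested hostname."""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


def check_peer(cert, hostname):
    """Return (ok, message); the message is the substance of a browser warning."""
    if hostname_matches(cert, hostname):
        return True, f"certificate is valid for {hostname}"
    issued_for = ", ".join(_dns_names(cert))
    return False, (f"certificate was issued for {issued_for}, not for {hostname}; "
                   "this site cannot be trusted, do not proceed")


if __name__ == "__main__":
    # The situation from the screenshot: the user typed the bank's hostname,
    # the certificate presented was issued to somebody else.
    ok, msg = check_peer(SAMPLE_CERT, "client-bank.privatbank.ua")
    print("OK" if ok else "WARNING", "-", msg)
```

The check returns a failure for the bank hostname with a message naming who the certificate was really issued to; that is the message the instruction in the document tells users to treat as normal.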

How did such garbage come about?


Of course, I do not know for sure, but it seems to me that it went like this. Two people worked on the document. One (let's call him the Programmer) was smart and really understood what was what. The second (let's call her the Secretary) was not, understood nothing, and only knew how to use Word and copy-paste. The Programmer, understanding that no miracles could be expected from the Secretary, took screenshots of the software installation process, carefully marking on each screenshot what to click. Being completely sure that this would be enough and that one would really have to try hard to screw something up, he handed these screenshots to the Secretary with the words "here, write between the pictures what to press and where - I've checked it all". But the Secretary still managed to screw it up! Her logic, I think, was this:
"So, here the person should click "Start connection procedure". But there's such a scary window with a warning on the screen! What to do? We must somehow explain to the user why everything is OK. And before that, it would be good to understand it myself... Well, it seems to say something here about the PrivatBank website... And here's something about a Tawte Premium Server certificate... Well, I'll write that this is why everything is fine." And so she wrote. But in reality, what the Secretary was looking at was not the browser's certificate error message at all. Or rather, it was exactly that, but it was not shown by the Firefox on the screen; it was shown by another browser, and this Firefox was only displaying a page with a screenshot of that message. And it displayed it precisely to warn the user about the danger. Here it is, this page in its current form. That is, the Secretary, frightened by the screenshot inside the screenshot (wow, recursion), tried to somehow explain it to herself and to the user. As a result, we are urged to trust phishing sites. Cool, right?

This is all, of course, only my version of events, but it seems to me that this is roughly how it happened. Because the other option is deliberate sabotage. And as Hanlon's Razor says: "Never attribute to malice that which can be adequately explained by stupidity."

Summary


Bugs need fixing everywhere, including in documentation. A letter referencing this article has been sent to PrivatBank. I do not consider it necessary to notify them privately, since there is no direct threat to the bank; it is simply nonsense written in the documents.

Source: https://habr.com/ru/post/135398/

