[LINK] Study: surfers ignore common security cues on banking sites
Kim Holburn
kim.holburn at gmail.com
Tue Feb 6 20:55:25 AEDT 2007
http://arstechnica.com/news.ars/post/20070205-8771.html
> Study: surfers ignore common security cues on banking sites
>
> 2/5/2007 2:22:37 PM, by Eric Bangeman
>
> Password protection has its limitations, especially when it comes
> to things like online banking. That's why millions of phishing
> attempts are made every day—it's relatively easy to craft realistic-
> looking web pages that convince users to divulge passwords and
> other personal details. Financial institutions are well aware of
> this and as a result, have come up with additional authentication
> measures for their customers. A new study conducted by researchers
> from MIT and Harvard casts doubts on the efficacy of such measures.
>
> Researchers studied a system used by a handful of financial
> institutions where customers select an image that will always be
> displayed when they log into their account. The site authentication
> images are a cue for bank customers that the page they are viewing
> is in fact legitimate.
>
> Last fall, the researchers took 67 study participants and watched
> them go through typical online banking activities. The researchers
> had removed the site authentication images to see how many of the
> participants would log in anyway. The results were disturbing. Of
> the 60 participants who made it through the study (the other seven
> failed to follow instructions or didn't have their actions fully
> captured by researchers), only two of them found something fishy
> with the image-less login pages and refused to log in. The other 58
> signed on with little or no trepidation.
>
> Even more troubling is that 20 of the participants were given
> additional instructions "to behave securely." Despite the warnings,
> lack of site authentication images, and even the researchers'
> introducing some blatant spelling errors, the participants
> willingly logged in and attempted to go about their online banking
> business. "We were surprised to find that participants assigned to
> the security primed group behaved less securely than those in the
> role playing group, who had no security-priming," noted the study's
> authors.
>
> The study's conclusions should give added hope to phishers around
> the world: users typically don't pay close attention to security
> indicators. All participants entered their passwords even when the
> HTTPS indicators were removed indicating that the site they were
> accessing was not secure. Site authentication images were of little
> help either, as removing the image and replacing it with a "this
> site is being upgraded" message failed to deter the vast majority
> of subjects.
>
> .......
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961