Invalid banking cert spooks only one user in 300

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed May 18 06:24:18 EDT 2005


  Invalid banking cert spooks only one user in 300
  Stephen Bell, Computerworld
  16/05/2005 09:19:10

  Up to 300 New Zealand BankDirect customers were presented with a security
  alert when they visited the bank's website earlier this month - and all but
  one dismissed the warning and carried on with their banking.

The rest of the story is at
http://www.pcworld.idg.com.au/index.php/id;1998944536;fp;2;fpid;1 or
http://www.computerworld.co.nz/news.nsf/0/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld
(PC World Australia or ComputerWorld NZ).  To provide a little more background
information, BankDirect is an online-only offshoot of another bank (ASB)
that's targeted at computer-savvy users who don't need (or want) the expense
of a standard bricks-and-mortar account.  There are no branches, and payment
is done electronically at the point of sale (EFTPOS) and managed via the
Internet or a cellphone, thus the (apparently) low number of accesses - you'd
generally rarely need to access it over the net.

So in other words the number of computer-savvy users who were stopped by an
invalid server cert at a banking site was essentially zero.  To quote the
article again:

  Peter Benson, chief executive of Auckland-based Security-Assessment.com,
  says he is "not at all surprised" at the statistics. "In my experience, the
  single weakest point in the chain of [computer] security is the space
  between the keyboard and the floor."

  A lot more education of users in responding appropriately to security alerts
  is needed, he says.

Looks like we have a long way to go in making effective security usable.  Note
that if the same site had used TLS-PSK
(http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-08.txt) instead of
straight passwords over TLS, and had this been malicious spoofing instead of
just an accident, none of this would have been possible (TLS-PSK provides
mutual authentication of both parties before any sensitive information is
exchanged, so even if the user ignores the warning, they won't be able to
communicate with a spoofed site).

Peter.
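To make the TLS-PSK point above concrete, here is an added toy model (not TLS, and not code from the post or the draft) of the property it relies on: each side proves knowledge of the pre-shared key before the client releases any application data, so a server that cannot produce the proof gets nothing sensitive, cert warning or not. The message layout and names (`PskServer`, `psk_session`) are invented for illustration, and the model assumes a high-entropy PSK, since the proof transcript would otherwise be exposed to offline guessing.

```python
import hmac
import hashlib
import os

# Toy model of TLS-PSK key confirmation (constructed for illustration, not real TLS).

def _proof(psk: bytes, role: bytes, c_nonce: bytes, s_nonce: bytes) -> bytes:
    # Each side proves it holds the PSK with an HMAC over both nonces; the role
    # label stops a peer from simply reflecting a proof back to its sender.
    return hmac.new(psk, role + c_nonce + s_nonce, hashlib.sha256).digest()


class PskServer:
    """Server holding an identity -> PSK table (the bank, or a spoof with wrong keys)."""

    def __init__(self, psk_table: dict):
        self.psk_table = psk_table
        self.received = []  # application data this server actually obtained

    def hello(self, identity: bytes, c_nonce: bytes):
        psk = self.psk_table.get(identity, b"")  # a spoof has no (or a wrong) key
        s_nonce = os.urandom(16)
        return s_nonce, _proof(psk, b"server", c_nonce, s_nonce)

    def finish(self, identity, c_nonce, s_nonce, c_proof, app_data) -> bool:
        psk = self.psk_table.get(identity, b"")
        expected = _proof(psk, b"client", c_nonce, s_nonce)
        if not hmac.compare_digest(c_proof, expected):
            return False  # client could not prove PSK knowledge
        self.received.append(app_data)
        return True


def psk_session(identity: bytes, psk: bytes, app_data: bytes, server: PskServer) -> bool:
    """Client side: authenticate the server *before* releasing app_data.
    Returns True only if mutual authentication succeeded and the data was sent."""
    c_nonce = os.urandom(16)
    s_nonce, s_proof = server.hello(identity, c_nonce)
    if not hmac.compare_digest(s_proof, _proof(psk, b"server", c_nonce, s_nonce)):
        return False  # server failed to prove the PSK: nothing sensitive leaves the client
    c_proof = _proof(psk, b"client", c_nonce, s_nonce)
    return server.finish(identity, c_nonce, s_nonce, c_proof, app_data)


def password_session(password: bytes, server: PskServer) -> bool:
    """Plain password-over-TLS model: once the user clicks through the certificate
    warning, whoever answered the connection receives the password."""
    server.received.append(password)
    return True
```

Running both sessions against a server that lacks the key shows the difference: the PSK session aborts with the spoof holding only an identity and a nonce, while the password session hands it the credential.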

---------------------------------------------------------------------
The Cryptography Mailing List