[Cryptography] PRISM-Proofing and PRISM-Hardening
Bill Frantz
frantz at pwpconsult.com
Mon Sep 30 18:45:28 EDT 2013
Rich - Thanks for chasing this study down. There is a lot of
food for thought for all of us in it.
On 9/30/13 at 11:29 AM, rsalz at akamai.com (Salz, Rich) wrote:
>Bill said he wanted a piece of paper that could help verify his
>bank's certificate. I claimed he's in the extreme minority who
>would do that and he asked for proof.
>
>I can only, vaguely, recall that one of the East Coast big
>banks (or perhaps the only one that is left) at one point had a
>third-party cert for their online banking and that it
>"encouraged" phishing of their customers. See also http://en.wikipedia.org/wiki/Phishing#cite_note-87
Found at: <http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss>
To quote from the above:
The idea is that if customers do not see their [preselected]
image, they could be at a fraudulent Web site, dummied up to
look like their bank’s, and should not enter their passwords.
The Harvard and M.I.T. researchers tested that hypothesis. In
October, they brought 67 Bank of America customers in the
Boston area into a controlled environment and asked them to
conduct routine online banking activities, like looking up
account balances. But the researchers had secretly withdrawn
the images.
Of 60 participants who got that far into the study and whose
results could be verified, 58 entered passwords anyway. Only
two chose not to log on, citing security concerns.
This approach requires the customer to verify the image every
log on. Conning them by replacing the image with, "Site
undergoing maintenance"[1] is fairly easy. With my approach, I
would authenticate the bank's key once, when I establish an
account or sign up for online banking. My software would check
that authentication every time I log on after that. (If the bank
decides to change its key every year, I might need a new piece
of paper every year -- which might get old after a few years.)
>and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which
>say simple things like "show the right image" don't work.
Found at: <http://web.archive.org/web/20080406062154/http://people.seas.harvard.edu/~rachna/papers/emperor-security-indicators-bank-sitekey-phishing-study.pdf>
I believe this study is the one referred to in the NYT article
above. This study started with 67 people, the same number
mentioned above, and the authors are also affiliated with Harvard
and MIT. The steps they took to ethically use real accounts are
worth reading.
The last test involved presenting an IE warning page, "There is a
problem with this website's security certificate." The result was:
Of the 60 participants whose responses to prior tasks had
been verified, we were able to corroborate 57 participants’
responses to the warning page. Despite the overtness of the
warning page and its strong wording, 30 of 57 participants
(53%) entered their passwords. 27 participants (47%) did
not log in.
Leaving me to say you shouldn't give the user an option to
ignore security. I don't think I get a choice if an Apple or
Microsoft software update fails signature verification.
Their conclusions:
Users will enter their passwords even when HTTPS
indicators are absent.
Users will enter their passwords even if their
site-authentication images are absent.
Site-authentication images may cause users to
disregard other important security indicators.
The last conclusion is interesting for evaluating other studies.
They divided their subjects into three groups. Two used dummy
accounts and one used their own accounts.
Role playing has a significant negative effect on the
security vigilance of study participants. Participants who
played roles disregarded more attack clues before withholding
their passwords than participants whose own passwords were at
risk.
Cheers - Bill
[1] The text used in the second reference's study is very enticing:
SAI Maintanance [sic] Notice:
[bank name] is currently upgrading our award
winning SAI feature. Please contact customer
service if your SAI does not reappear within the
next 24 hours.
-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
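The once-per-account key check Bill describes above, as an added example that is not from the original post or from any of the cited studies: a small Python pin store that enrolls the fingerprint a customer types from the bank's out-of-band paper and thereafter verifies the bank's presented key on every log-on, with no path for the user to click past a mismatch. The key bytes and account name are constructed placeholders, not real keys or accounts.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the bank's public key bytes (not real keys).
# KEY_2014 models the bank's annual key change mentioned in the post.
KEY_2013 = b"constructed-bank-public-key-2013"
KEY_2014 = b"constructed-bank-public-key-2014"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the key bytes, in the colon-separated hex a bank could print."""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(typed: str) -> str:
    """Tolerate what a person types from paper: case, spaces and colons vary."""
    return re.sub(r"[^0-9A-F]", "", typed.upper())


class PinStore:
    """One pinned key fingerprint per account, enrolled from the paper value."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def enroll(self, account: str, paper_fingerprint: str) -> None:
        # Done once when the account is opened, and again only when the bank
        # hands the customer a new piece of paper after rotating its key.
        self.pins[account] = normalize(paper_fingerprint)

    def verify(self, account: str, presented_key: bytes) -> bool:
        """True only if the presented key matches the pin; never asks the user."""
        pinned = self.pins.get(account)
        if pinned is None:
            # No paper value on file: refuse rather than trust the first key seen.
            raise PermissionError("no fingerprint enrolled for this account")
        presented = normalize(fingerprint(presented_key))
        return hmac.compare_digest(pinned, presented)


def login_allowed(store: PinStore, account: str, presented_key: bytes) -> bool:
    """The software's decision at log-on: a mismatch is a hard stop, not a prompt."""
    return store.verify(account, presented_key)
```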