[Cryptography] PRISM-Proofing and PRISM-Hardening

Bill Frantz frantz at pwpconsult.com
Mon Sep 30 18:45:28 EDT 2013

Rich - Thanks for chasing this study down. There is a lot of 
food for thought for all of us in it.

On 9/30/13 at 11:29 AM, rsalz at akamai.com (Salz, Rich) wrote:

>Bill said he wanted a piece of paper that could help verify his 
>bank's certificate.  I claimed he's in the extreme minority who 
>would do that and he asked for proof.
>I can only, vaguely, recall that one of the East Coast big 
>banks (or perhaps the only one that is left) at one point had a 
>third-party cert for their online banking and that it 
>"encouraged" phishing of their customers.  See also http://en.wikipedia.org/wiki/Phishing#cite_note-87

Found at: <http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss>

To quote from the above:

     The idea is that if customers do not see their [preselected]
     image, they could be at a fraudulent Web site, dummied up to
     look like their bank’s, and should not enter their passwords.

     The Harvard and M.I.T. researchers tested that hypothesis. In
     October, they brought 67 Bank of America customers in the
     Boston area into a controlled environment and asked them to
     conduct routine online banking activities, like looking up
     account balances. But the researchers had secretly withdrawn
     the images.

     Of 60 participants who got that far into the study and whose
     results could be verified, 58 entered passwords anyway. Only
     two chose not to log on, citing security concerns.

This approach requires the customer to verify the image every 
log on. Conning them by replacing the image with, "Site 
undergoing maintenance"[1] is fairly easy. With my approach, I 
would authenticate the bank's key once, when I establish an 
account or sign up for online banking. My software would check 
that authentication every time I log on after that. (If the bank 
decides to change it's key every year, I might need a new piece 
of paper every year -- which might get old after a few years.)

>and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which 
>say simple things like "show the right image" don't work.

Found at: <http://web.archive.org/web/20080406062154/http://people.seas.harvard.edu/~rachna/papers/emperor-security-indicators-bank-sitekey-phishing-study.pdf>

I believe this study is the one referred to in the NYT article 
above. This study started with 67 people, the same number 
mentioned above and the authors are also affiliated with Harvard 
and MIT. The steps they took to ethically use real accounts are 
worth reading.

The last test involved presenting a IE warning page, "There is a 
problem with this website's security certificate. The result was:

     Of the 60 participants whose responses to prior tasks had
     been verified, we were able to corroborate 57 participants’
     responses to the warning page. Despite the overtness of the
     warning page and its strong wording, 30 of 57 participants
     (53%) entered their passwords. 27 participants (47%) did
     not login.

Leaving me to say you shouldn't give the user an option to 
ignore security. I don't think I get a choice if an Apple or 
Microsoft software update fails signature verification.

Their conclusions:

     Users will enter their passwords even when HTTPS
     indicators are absent.

     Users will enter their passwords even if their site-
     authentication images are absent.

     Site-authentication images may cause users to disre-
     gard other important security indicators.

The last conclusion is interesting for evaluating other studies. 
They divided their subjects into three groups. Two used dummy 
accounts and one used their own accounts.

     Role playing has a significant negative effect on the
     security vigilance of study participants. Participants who
     played roles disregarded more attack clues before withholding
     their passwords than participants whose own passwords were at

Cheers - Bill

[1] The text used in the second reference's study is very enticing:

     SAI Maintanance [sic] Notice:
     [bank name] is currently upgrading our award
     winning SAI feature. Please contact customer
     service if your SAI does not reappear within the
     next 24 hours.

Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 
Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, 
CA 95032

More information about the cryptography mailing list