“Study Finds Security Flaws on Web Sites of Major Banks” or “Common Knowledge: Users Regularly Click-Thru”
The New York Times Computer Security blog has an article entitled "Study Finds Security Flaws on Websites of Major Banks"... They couldn't have picked a more misleading title... The original study, entitled "The Emperor's New Security Indicators", looked at how many users notice things such as the disappearance of SSL (HTTPS) and changes to their "site authentication images"...
For those of you who are unaware, or haven't seen "site authentication images", the concept is that a user selects an image from a library of thousands, along with a phrase... and they are shown that image and phrase every time they visit the web page... The idea being that they would not see their image/phrase on a phishing site and so would not log in... The technology was originally rolled out by a company called PassMark, which was acquired by RSA... they market the technology as RSA Adaptive Authentication for Web.
The study found that 100% of users still entered their username and password when SSL was removed from the equation (although I'd love to see them try again with IE7 and High Assurance Certificates ( IE 7 Blog | SpywareSucks Blog Overview | Verisign Information ) to see if the green address bar makes a difference). They also found that 92% of users still entered their usernames and passwords when the "site authentication images" were removed. The study calls this method of protection ineffective... I'd argue that ~10% success is better than not trying... perhaps user education isn't up to par... but if you stop 1 in 10 phishing attempts with technology A and 1 in 10 with technology B, you may eventually be protecting 10 out of 10 users... After all, isn't layered security a common concept?
The study however isn't my concern... my concern is with the NYT article... It's misleading to readers... There's no flaw in the websites of major banks... and if I were these banks I'd be rather upset at the NYT for the equivalent of slander right now... As I said in the title, this article could have been called "Common Knowledge: Users Regularly Click-Thru"... This is where the problem lies. Users will commonly click Next... Call tech support, and what do they say? "Click Next until you're done" (this is negligence on the tech support company's part)... Instructions on websites will commonly say, click Next until you're done... Users have come to accept "Click Next until you're done" as the standard... in an effort to make computers easier for the average user... we've made them more vulnerable... we've been complacent in our duty to keep the end user informed... to pass along knowledge... Basically, we've failed them.
The problem now is how do we re-educate them... The NYT should be addressing and answering that question... addressing the issue of users that "Click-Thru"... This study is alarming, but not for the reasons that the NYT addresses... it's alarming because so few users know how to act and respond... They want the ease of use...
While it takes away some of the simplicity of daily banking... I would propose this solution. The technology should randomly display an incorrect picture... Should the user click through without flagging that it is indeed incorrect, the account would be locked until the user called the bank and had the lock removed... To ensure that phishing sites don't duplicate this... the second picture shown would then be the user's correct picture, so they would know they can proceed safely... After a user locks their account out once or twice, they'll learn to start looking at the image. To ensure they don't simply indicate that every initial image is incorrect, they should also have their account locked if they say "Not my image" to their real image...
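To make the proposed flow concrete, here is a small simulation of the decoy-image confirmation step described above. This is an added example, not code from the original post and not RSA's or PassMark's product; the `Account` model, the function names, the sample image pool, the 10% decoy rate and the three user behaviours are all assumptions made for illustration.

```python
# Added example, not from the original post or from RSA/PassMark: a small
# simulation of the decoy-image confirmation step proposed above. The Account
# model, function names, image pool and the 10% decoy rate are all assumptions
# made for illustration.
import random
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    PROCEED = "proceed"  # image step passed; the user may now enter a password
    LOCKED = "locked"    # account locked until the user phones the bank


@dataclass
class Account:
    username: str
    real_image: str
    locked: bool = False


# Constructed sample image library (the real product draws from thousands).
IMAGE_POOL = ["anchor", "bicycle", "lighthouse", "teapot", "umbrella"]


def pick_decoy(account, rng=random):
    """Choose any library image other than the user's real one."""
    return rng.choice([img for img in IMAGE_POOL if img != account.real_image])


def image_step(account, user_says_mine, show_decoy, rng=random):
    """Run the image-confirmation step for one login attempt.

    user_says_mine(image) -> True if the user confirms the image as theirs,
    False if they click "Not my image".  Returns (Outcome, images_shown).
    """
    if account.locked:
        return Outcome.LOCKED, []
    shown = []
    if show_decoy:
        decoy = pick_decoy(account, rng)
        shown.append(decoy)
        if user_says_mine(decoy):
            # Clicked through a wrong image: lock the account, as the post proposes.
            account.locked = True
            return Outcome.LOCKED, shown
    # No decoy was scheduled, or the user correctly rejected it: now show the
    # genuine image so they know it is safe to proceed.
    shown.append(account.real_image)
    if not user_says_mine(account.real_image):
        # Rejecting the real image locks too, so "always click Not my image"
        # is not a way to game the check.
        account.locked = True
        return Outcome.LOCKED, shown
    return Outcome.PROCEED, shown


def random_image_step(account, user_says_mine, rng, decoy_rate=0.1):
    """Schedule a decoy on a random fraction of logins (the rate is an assumption)."""
    return image_step(account, user_says_mine, rng.random() < decoy_rate, rng)


# Three user behaviours drawn from the post's discussion.
def attentive(account):
    return lambda image: image == account.real_image


def click_thru(_account):
    return lambda image: True  # "Click Next until you're done"


def always_reject(_account):
    return lambda image: False


def logins_until_lock(behaviour, seed=0, max_logins=200, decoy_rate=0.1):
    """Number of successful logins before the lock triggers, or None if the
    account never locks within max_logins attempts."""
    rng = random.Random(seed)
    account = Account("alice", "lighthouse")  # constructed sample user
    decide = behaviour(account)
    successes = 0
    for _ in range(max_logins):
        outcome, _shown = random_image_step(account, decide, rng, decoy_rate)
        if outcome is Outcome.LOCKED:
            return successes
        successes += 1
    return None


if __name__ == "__main__":
    for name, behaviour in [("attentive", attentive), ("click-thru", click_thru),
                            ("always reject", always_reject)]:
        print(f"{name:>13}: locked after {logins_until_lock(behaviour)} logins")
```

Running it shows the three outcomes the post argues for: the attentive user is never locked, the click-through user is locked the first time a decoy appears, and the user who reflexively answers "Not my image" is locked on the very first login. The decoy rate is the knob a bank would tune against the cost of the unlock phone call, which is exactly the convenience the post says users would have to give up.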
Re-education isn't always an easy task... and the end user is going to have to learn that to safely use a computer in 2007 they're going to have to give up a little bit of convenience... Just as Vista is introducing UAC, which adds a few clicks... banks should modify their systems to properly notify users and ensure that we break them of the "Click-Thru" habit...
Donna's Security Flash has also mentioned this briefly.
[Update] It appears as though the NYT has changed the title of the column to "Study Finds Web Antifraud Measure Ineffective"... I emailed the author (Brad Stone) and pointed him towards my blog post... I am, however, disappointed that he didn't credit me for the name change, or at least say why he did it.