Study: surfers ignore common security cues on banking sites

Study: surfers ignore = common security cues on banking sites

By Eric Bangeman | Published: February 05, 2007 - 02:22PM CT

Password protection has its limitations, especially when it comes to things like online banking. That= 's why millions of phishing attempts are made every day—it's relatively easy to craft realist= ic-lookin= g web pages that convince users to divulge passwords and other personal details. Financial institutions = are well aware of this and as a resu= lt, have come up with additional authentication measures for their customers. A new study co<= /st1:PersonName>nducted by researchers from MIT and Harv= ard casts doubts on the efficacy of such measures.

Researchers studied a system used by a handful of financial institutions where cus= tomers select = an image that will always be displayed when they log int= o their account. The site authentication images are= a cue for bank customers that th= e page they are viewing is in fact legitimate.

Last fall, the researchers took 67 study participants and watched them go thr<= st1:PersonName st=3D"on">ough typical = online banking activities. The researchers had removed the site authentication images to see how many of the partic= ipants would log in anyway.= The results were disturbing. Of the 60 participants who made it thr= ough the stud= y (the other seven failed to follow instructi<= /span>ons or didn't have their actions fully cap= tured by researchers), only two of them found s= omething fish= y with the image-less login pages and refused to log in. The other 58 sign= ed on with littl= e or no trepidation.

Even more tr= oubling is th= at 20 of the partic= ipants were given additional instruct= ions "to behave securely." Despite the warnings, lack of site authentication images, an= d even the researchers' introducing some blatant spelling errors, the participants willingly logged in and attempted to go about their online banking business. "We were surprised to find that p= articipants assigned to the security primed group behaved l= ess securely than those in the r<= /span>ole playing g= roup, who had no security-priming," noted the stud= y's authors.

The study's conclusions sh= ould give add= ed hope t<= st1:PersonName st=3D"on">o phishers around the world: users typically don't play cl<= /span>ose attention to security in= dicators. All participants entered their passwords even whe= n the HTTPS indicators were rem<= /span>oved indicati= ng that the site they were accessing was not secure. Si= te authentication images wer= e of little help either, as removing the ima= ge and replacing it with a "this site is being upgraded" message failed = to deter the v= ast majority of subjects.<= o:p>

It's a disturbing bit of news for banks that= have struggled with the question of how to tighten up = their own security measures. Some instituti= ons have gone t<= st1:PersonName st=3D"on">o a two-factor authentication system consisting of a password and a USB= key that flashes a code that changes every minute. Customers are req= uired to enter their password and the c= ode fr= om the key, b= ut even th= at's not phisher-proof: using a man-in-the-middle attack, Russian phishers attempted to extract the= passwords and codes from unwary Cit= ibank customers and then authenticate to Citibank wi= thin the 60-second time fram= e allowed by the c= ode.

Many banks see authentication systems th= at require an extra piece of hardware a= s not worth their ti= me because they believe customers won't want to use them, s= o they have enthusiastically embraced soluti<= st1:PersonName st=3D"on">ons like site authentication images to the point where th= ey assure customers that if= they see the image, they're at the right web site. "When you see your image, y<= /span>ou can be confident that= you're = on Vanguard.c= om and not an imposter site an= d can safely enter your password," sa= ys Vanguard's enhanced logon FAQ page, despite the fact that site authenticati= on image sign= -o= ns are vulner= able to attacks (PDF) similar to the = one described= above.

Some analysts suggest that banks are more c<= st1:PersonName st=3D"on">oncerned with= the image of security rather than being secure. That's an oversimplific= ation. As the st= udy suggests, the problem is much= more c<= st1:PersonName st=3D"on">omplex than settling on the proper authenti= cation scheme. Un= til surfers learn to rec<= st1:PersonName st=3D"on">ognize and obey cues tha= t tell them whether it's safe to be divulgin= g personal informati= on, n<= st1:PersonName st=3D"on">o system is g= oing t= o be f= oolproof.