field study of online bank authentication security, and Site Authentication Images

Jun 19, 2007

Someone pointed me to this interesting study done about online bank authentication and how people react to security measures being removed. (Quick summary: they don't.) It's another example of the emerging HCISEC field that examines crossover between HCI and security that I'm interested in. So I read it. (Also covered in NY Times.)

The researches collected a number of people at Harvard campus, most of them students, and told them all individually to go through a number of online banking tasks. Some were using their own personal account info and some were using "role-playing" info for fictional users. They were told to log in to an e-bank (I understand the whole thing was US-based so it was an US e-bank) and do some tasks. What exactly doesn't matter, because the researchers were only interested in the act of logging in, and disregarded what happened later.

They found that people mostly disregard all sorts of warning pages and indicators and don't really pay attention to details like HTTPS protocol or security indicators. This again underlines that many of the current user-facing Internet security features have been designed by geeks, for geeks, as patchwork to original Internet design that didn't have any of it in the first place. The features are good technology but difficult to understand and use for the user, and people tend to disregard things that don't directly affect their ability to conduct the given "core task". Whether or not the site has HTTPS indicator doesn't seemingly affect my ability to check my balance. It may make me less secure in the long run, but since it's only a risk that's never 100% materialized (not all computers have malware on them, and not all credentials collected by phishing are used), it's more cost-effective to me as a person to simply shun this off as "yet another silly error that this computer is showing me but that I can get past with clicking OK", and get my actual core task done.

It also had interesting lessons for security researchers, noting that there was a notable difference between people who were roleplaying vs people using their own credentials. If you are working with your own personal assets, you obviously think a bit more about what you're doing and the possible risks.

Site Authentication Images

One new security feature of many sites that I learned about in this study was "Site Authentication Images". It seems to have many different names, like "SiteKeys", or more scientifically "augmenting password logins". The idea is simply that you specify an image or passphrase that the site "remembers" (on a cookie in your computer), and you should only log in if you see this same image the next time. Even people like Yahoo! now seem to be using this.


I'm having mixed feelings about this feature.

On the down side, it seems to be security theater. It's not really contributing to the actual authentication process, only the user's decision of whether to move forward with it, possibly overshadowing other and more critical factors like HTTPS. And since it's relying on local storage, it also sounds like something that any sort of malware could extract out of your computer fairly easily, passing it on to a phishing site and thus rendering it useless (a phishing site could then display the same thing to you).

One the other hand, phishing is these days a major threat to personal data integrity, and maybe this makes things indeed more secure for some people and sites. And I'm a big believer in visualization and personalization and I've often went around and said "this or that feature must have images, not just text". So this feature might help users to develop a closer relation with the site that they're using and actually start paying more attention to the forms, so that if their image is indeed missing one day, they'll notice it (although the study quoted above has shown empirically otherwise). And comparing to implementing proper secure multi-factor authentication, this image thing is cheap and quick to implement. Proper security is hard and takes time and money.