Users ignore online security warnings – study
Little padlocks, https, phishing filters … all the little things implemented in browsers to warn users of the authenticity of the website they are using aren’t worth the time spent developing them.
A new research paper details the behaviour of different groups of people tasked with making an online banking transaction, and finds a woeful lack of attention even to the elements that many in the industry would look to first for assurance.
The research divided people into three groups: one ‘role-playing’ group was given no guidance, another ‘role-playing’ group had previously been told that they should be monitoring security during the test, and a third group was told to actually make the transaction through their own bank accounts.
Incredibly, all the participants in all the groups entered their passwords even when the https signifier was removed. When site-authentication images were removed and the site notified the user that they shouldn’t log in if that image was not present, only two participants using their own accounts withheld their credentials. All of the other participants in all of the groups continued regardless.
The paper noted that even if such an image is present, it should not be seen as a green light to continue if other security indicators are not present. ‘It is also important to note that the presence of a site-authentication image does not guarantee that a connection is secure or that it is safe to enter a password: site-authentication images have been shown to be vulnerable to man-in-the-middle attacks that capture and display the user’s site-authentication image,’ it reads.
In fact, one participant admitted that the presence of the authentication image had been the reason they had continued with the transaction, despite warnings to the contrary. ‘Eventually, I ignored the IE warning and, on seeing the proper [site-authentication image], entered the … password.’
Even more concerning is that eight of the 22 participants using their own accounts continued with the transaction, despite being warned that it was unsafe to do so.
The upside of the study was that participants using their own accounts did at least behave more securely than the role-playing groups. But the security-primed role-players behaved less securely, giving away more passwords, than those who weren’t told of the security context of the task.
This has particular relevance for developers testing out security features, and calls into question how relevant role-playing is for these purposes.
‘Telling people in a study that you’re actually evaluating security features doesn’t seem to make them act in any more safe a fashion!’ said Symantec’s Zulfikar Ramzan.
The paper was written by Stuart Schechter (MIT Lincoln Laboratory), Rachna Dhamija (Harvard University & CommerceNet), Andy Ozment (MIT Lincoln Laboratory & University of Cambridge) and Ian Fischer (Harvard University).
It is available as a PDF here.