- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Wed, 13 Sep 2006 09:19:02 +0300
- To: Naveen Agarwal <nagarwal@yahoo-inc.com>
- CC: "'Thomas Roessler'" <tlr@w3.org>, public-usable-authentication@w3.org, Research on current Internet anti-fraud techniques <anti-fraud@lists.cacert.org>
Naveen: I wish to congratulate you on the Yahoo! tool. It is a simple,
useful indicator.
Our experiments show a significant advantage to user-customized
indicators like yours, and they are also more robust to fake internal
window (PIP) attacks. BTW, in our experiment, we clarified to users the
distinction between the content area and the chrome area (in terms of
trust), and still had very high (37%) spoof rate using `classical`
browser indicators. So I don't think users' lack of sufficient attention
to the chrome areas is due (only) to lack of understanding. Better
indicators can help a lot (although I think we can and should do even
more than indicators).
We are now working on a much larger experiment and may include a
Yahoo-like indicator. Anybody interested in cooperating in the
experiment, please contact me.
We present our existing experiment results in:
*Security and Identification Indicators for Browsers against
Spoofing and Phishing Attacks*
/Amir Herzberg and Ahmad Gbara/
available at http://eprint.iacr.org/2004/155.
I also recently posted another article, reviewing the basic problems and
some solutions, including some details of the registry solutions I'm
advocating (certificate registry and content registry):
*Browsers Defenses Against Phishing, Spoofing and Malware*, available at
http://eprint.iacr.org/2006/083
Comments welcome.
Best, Amir
Naveen Agarwal wrote:
> Some of you may have already seen this. Yahoo! has implemented a very
> easy to use sign-in seal to help users recognize a genuine Y! login
> page. The seal is not tied to any user but to the browser/PC and to
> set it up a user doesn't need to enter any username/password either.
> With a personal picture it is very easy to recognize and use and there
> are no extra steps to perform when doing a login i.e. the login flow
> remains as simple as it is today.
>
> https://protect.login.yahoo.com/
>
> Thanks
>
> Naveen
>
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of
> Mary Ellen Zurko
> Sent: Monday, September 11, 2006 9:59 AM
> To: Thomas Roessler
> Cc: public-usable-authentication@w3.org
> Subject: Re: Status Update on W3C Security Work
>
> This story seems timely. If consumers are going to hold institutions
> accountable for phishing losses, institutions are going to demand an
> infrastructure that they can reasonably use to thwart phishing attacks.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
> http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
>
Received on Wednesday, 13 September 2006 06:25:06 UTC