- From: Naveen Agarwal <nagarwal@yahoo-inc.com>
- Date: Wed, 13 Sep 2006 00:06:25 -0700
- To: "'Amir Herzberg'" <herzbea@macs.biu.ac.il>
- Cc: <public-usable-authentication@w3.org>, "'Research on current Internet anti-fraud techniques'" <anti-fraud@lists.cacert.org>
Thanks Amir. One challenge we face is that users are so programmed to entering a username and password on a login page that as soon as they see something that looks like a login page, they start typing and hit enter. And while the page is being submitted to the server, they look at anything else (URL, chrome). I have had a few of my friends phished this way who did realize (that they were phished) just at the same time they hit enter. So anything in the chrome will almost always fail to stop the attack in a simple web form that is used very often. So it was very important to us to have the indicator as close to the login field as possible. I think the chrome indicators may be more useful when credit card and other information is being requested, as more users will try to be a bit more careful.

I'm sure everyone will agree that personalized indicators (your own selected picture) catch your attention much better than something you may have to select. So far the feedback from our users has been really positive.

Thanks
Naveen

-----Original Message-----
From: public-usable-authentication-request@w3.org [mailto:public-usable-authentication-request@w3.org] On Behalf Of Amir Herzberg
Sent: Tuesday, September 12, 2006 11:19 PM
To: Naveen Agarwal
Cc: 'Thomas Roessler'; public-usable-authentication@w3.org; Research on current Internet anti-fraud techniques
Subject: Experiments support for user-customized indicators such as Yahoo's new tool

Naveen: I wish to congratulate you on the Yahoo! tool. It is a simple, useful indicator. Our experiments show a significant advantage to user-customized indicators like yours, and they are also more robust to fake internal window (PIP) attacks. BTW, in our experiment, we clarified to users the distinction between the content area and the chrome area (in terms of trust), and still had a very high (37%) spoof rate using `classical` browser indicators. So I don't think users' lack of sufficient attention to the chrome areas is due (only) to lack of understanding. Better indicators can help a lot (although I think we can and should do even more than indicators).

We are now working on a much larger experiment and may include a Yahoo-like indicator. Anybody interested in cooperating in the experiment, please contact me.

We present our existing experiment results in: *Security and Identification Indicators for Browsers against Spoofing and Phishing Attacks*, Amir Herzberg and Ahmad Gbara, available at http://eprint.iacr.org/2004/155. I also recently posted another article, reviewing the basic problems and some solutions, including some details of the registry solutions I'm advocating (certificate registry and content registry): *Browsers Defenses Against Phishing, Spoofing and Malware*, available at http://eprint.iacr.org/2006/083

Comments welcome.

Best, Amir

Naveen Agarwal wrote:
> Some of you may have already seen this. Yahoo! has implemented a very
> easy to use sign-in seal to help users recognize a genuine Y! login
> page. The seal is not tied to any user but to the browser/PC, and to
> set it up a user doesn't need to enter any username/password either.
> With a personal picture it is very easy to recognize and use, and there
> are no extra steps to perform when doing a login, i.e. the login flow
> remains as simple as it is today.
>
> https://protect.login.yahoo.com/
>
> Thanks
>
> Naveen
>
> *From:* public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] *On Behalf Of
> *Mary Ellen Zurko
> *Sent:* Monday, September 11, 2006 9:59 AM
> *To:* Thomas Roessler
> *Cc:* public-usable-authentication@w3.org
> *Subject:* Re: Status Update on W3C Security Work
>
> This story seems timely. If consumers are going to hold institutions
> accountable for phishing losses, institutions are going to demand an
> infrastructure that they can reasonably use to thwart phishing attacks.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
> http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
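The thread describes a sign-in seal that is bound to the browser/PC rather than to a user account and is rendered right next to the login fields. The following is an added illustration of that mechanism in Python; it is not Yahoo's implementation and is not taken from any message above. It assumes a server-side store keyed by an opaque token carried in a cookie, an HMAC to detect cookie tampering, and the names `SealStore`, `sign_cookie`, `verify_cookie` and `render_login_page`, all of which are this example's own. The defensive property it shows is that a page on a different origin never receives this cookie, so it cannot reproduce the seal; the caveat, also from the thread, is that a new browser or PC has no seal until the user sets one up there.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed for this example: in production this key lives in the server's
# secret configuration and is never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie(token: str) -> str:
    """Append an HMAC so a modified cookie is rejected on the way back in."""
    mac = hmac.new(SERVER_KEY, token.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"


def verify_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the opaque token if the cookie's HMAC checks out, else None."""
    if not cookie or "." not in cookie:
        return None
    token, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, token.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return token


class SealStore:
    """Server side: maps a per-browser token to the seal text (or image id) the
    person using that browser chose. Nothing here is keyed by username, which is
    why setting up a seal does not require entering credentials."""

    def __init__(self) -> None:
        self._seals: Dict[str, str] = {}

    def create_seal(self, seal: str) -> str:
        """Enrol a browser: store its chosen seal and return the cookie value to
        set (the real response would add Secure, HttpOnly and a long Max-Age)."""
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be enumerated
        self._seals[token] = seal
        return sign_cookie(token)

    def seal_for_cookie(self, cookie: Optional[str]) -> Optional[str]:
        """Look up the seal for an incoming request; None means 'show no seal'."""
        token = verify_cookie(cookie)
        if token is None:
            return None
        return self._seals.get(token)


def render_login_page(store: SealStore, cookie: Optional[str]) -> str:
    """Render the seal immediately above the credential fields, where the user
    is already looking, rather than only in the browser chrome."""
    seal = store.seal_for_cookie(cookie)
    if seal is None:
        banner = "<p class='seal-missing'>No sign-in seal is set up on this browser.</p>"
    else:
        banner = f"<p class='seal'>Your sign-in seal: [{seal}]</p>"
    return (
        "<form method='post' action='/login'>"
        f"{banner}"
        "<input name='user'><input name='pw' type='password'>"
        "<button>Sign in</button></form>"
    )


if __name__ == "__main__":
    store = SealStore()
    cookie = store.create_seal("sunset photo")      # enrolment on the genuine site
    print(render_login_page(store, cookie))          # genuine site, same browser
    print(render_login_page(store, None))            # another origin, or a new PC
```

A phishing page hosted elsewhere is in the second situation: the browser does not attach this cookie to it, so the best it can do is omit the seal or show a generic one, which is exactly the difference the user is trained to notice.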
Received on Wednesday, 13 September 2006 07:08:03 UTC