"The Emperor's New Security Indicators"

http://www.usablesecurity.org/emperor/emperor.pdf


Abstract
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, 'phishing', and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image, the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's password-entry page with a warning page. After each clue, we determined whether participants entered their passwords or withheld them.

We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions.

We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 23 of the 25 (92%) participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords.

Received on Thursday, 12 April 2007 23:03:45 UTC