RE: Study Finds Security Flaws on Web Sites of Major Banks - New York Times (http://www.nytimes.com/2007/02/05/technology/05secure.html?_r=1&th=&oref=slogin&emc=th&pagewanted=print)

I've just finished reading this paper. It's really very good.
Congratulations to Stewart and Rachna on the excellent work.

The study results from showing the IE7 warning page to the group using
their own online banking account are particularly sobering. My takeaway
from that result is that when offered the choice between "give up and go
away", or "proceed into danger", a significant number of users will
decide there's only one option: "proceed into danger". We should keep
this in mind when creating our recommendations. We need to provide an
explicitly stated and more attractive option.

That a third of the participants using their own account proceeded past
the warning page also points to another problem I think. We have a
marketplace in which users bear a small fraction of the cost of online
fraud against their own account. Credit cards have specific and low
limits on liability. Many banks and stock trading sites offer to make
the customer whole on any fraud losses. In this environment, I suspect
many users take the approach that they will proceed with their task no
matter what and rely on these safety nets if there are any problems. My
own informal polling of a few users bears out this hypothesis. Did your
post-study interviews shed any light on this issue? If this hypothesis
is true, I think it creates a non-trivial built-in failure rate for any
security information presentation this WG recommends.

Tyler


> -----Original Message-----
> From: public-wsc-wg-request@w3.org 
> [mailto:public-wsc-wg-request@w3.org] On Behalf Of Stuart E. Schechter
> Sent: Monday, February 05, 2007 10:39 AM
> To: Mary Ellen Zurko; public-wsc-wg@w3.org
> Cc: Rachna Dhamija
> Subject: Re: Study Finds Security Flaws on Web Sites of Major 
> Banks - New York Times 
> (http://www.nytimes.com/2007/02/05/technology/05secure.html?_r
> =1&th=&oref=s login&emc=th&pagewanted=print)
> 
> 
> Mez: 
> 
> Thanks for the plug.  The paper is now publicly available from:
> 
>    <http://usablesecurity.org/emperor/?ref=w3c>
> 
> Cheers
> 
> Stuart
> 

Received on Monday, 5 February 2007 20:07:55 UTC