The Harvard/MIT study of Bank of America's web site security, including SiteKey system and SSL certificate verification (see New York Times and Slashdot), tackles the problem of real users using real websites to see how they respond to the authentication protocols. The security, for the most part, failed the users, with the researchers citing difficulties in testing the usability of these controls.
Slashdot comments, as expected, complain about the intractability of the Trainables in their charge, diminishing the argument to "Users == Lusers."
I couldn't find a fleshy threat model in the study's methodology. The subjects (recruited from Harvard Yard) were asked to log on to the bank's legitimate website on a university computer under the guise of testing usability. Meanwhile, the researchers played pranks on their browsers, causing it to display incorrect information regarding SiteKey and SSL certificates. It seems to me that the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack. My understanding of published incidents is that phishing generally originates with a convincingly deceptive e-mail containing a link to a phony banking site, or through a keystroke logger. A more interesting question for me would be "Would the users pay more attention to the security clues if they were following an e-mail link?" The common credential collection trojan appears to be outside the scope of the research.
Since Harvard students should probably pride themselves on not being representative of the populace as a whole, I can't see that there's a tremendous amount that can be taken from this research. The approach seems more like an episode of "Punk'd" (even though I've never watched it) or "Candid Camera" (which I have) or the Jim Coyle/Mel Sharpe stuff (which I love, but no link! I'm shocked!). Is there a difference between a drawing a valid audit (or research) conclusion and just giving a Muntz-esque "Ha Ha" followed by a "Stop hitting yourself"?
Monday, February 5, 2007
Posted by Dutcher Stiles at 3:43 PM