Monday, February 5, 2007

Testing the User or Phunk'd

The Harvard/MIT study of Bank of America's web site security, including SiteKey system and SSL certificate verification (see New York Times and Slashdot), tackles the problem of real users using real websites to see how they respond to the authentication protocols. The security, for the most part, failed the users, with the researchers citing difficulties in testing the usability of these controls.

Slashdot comments, as expected, complain about the intractability of the Trainables in their charge, diminishing the argument to "Users == Lusers."

I couldn't find a fleshy threat model in the study's methodology. The subjects (recruited from Harvard Yard) were asked to log on to the bank's legitimate website on a university computer under the guise of testing usability. Meanwhile, the researchers played pranks on their browsers, causing them to display incorrect information regarding SiteKey and SSL certificates. It seems to me that the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack. My understanding of published incidents is that phishing generally originates with a convincingly deceptive e-mail containing a link to a phony banking site, or through a keystroke logger. A more interesting question for me would be "Would the users pay more attention to the security clues if they were following an e-mail link?" The common credential-collection trojan appears to be outside the scope of the research.

Since Harvard students should probably pride themselves on not being representative of the populace as a whole, I can't see that there's a tremendous amount that can be taken from this research. The approach seems more like an episode of "Punk'd" (even though I've never watched it) or "Candid Camera" (which I have) or the Jim Coyle/Mel Sharpe stuff (which I love, but no link! I'm shocked!). Is there a difference between drawing a valid audit (or research) conclusion and just giving a Muntz-esque "Ha Ha" followed by a "Stop hitting yourself"?


Alex said...

Hi Dutcher - Love the site.

You know, you hit on exactly what my problem with this study is:

the researchers were solving for a very narrow set of threats, primarily a man-in-the-middle or a DNS spoofing attack.

It also assumes that there are no other authentication controls in place (like Cyota, for example) and that if I had phished your username and password, BoA (or any other bank) wouldn't be able to lock me out because I couldn't guess your special picture or what have you...

Now I understand that "usable security" is a new hot topic and all, but is it THAT important? Usable security begs the question - out of the supposed 600 million Internet users, are we to assume that the majority of them are capable of being educated about security concepts beyond looking for the "lock symbol"?

Dutcher Stiles said...

Thanks, Alex. Enjoy your site - thanks for opening up y'alls methodology.

I remember seeing Dan Kaminsky predict the end of online banking in five years at Defcon 13, so I guess we have a couple left.
I don't know how long the banks can keep up the arms race against the phishermen. Is there any future for the current authn/authz architecture?

Best results may come from tossing it all away and starting fresh.