Speaker: Rachna Dhamija, Harvard University
Title: The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies
Abstract:
In this talk, I will present the results of a usability study of
new website authentication measures designed to protect users from
"phishing" and other site forgery attacks. We asked 67 bank customers to
conduct common online banking tasks. Each time they logged in, we presented
increasingly alarming clues that their connection was insecure. First, we
removed HTTPS indicators. Next, we removed the participant's
site-authentication image---the customer-selected image that users should
verify before entering their passwords. Finally, we replaced the bank's
login page with a warning page. After each clue, we measured whether
participants entered their passwords or withheld them.
We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% of participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role-playing affects participants' security behavior in usability studies: those who played a role behaved significantly less securely than those who used their own passwords.