1st TIPPI Workshop

Trustworthy Interfaces for Passwords and Personal Information

Speaker: Min Wu,    MIT Computer Science and Artificial Intelligence Lab.

Title: Users are not dependable - how to make security indicators to better protect them

Users have long been recognized as "the weakest link" in operational security systems. Not surprisingly, an increasing number of attacks target this weak link directly. If attackers can easily trick users into taking critical tasks that will compromise their security, they do not have to try hard to directly attack the system. One prevention scheme that has been proposed is a security indicator - such as a web browser plug-in - that visually instructs users whether or not the current safe is trustworthy, and thus whether or not it is safe to take critical actions. We have performed two user studies to test this prevention scheme.

One user study was to test if a security toolbar in a web browser is effective to prevent phishing attacks. The security toolbar displays security information about the website. Even though the phishing attackers can fake web pages displayed in a browser, it is hard for them to fake the security information inside the toolbar. However, users in the study were tricked by simulated phishing attacks into revealing their username and password 34% of the time. What's more, none of the users even had their suspicions raised.

The other user study was to test our new authentication mechanism for logging into web sites through a public Internet terminal with a cell phone. Each loin attempt was associated with a unique randomly generated session name, which was displayed both in the terminal's web browser and on the user's cell phone. Users allowed a login attempt from the browser by approving the corresponding session name on their phone. In the study simulated attacks can present a different session name on the phone. Users erroneously approved the attacker's session name 30% of the time without checking their session name in the browser. As a result, they allowed the attacker to log into their accounts.

We conclude that the security indicator checking scheme does not work because it can not directly prevent users from taking critical actions under attacks. Some users tend to ignore the indicator because constantly checking it needs extra effort. Other users do not believe the indicator's presence under attacks and apply their own explanations to its presence such as system bugs or poorly designed websites.

A promising approach was shown by the second part of the cell phone authentication user study. The cell phone interface was redesigned so that instead of simply approving a session name users were obliged to choose the session name from a short list of choices. Even though the attacker can still present his list of choices on the phone, there was little chance that his list included the user's session name in the browser. Under attacks, users cannot choose any session name from the list except to drop the current login attempt. As a result, the spoof rate dropped to zero. By integrating the security indicator into the user's critical actions, the new design forces users to attend to the security indicator and prevents them from rationalizing away the indicator's presence.

This is joint work with Simson Garfinkel and Rob Miller.

Back to TIPPI workshop page