Harvard and MIT Researchers…?
February 5th, 2007 | by john

I saw an article on Slashdot today which led me to an NY Times article titled Study Finds Web Antifraud Measure Ineffective. In the article, an experiment was conducted in which the researchers brought in 67 Bank of America customers in Boston and asked them to conduct day-to-day online banking activities. To give you some background, Bank of America's online banking site uses SiteKey, a simple extra layer of authentication for its users. The idea is that you select an image to represent your account; it acts as a visual key, so that before you enter your password you can confirm that the site you are logging into is the legitimate site and not some phishing site. Here's a snippet from the article that best summarizes the study:
“The premise is that site-authentication images increase security because customers will not enter their passwords if they do not see the correct image,” … “From the study we learned that the premise is right less than 10 percent of the time…” He added: “If a bank were to ask me if they should deploy it, I would say no, wait for something better,” he said.
… the study demonstrated that site-authentication images are fundamentally flawed and, worse, might actually detract from security by giving users a false sense of confidence.
The study found that 60 out of the 67 subjects in the experiment still entered their password even when the experimental website did not display a SiteKey image at all. Apparently, from this result, the researchers concluded that features like SiteKey only give everyone a 'false sense of confidence' because their experimental subjects neglected the security layer altogether.
Now, I certainly hope that I am not the only one here who can't make logical sense of how they went from result to conclusion. Not to take any credit away from these researchers, but if I set their conclusion aside and focus on the results, the conclusion I reach for myself is that people don't understand the risk of neglecting security measures such as this. I think that instead of degrading such features and recommending that institutions "wait for something better," researchers either need to find how best to make people aware of security risks and/or find that "something better" that will resolve this issue altogether (if there is such a thing). It is as if the study addressed one problem with two variables, but the 'solution' on the other side of the equation refers to only one of them. Meaning? It's not a flaw in such systems, it's a flaw in human judgment.
For the sake of argument, let's adopt the conclusion of the experiment. From it, we can generalize that any security scheme that depends on a human being is flawed because… well, because of the human inability to make absolutely correct judgments. So, for example, PINs and passwords are all flawed because people give them away when they fall victim to a phishing scheme. Likewise, the idea of ATM cards is flawed because people get them stolen. A bit far-fetched, but theoretically, a 256-bit RSA encryption scheme is flawed because it can eventually be decrypted by an intellect (artificial or not) as time approaches infinity.
I wonder how many man-hours and how much money were spent carrying out and studying this experiment. Certainly, all those resources could have been better spent on research into how security can be improved, not on undermining a measure intended to thwart phishing. I would consider this experiment incomplete until "something better" comes out of it.
In other news, tomorrow, we're probably going to see the result of a study that concludes that the idea of cars is flawed because humans who drive them cause accidents. So everyone should walk while twiddling their thumbs until "something better" comes along.