For years now, security advocates have been promoting a model in which providers of sensitive information (banks, mortgage houses, holders of any kind of Social Security-driven data, etc.) use stronger authentication measures than a simple username and password and additionally integrate visual cues to help users make sure the site they are entering their information into is the real site. One such implementation of this authentication method is called SiteKey. SiteKey uses a combination of a custom phrase and an image that the user selects from a gallery, ostensibly to verify to the end user that the site they are logging into is, in fact, the legitimate endpoint the customer wants. Researchers at MIT have undertaken a study and proven conclusively (albeit with a limited data set) that most mainstream users will find this protection ineffective because they will not pay attention to whether these visual cues are present.
Personally, this rather confirms my view on security: security measures are only as good as the understanding and appreciation a user applies to them.
The Emperor's New Security Indicators
MIT - The Emperor's New Security Indicators
NY Times - Study finds Web Antifraud Measure Ineffective
The Study - For those who don't have the time to read the whole thing.
This excerpt is taken from the abstract provided at the above link - a basic summary of the full report:
"We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicators. Next, we removed the participant's site-authentication image---the customer-selected image that many websites now expect their users to verify before entering their passwords. Finally, we replaced the bank's login page with a warning page. After each clue, we measured whether participants entered their passwords or withheld them.
We also investigate how a study's design affects participant behavior: we asked some participants to play a role and others to use their own accounts and passwords. We also presented some participants with security-focused instructions.
We confirm prior findings that users ignore HTTPS indicators: no participants withheld their passwords when these indicators were removed. We present the first empirical investigation of site-authentication images, and we find them to be ineffective: even when we removed them, 92% of participants who used their own accounts entered their passwords. We also contribute the first empirical evidence that role playing affects participants' security behavior: role-playing participants behaved significantly less securely than those using their own passwords."
Boiling it Down
My own brief synopsis for those who want to spend even less time reading:
HTTPS Cues Removed - 100% Attack Success (63/63)
Site Authentication Removed - 97% Attack Success (58/60)
Warning Page Presented - 53% Attack Success (30/57)
The "phished" site was actually the Bank of America customer login. The SiteKey login system tested in this research report is also being implemented at several other large banks and financial institutions, including Countrywide Home Loans.
User Error
This is the first empirical evidence that two-way authentication using shared secrets (the user identifying with a username and authenticating via a password, the server authenticating its identity with the image and phrase the user selected) is an ineffective safeguard against phishing attacks. Further, the fact that more than half of the studied users would continue to enter sensitive banking information despite being presented with a warning page admonishing that "there is a problem with this website's security certificate" speaks strongly to the propensity of mainstream users to ignore security protections that are not integral to the login itself. I would submit that a protection method that integrates authentication by its very nature (such as RSA SecurID tokens) would be a much more effective safeguard against phishing.
I would further point out that, although this study shows that the end user is usually unaware of SSL identification clues such as the color of the address bar, a lock symbol, etc., the inherent protection that SSL-encrypted tunneling provides against man-in-the-middle attacks, together with the increasingly visible cues and warnings in the latest editions of most major browsers (and particularly MSIE7), makes a case that user recognition should improve over time as these interface references become better understood by the mainstream browsing audience.
Measures such as RSA's SecurID keyfobs and certificate-based smartcards introduce logistical problems (loss/theft) and escalate security costs, but they all but remove the user from the security of their account. Using third-party tokens of this nature changes the paradigm of the security login. In the case of the keyfob, a combination of serial number and passkey could be phished, but that would limit the potential attack window to a mere 60 seconds before the algorithm rotates the valid login key. In the case of a smartcard, although the authenticating user's credentials can be observed while an SSL session is built, the private key contained on the smartcard is never sent over the wire, owing to the nature of asymmetric encryption, and thus remains secure and unavailable to phishers.
Some argument could be made that implementing a what-you-have factor of authentication allows phishing via low-tech theft of the token, but I would submit that this is of no more impact than the loss or theft of a credit card is today, and similar procedures could be implemented for revocation and re-issuance. Further, this threat could be mitigated by combining the token-based approach with the password implementations of today's websites. A smartcard with certificates issued by a fully integrated enterprise PKI infrastructure at the bank would be relatively easy (although not inexpensive) to integrate into banking portals. (On a personal note, I would be willing to pay an additional $5 or $10 for secured access to a smartcard-integrated banking portal at my bank.)
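The two preceding paragraphs make two claims worth seeing in code: a phished one-time code is only useful until the token rotates, and the token should be combined with the existing password factor. The following is an added example, not code from the original post and not RSA's algorithm; it uses RFC 6238 TOTP (HMAC-SHA1 over a time counter) as a stand-in for the proprietary keyfob, with a 60-second step to match the rotation discussed above. The secret, salt, timestamp and password are constructed demo values.

```python
"""Added example: server-side verification of a rotating token combined with a
password factor. TOTP (RFC 6238) stands in for the proprietary keyfob algorithm."""
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 60   # rotation interval discussed in the post
CODE_DIGITS = 6


def totp(secret: bytes, at_time: int, step: int = TIME_STEP_SECONDS,
         digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte time counter, dynamically truncated."""
    counter = at_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the something-you-know factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenLogin:
    """Two-factor check: password (something you know) plus token code (something you have)."""

    def __init__(self, password: str, token_secret: bytes) -> None:
        self.salt = b"constructed-demo-salt"   # constructed; use os.urandom(16) in practice
        self.password_hash = hash_password(password, self.salt)
        self.token_secret = token_secret
        self.last_counter_used = -1            # replay protection: a code is accepted once per step

    def verify(self, password: str, code: str, now: int) -> bool:
        # Password factor first; compare_digest avoids a timing side channel.
        if not hmac.compare_digest(hash_password(password, self.salt), self.password_hash):
            return False
        counter = now // TIME_STEP_SECONDS
        if counter <= self.last_counter_used:
            return False                        # this time step's code was already consumed
        if not hmac.compare_digest(totp(self.token_secret, now), code):
            return False                        # stale or forged code
        self.last_counter_used = counter
        return True


def phishing_window_demo() -> dict:
    """Constructed scenario: a fake site captures the password and the current code at t0.
    The captured pair works only inside the same 60-second step and only once."""
    secret = b"constructed-token-seed"
    password = "correct horse battery staple"
    account = TokenLogin(password, secret)
    t0 = 1_700_000_000                          # constructed timestamp (t0 % 60 == 20)
    captured_code = totp(secret, t0)
    return {
        "replay_within_window": account.verify(password, captured_code, t0 + 20),
        "second_replay_same_window": account.verify(password, captured_code, t0 + 30),
        "replay_after_rotation": account.verify(password, captured_code, t0 + 120),
        "wrong_password_fresh_code": account.verify("wrong", totp(secret, t0 + 120), t0 + 120),
        "legitimate_login_later": account.verify(password, totp(secret, t0 + 120), t0 + 120),
    }


if __name__ == "__main__":
    for name, outcome in phishing_window_demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The strict equality on the time counter keeps the example simple; a production verifier usually tolerates one step of clock drift in either direction, which widens the window accordingly, and still records the highest counter accepted so a captured code cannot be replayed.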
Users are the Weakest Link
In the end, any implementation of website security protection that relies solely on a secret the user knows will always be forced to rely on the end user's understanding and awareness in recognizing and protecting themselves against dangerous situations. Until banks and other purveyors of sensitive data are willing to recognize that the cost of security breaches far outweighs the potential cost of a token issuance system, I would expect to see more of these negative reports on the imposed security of shared-secret systems in the future.