Mohammad Mannan
P. C. van Oorschot
ABSTRACT
Online banking is one of the most sensitive tasks performed by general Internet users. Most traditional banks now offer online banking services, and strongly encourage customers to do online banking with 'peace of mind.' Although banks heavily advertise an apparent '100% online security guarantee,' typically the fine print makes this conditional on users fulfilling certain security requirements. We examine some of these requirements as set by major Canadian banks, in terms of security and usability. We opened personal checking accounts at the five largest Canadian banks, and one online-only bank. We found that many security requirements are too difficult for regular users to follow, and believe that some marketing-related messages about safety and security actually mislead users. We are also interested in what kind of computer systems people really use for online banking, and whether users satisfy common online banking requirements. Our survey of 123 technically advanced users from a university environment strongly supports our view of an emerging gap between banks' expectations (or at least what their written customer policy agreements imply) and users' actions related to security requirements of online banking. Our participants, being more security-aware than the general population, arguably makes our results best-case regarding what can be expected from regular users. Yet most participants failed to satisfy common security requirements, implying most online banking customers do not (or cannot) follow banks' stated end-user security requirements and guidelines. The survey also sheds light on the security settings of systems used for sensitive online transactions. This work is intended to spur a discussion on real-world system security and user responsibilities, in a scenario where everyday users are heavily encouraged to perform critical tasks over the Internet, despite the continuing absence of appropriate tools to do so.
- A. Adams and M. A. Sasse. Users are not the enemy. Comm. of the ACM, 42(12), 1999. Google Scholar
Digital Library
- J. Aitel. The IPO of the 0day: Stock fluctuation from an unrecognized influence. In Symposium on Security for Asia Network (SyScan), 2007. Keynote address.Google Scholar
- ArsTechnica.com. Half of Americans clueless about online threats. News article (Aug. 14, 2007).Google Scholar
- J. Aycock and N. Friess. Spam zombies from outer space. In EICAR, 2006.Google Scholar
- BBC News. Malware 'hijacks Windows Updates'. News article (May 16, 2007).Google Scholar
- A. Bellissimo, J. Burgess, and K. Fu. Secure software updates: Disappointments and new challenges. In USENIX Workshop on Hot Topics in Security (HotSec), 2006. Google ScholarDigital Library
- J. Benamati, M. A. Serva, and M. A. Fuller. Are trust and distrust distinct constructs? An empirical study of the effects of trust and distrust among online banking users. In IEEE Hawaii International Conference on System Sciences, 2006. Google ScholarDigital Library
- Beskerming.com. How the online trust model is broken - the BankOfIndia.com attack. News article (Aug. 31, 2007).Google Scholar
- M. Bishop. Psychological acceptability revisited. In "Security and Usability: Designing Secure Systems that People Can Use." Edited by L. Cranor and S. Garfinkel. O'Reilly, 2005.Google Scholar
- J. Blascovich. Mind games: A psychological analysis of common email scams. McAfee Avert Labs white paper (June 25, 2007). http://www.mcafee.com/us/local_content/white_papers/wp_mind_games_en.pdf.Google Scholar
- CA Virus Information Center. Win32.Grams.I, Feb. 2005. http://www3.ca.com.Google Scholar
- W. Chung and J. Paynter. An evaluation of Internet banking in New Zealand. In IEEE Hawaii International Conference on System Sciences, 2002. Google ScholarDigital Library
- CNET.com. TJX says 45.7 million customer records were compromised. News article (Mar. 29, 2007).Google Scholar
- Commtouch.com. Malware outbreak trend report: Storm-Worm. Online article (Jan. 31, 2007). http://www.commtouch.com/downloads/Storm-Worm_MOTR.pdf.Google Scholar
- ComputerWorld.com. Symantec false positive cripples thousands of Chinese PCs. News article (May 18, '07).Google Scholar
- Consumeraffairs.com. Consumers losing confidence in online commerce, banking. News article (June 28, '05).Google Scholar
- DarkReading.com. Antivirus tools underperform when tested in LinuxWorld 'Fight Club'. News article (Aug. 9, 2007).Google Scholar
- D. Davis. Compliance defects in public-key cryptography. In USENIX Security Symposium, 1996. Google ScholarDigital Library
- R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In CHI, 2006. Google ScholarDigital Library
- J. S. Downs, M. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In SOUPS, 2006. Google ScholarDigital Library
- K. Edge, R. Raines, M. Grimaila, R. Baldwin, R. Bennington, and C. Reuter. The use of attack and protection trees to analyze security for an online banking system. In IEEE Hawaii International Conference on System Sciences, 2007. Google ScholarDigital Library
- Entrust.com. Katrina scams show browser security model is broken. Entrust blog (Sep. 9, 2005).Google Scholar
- eWeek.com. Microsoft patches causing breakages, lockups. News article (Apr. 17, 2006).Google Scholar
- eWeek.com. Microsoft says recovery from malware becoming impossible. News article (Apr. 4, 2006).Google Scholar
- D. Florêncio and C. Herley. A large-scale study of web password habits. In World Wide Web (WWW), 2007. Google ScholarDigital Library
- S. Gaw and E. W. Felten. Password management strategies for online accounts. In SOUPS, 2006. Google ScholarDigital Library
- R. L. Glass. Patching is alive and, lamentably, thriving in the real-time world. ACM SIGPLAN Notices, 13(3), 1978. Google ScholarDigital Library
- Globe and Mail. globeandmail.com: Mary Kirwan. News article (Nov. 16, 2006). http://www.theglobeandmail.com/servlet/story/RTGAM.20061116.gtkirwan1116/BNStory/Technology/home.Google Scholar
- S. J. Greenwald, K. G. Olthoff, V. Raskin, and W. Ruch. The user non-acceptance paradigm: INFOSEC's dirty little secret. In New Security Paradigms Workshop (NSPW), 2004. Google ScholarDigital Library
- J. Grossklags and N. Good. Empirical studies on software notices to inform policy makers and usability designers. In Workshop on Usable Security (USEC), 2007. Google ScholarDigital Library
- J. Heasman. Implementing and detecting a PCI rootkit. White paper (Nov. 15, 2006). http://www.ngssoftware.com.Google Scholar
- M. Hertzum, N. Jørgense, and M. Nørgaar. Usable security and e-banking: Ease of use vis-à-vis security. Australasian Journal of Information Systems, 11, 2004.Google Scholar
- A. Herzogl and N. Shahmehri. Usability and security of personal firewalls. In IFIP Security Conference, 2007.Google Scholar
- C. Jackson, D. Simon, D. Tan, and A. Barth. An evaluation of Extended Validation and picture-in-picture phishing attacks. In Workshop on Usable Security (USEC), 2007. Google ScholarDigital Library
- N. Jin and M. Fei-Cheng. Network security risks in online banking. In IEEE Wireless Communications, Networking and Mobile Computing, 2005.Google Scholar
- M. E. Johnson and S. Dynes. Inadvertent disclosure -- information leaks in the extended enterprise. In Workshop on the Economics of Information Security (WEIS), 2007.Google Scholar
- M. Just. Designing secure yet usable challenge question authentication systems. In "Security and Usability: Designing Secure Systems that People Can Use." Edited by L. Cranor and S. Garfinkel. O'Reilly, 2005.Google Scholar
- H. Karjaluoto, T. Koivumäki, and J. Salo. Individual differences in private banking: Empirical evidence from Finland. In IEEE Hawaii International Conference on System Sciences, 2003.Google ScholarCross Ref
- Kaspersky.com. Malicious mass mailing sent using McAfee email address. Virus News (Nov. 2, 2006).Google Scholar
- Keynote.com. Online banking critical to bank selection and brand perception. Press release (Jan. 6, 2005).Google Scholar
- S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, and J. R. Lorch. SubVirt: Implementing malware with virtual machines. In IEEE Symposium on Security and Privacy, 2006. Google ScholarDigital Library
- MacDevCenter.com. How Paris got hacked? News article (Feb. 22, 2005).Google Scholar
- McAfee and National Cyber Security Alliance (NCSA). McAfee-NCSA online safety study, Oct. 2007.Google Scholar
- Microsoft. Password checker. http://www.microsoft.com/athome/security/privacy/password_checker.mspx.Google Scholar
- Microsoft Support. Detailed installation walkthrough for Windows XP Service Pack 2. http://support.microsoft.com.Google Scholar
- J. Milletary. Technical trends in phishing attacks. US-CERT, Reading room article, http://www.us-cert.gov.Google Scholar
- National Post. Watchdog pushed CIBC on lost file. News article (Jan. 26, 2007). http://www.canada.com.Google Scholar
- Netcraft.com. Bank, customers spar over phishing losses. News article (Sep. 13, 2006).Google Scholar
- Netcraft.com. More than 450 phishing attacks used SSL in 2005. News article (Dec. 28, 2005).Google Scholar
- Netcraft.com. MySpace accounts compromised by phishers. News article (Oct. 27, 2006).Google Scholar
- New Zealand Bankers' Association (NZBA). Code of banking practice. Fourth Edition (July, 2007).Google Scholar
- M. Nilsson, A. Adams, and S. Herd. Building security and trust in online banking (extended abstracts). In CHI, 2005. Google ScholarDigital Library
- C. Nodder. Users and trust: A Microsoft case study. In "Security and Usability: Designing Secure Systems that People Can Use." Edited by L. Cranor and S. Garfinkel. O'Reilly, 2005.Google Scholar
- Office of the Privacy Commissioner of Canada. Guidelines for identification and authentication, Oct. 2006. http://www.privcom.gc.ca/information/guide/auth_061013_e.asp.Google Scholar
- B. Parno, C. Kuo, and A. Perrig. Phoolproof phishing prevention. In Financial Cryptography (FC), 2006. Google ScholarDigital Library
- J. Rutkowska. Introducing Blue Pill, June 2006. Presented at SyScan Conference.Google Scholar
- SANS Institute Internet Storm Center. Windows XP: Surviving the first day, Nov. 2003.Google Scholar
- SANS Internet Storm Center. Fake microsoft patch email -> fake spyware doctor! Handler's diary (June 26, 2007).Google Scholar
- SANS Internet Storm Center. Symantec false-positive on Filezilla, NASA World Wind. Handler's diary (July 16, 2007).Google Scholar
- M. A. Sasse, S. Brostoff, and D. Weirich. Transforming the 'weakest link' - a human/computer interaction approach to usable and effective security. BT Technology, 19(3), 2001. Google ScholarDigital Library
- M. A. Sasse and I. Flechais. Usable security: Why do we need it? how do we get it? In "Security and Usability: Designing Secure Systems that People Can Use." Edited by L. Cranor and S. Garfinkel. O'Reilly, 2005.Google Scholar
- scanit.be. Browser security test: A year of bugs, 2004. http://bcheck.scanit.be.Google Scholar
- B. Schneier. The curse of the secret question. Blog (Feb. 11, 2005), http://www.schneier.com.Google Scholar
- SecurityFocus.com. Bot spreads through antivirus, Windows flaws. News article (Nov. 28, 2006).Google Scholar
- A. Shipp. Targeted trojan attacks and industrial espionage. In Virus Bulletin Conference (VB), 2006.Google Scholar
- Silicon.com. Banks must boost security to drive online banking. Forrester Research News article (Mar. 29, 2005).Google Scholar
- A. Singer. Life without firewalls. ;login: The USENIX Magazine, 28(6), 2003.Google Scholar
- S. Singh. The social dimensions of the security of Internet banking. Journal of Theoretical and Applied Electronic Commerce Research, 1(2), 2006. Google ScholarDigital Library
- Statistics Canada. Canadian Internet Use Survey 2005, Aug. 2006. http://www.statcan.ca.Google Scholar
- M. Tulloch. Resolving Windows XP SP2 -- related application compatibility problems. Microsoft article on using XP.Google Scholar
- M. Vea. 2006 Operating System vulnerability summary. Online article published at OmniNerd.com (Mar. 26, 2007).Google Scholar
- C. Wharton, J. Rieman, C. Lewis, and P. Polson. The cognitive walkthrough method: A practitioner's guide. In "Usability inspection methods," John Wiley&Sons, Inc., 1994. Google ScholarDigital Library
- A. Whitten and J. Tygar. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In USENIX Security Symposium, 1999. Google ScholarDigital Library
- WindowsSecrets.com. Microsoft, McAfee, Symantec charge cards repeatedly. News article (May 17, 2007).Google Scholar
- M. Wu, R. Miller, and S. L. Garfinkel. Do security toolbars actually prevent phishing attacks. In CHI, 2006. Google ScholarDigital Library
- J. J. Yan. A note on proactive password checking. In New Security Paradigm Workshop (NSPW), 2001. Google ScholarDigital Library
- ZDNet.com. Security tools face increased attack. News article based on Yankee Group report (June 20, 2005).Google Scholar
- ZDNet.com.au. Eighty percent of new malware defeats antivirus. News article (July 19, 2006).Google Scholar
- Y. Zhang, S. Egelman, L. F. Cranor, and J. Hong. Phinding phish: An evaluation of anti-phishing toolbars. In Annual Network and Distributed System Security Symposium (NDSS), 2007.Google Scholar
- M. E. Zurko. User-centered security: Stepping up to the grand challenge. In ACSAC, 2005. Invited essay. Google ScholarDigital Library
- M. E. Zurko and R. T. Simon. User-centered security. In New Security Paradigms Workshop (NSPW), 1996. Google ScholarDigital Library
- M. Zviran and W. J. Haga. Cognitive passwords: the key to easy access control. Computers&Security, 9(9), 1990. Google ScholarDigital Library
Index Terms
- Security and usability: the gap in real-world online banking
Recommendations
A Survey of Authentication and Communications Security in Online Banking
A survey was conducted to provide a state of the art of online banking authentication and communications security implementations. Between global regions the applied (single or multifactor) authentication schemes differ greatly, as well as the security ...
Integrating security and usability into the requirements and design process
According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing ...
Elicitation of Security requirements for E-Health system by applying Model Oriented Security Requirements Engineering (MOSRE) Framework
CCSEIT '12: Proceedings of the Second International Conference on Computational Science, Engineering and Information TechnologyE-health is a health care system which is supported by electronic process and communication. The information that is kept in the system must be accurate. In case of false information, it may cause harm to human life. So this system needs more security ...
Comments