30 April, 2009
I just read a paper written in 2006 about why phishing works. Some of the notable comments in it come from participants in the usability study that was done:
From users who looked at security indicators in website content only:
“I never look at the numbers and letters up there [in the address bar]. I’m not sure what they are supposed to say.”
From users who looked at content and domain name only:
Many did not know what an IP address was; they referred to one as a “redirector address”, a “router number”, an “ISP number”, or “those number thingies in front of the name.”
From users who looked at all of the above and also for HTTPS in the address:
- One never noticed the padlock in the browser chrome.
- One stated that favicons in address bars indicate authenticity better than a padlock because they “cannot be copied.”
From users who looked for a padlock icon:
Some participants gave more credence to padlock icons that appeared within the content of the page as opposed to the browser chrome.
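The groups above were sorted by which address-bar signals they read: the host name, whether it was a bare IP address, and whether the scheme was HTTPS. The following added example (written for this post, not taken from the paper or its authors) breaks a URL into exactly those indicators and renders them in the plain language the participants lacked. It uses only the Python standard library; the sample URLs use the documentation-reserved `example.com` and the `192.0.2.0/24` test range, and the registrable-domain guess of "last two labels" is a deliberate simplification that a real tool would replace with a Public Suffix List lookup.

```python
import ipaddress
from urllib.parse import urlsplit


def describe_address_bar(url: str) -> dict:
    """Extract the indicators the study's participants misread or ignored.

    Returns a dict with: whether the scheme is https, the host, whether the
    host is an IP literal rather than a name, a naive registrable domain,
    and whether the URL carries a user@ prefix ahead of the host.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""

    # "Those number thingies in front of the name": is the host a bare address?
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False

    # Naive registrable-domain guess (assumption: last two DNS labels).
    # Real code should consult the Public Suffix List for co.uk-style suffixes.
    labels = host.split(".") if host and not host_is_ip else []
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host

    return {
        "scheme_is_https": parts.scheme.lower() == "https",
        "host": host,
        "host_is_ip_literal": host_is_ip,
        "registrable_domain": registrable,
        "has_userinfo": parts.username is not None,
    }


def explain(url: str) -> list:
    """Turn the indicators into sentences a non-expert could act on."""
    info = describe_address_bar(url)
    lines = []
    if info["host_is_ip_literal"]:
        lines.append(f"The page is served from the bare address {info['host']}, "
                     "not from a named site.")
    else:
        lines.append(f"The page belongs to the domain {info['registrable_domain']}.")
    if info["scheme_is_https"]:
        lines.append("The connection uses HTTPS.")
    else:
        lines.append("The connection is plain HTTP: nothing you type is protected.")
    if info["has_userinfo"]:
        lines.append("The part before the @ sign is a user name, not the site name.")
    return lines


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    for sample in ("https://www.example.com/login",
                   "http://192.0.2.10/login",
                   "https://user@www.example.com/"):
        print(sample)
        for line in explain(sample):
            print("  -", line)
```

Run it on a URL copied from the address bar and compare the output with what the page itself claims to be; the point of the exercise is that the authoritative signals live in the browser chrome, not in the page content.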
Other notes from the reading:
One user mentioned that she verifies the authenticity of a website by trying to log in to the website and seeing if it will work. She said,
“What’s the harm? Passwords are not dangerous to give out, like financial information.”
One of the last tests had the users look at a phishing site that was a direct copy of a real site. The site included an animated graphic of a bear and produced the following responses:
- The “cute” design was a convincing factor of a legitimate website.
- Two participants specifically mentioned the bear graphic, “because that would take a lot of effort to copy”.
- Many found the animation appealing and reloaded the page multiple times just to see the animation again.
And last, but not least: when encountering a website with an invalid SSL certificate, the users accepted it and had these quotes:
Interesting quotes. I’m not sure how to deal with solving this problem. One solution could be to understand what users assume to be secure and simply design towards that.