Study Finds IE7 + EV SSL Won't Stop Phishing

An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued."

Protect your information

[jmagar.com]

The best thing you can do is never give out your information. Protect it like you're a secret agent. Protect it against torturous interrogation. Protect it to point of taking that suicide pill hidden as the third button on your shirt.

Always ask yourself why they need it, and do you trust them to secure your information.

In Canada right now their are two separate credit card breaches under investigation. This isn't even a phishing thing, this is just plain old sloppy security.

I suspect that there are many other breaches that haven't been detected and or reported. So I strongly recommend that you refuse to give out personal information to these locations. Don't sign up for rewards cards, don't let them collect your address, and phone, and SSN, when you buy a t-shirt. They don't need it! And I don't trust them.

Re:This really isn't an IE problem

[blowdart]

I did, and wow, I even read the PDF. Aas I said it's probably too late now; the padlock is too engrained in user's minds as a way to indicate a site is trusthworthy and real.

If you read the paper the actual "worse when trained" only referred to sites where the phising toolbar notification was not displayed and not really as a function of EVA;

The participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate whenever the phishing warning did not appear.

and really, reading a help file is hardly training :)

*sigh*

[hobo+sapiens]

Of course they're inneffective. Phishing is not an IE problem or a "security" problem. It's a trust problem. If someone was going door to door claiming to be a representative of a bank and asking for account numbers, most people would turn him away and call the cops. Why do we then trust a link in some unsolicited eMail with the same information? Geez.

What's unfortunate here is that since Microsoft, via IE7, made the attempt to protect users from phishing, now they have some degree of responsibility to fix what they never can. Don't claim that you will fix something if you cannot.

How do you initiate a Picture in Picture attack?

[Zeinfeld]

The paper discusses a picture in picture attack. I don't see how such an attack fits into any of the phishing attack vectors currently seen.

Let us imagine that we have an email message that takes us to a phishing site. But instead of taking us to a Web page we get a web page within the Web page. Is the user likely to notice? I suspect so.

The experiments don't test that scenario, instead they test the scenario where the user has a browser open with a PIP browser already there. This is a rather easier lay up.

I have spent quite a bit of time working on security usability testing including EV. It is really hard to design a realistic experiment. If you put users in a lab environment they react very differently. In particular in a lab environment they are much more tolerant of errors than in a home environment, they expect things to be not quite right. This means that many security cues are suppressed entirely.

The user experiences we are testing are all designed to be minimaly intrusive. That is they are designed for regular use every day. The idea is not that someone visits their bank, sees the green bar and thinks they are safe. The idea is that they visit their bank fifty to a hundred times seeing the green bar every single time and then notice it is not there in an attack scenario.

Ultimately the objective of EV is not to stop phishing, it is to provide accountability. If you go to the EV site you should know that the site has been authenticated and you can either hold the site accountable or the issuer of the cert. This may reduce phishing, but it is not by itself going to eliminate it.

Ultimately the test that matters here is how people react in a large scale deployment. The cost of phishing is huge. It is a very visible attack that eats up a huge amount of customer service and staff resources besides the cost of the actual fraud losses (secondary losses are much higher). If EV reduces those costs by even a few percent it more than pays for itsef.

The idea of EV was not to protect banks though, it was to protect customers. The user experience is not fixed for all time. If the IE7 EV experience does not work then we can change it to make it better. At this point however we need the type of data that you can only get from large scale deployment to know.

If you know to look for the green bar you will be a lot safer than you are now. The problem is how to design something that is pervasive without being invasive.