ABSTRACT
An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states that 42% of all internet users bank online. Considering the types of secure transactions being conducted, businesses are rigorously testing their sites for security flaws. In spite of this testing, some design flaws still remain that prevent secure usage. In this paper, we examine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site's security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.
Title: Analyzing websites for user-visible security design flaws