Think about this the next time you do any online banking

This just in, and very scary for those of us who do online banking. A Harvard/MIT study by Stuart Schechter and Rachna Dhamija asked 67 customers of a single bank to conduct common online banking tasks. As they logged in, the researchers presented them with increasingly conspicuous visual cues that indicated a site-forgery attack. They were interested in finding out:

• Will customers of an online bank (in this case, Bank of America) enter their passwords even if their browsers’ HTTPS indicators are missing?
• Will customers of an online bank enter their passwords even if their site-authentication images (using RSA’s PassMark SiteKeys) are missing?
• Will customers of an online bank enter their passwords even if they are presented with an IE7 warning page?

The depressing answers are yes, yes, and yes. You can download a preprint of the study here; it will appear in an IEEE proceedings later this year.
