Analyzing Websites for User-Visible Security Design Flaws


-chose not to examine bugs or browser flaws

-Analyzed a combination of 214 websites (mostly banks)


-Login on insecure pages

-Contact information on insecure pages

Should this be a concern?

-exploits would not be straightforward, but attackers are becoming more organized

Use of Third-Party Sites

-break in chain of trust


-transition to third party site

Policies on User Ids and Passwords

-inadequate or unclear policies for user ids and passwords

Ambiguity in Policies

-emailing security sensitive information


-A significant number of sites have login design flaws (47%)

Limitations of Study

-may have failed to completely retrieve all relevant pages

-Only looked at financial institutions in the US

-used heuristics for automated analysis

Usability Lessons for WebSites

-stay on the same host name

-if not keep on same domain

-else make “proper introduction”

-use SSL throughout the site
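The checks above (login on an insecure page, login submitted over plain HTTP, and a login that leaves the host or the domain) can be automated against a page's HTML. This is an added example, not the authors' analysis tool; the HTML and host names are constructed, and "same domain" is approximated by the last two labels of the host name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []          # entries are [action, has_password_field]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def registrable_domain(host):
    """Crude same-domain test: keep the last two labels (fine for bank.com)."""
    return ".".join(host.lower().split(".")[-2:])

def audit_login_forms(page_url, html):
    """Return (flaw, submit_url) findings for every password form on the page."""
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue                                  # not a login form
        target = urlsplit(urljoin(page_url, action))
        if page.scheme != "https":
            findings.append(("login form on insecure page", target.geturl()))
        if target.scheme != "https":
            findings.append(("login form submits over http", target.geturl()))
        if target.hostname != page.hostname:
            same = registrable_domain(target.hostname) == registrable_domain(page.hostname)
            findings.append(("login moves to another host in same domain" if same
                             else "login hands off to third-party domain", target.geturl()))
    return findings

# Constructed sample: a bank home page served over plain HTTP whose login
# form posts to an outsourced authentication host.
SAMPLE_HTML = ('<form action="https://auth.vendor-example.com/login" method="post">'
               '<input name="user"><input type="password" name="pw"></form>'
               '<form action="/search"><input name="q"></form>')

if __name__ == "__main__":
    print(audit_login_forms("http://www.examplebank.com/", SAMPLE_HTML))
```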


Discussion notes – Metrics for Characterizing Research Participants’ Technical Knowledge

Summary from the discussion Metrics for Characterizing Research Participants’ Technical Knowledge:

– Background with some studies and criteria that they used
– Participants agreed that there needs to be a metric but it is not clear whether there can be a one-size-fits-all one
– Conduct a large study among different types of users and then decide on what type of questions can be used for a specific study
– Suggestion to look at users’ behavior to classify them as technical or novice (e.g. use of keyboard shortcuts)
– Some questions that we agreed on and may use in future studies:
– Are you technical or non-technical?
– Why do you think you are technical or non-technical?
– What is your educational background?


Use Your Illusion: Secure Authentication Usable Anywhere

Eiji Hayashi

Nicolas Christin

Rachna Dhamija

Adrian Perrig

Graphical Authentication

  • Passfaces – Faces are used as graphical portfolio
  • Pass Points – Use “a sequence of clicks” as a shared secret
  • DAS (Draw-A-Secret) –
  • Deja vu

Graphical Portfolio

  • If user chooses portfolio, easy to remember
  • If it’s random, users have difficulty remembering the pictures

Use your Illusion

  1. Allow users to take/choose picture by themselves
  2. Distort pictures
  3. Assign the distorted pictures as graphical portfolio

Requirement for Distortion

  • One-way
  • Discarding precise shapes and colors
  • Preserving rough shapes and colors

Oil Paintings are used

Distortion level

  • If high, difficult to guess, but difficult to memorize
  • If low, easy to memorize, but easy to guess

Low Fidelity Test – Show the most distorted image, then ask the user to guess what it is. If the user does not know, continue showing less distorted images.

Also ask the user at which point / distorted image he can no longer recognize that the image is a dog.


  • Implemented on Nokia’s cell-phone
  • Also on the web

1st Usability Test

  • 45 participants were divided into 3 groups
  • Self-selected, non-distorted – mean was around 20 sec
  • Self-selected, distorted – 20 sec
  • Imposed, highly distorted – 70 sec

Process of Memorization

  • Participants assign meanings to distorted images
  • Assigning meanings helps memorization

2nd test

  • 54 participants were divided into 3 groups
  • self-selected, non-distorted
  • self-selected, distorted
  • imposed, distorted

Future Work

  • Detailed usability test
  • long term test
  • find an optimal distortion
  • investigate a metric evaluating distortion level

Assigning meaning helps memorization


Securing Passfaces for Description

Paul Dunphy, James Nicholson and Patrick Olivier

Study 1:

  • 18 participants (9m, 9f) , 45 faces (27f, 18m)
  • Record descriptions of 15 faces each
  • Results: Females made longer descriptions, used more words to describe them

Study 2:

  • 56 participants (31m, 25f)
  • Within-subject with conditions:
    • Random decoys
    • Visually similar decoys (used a separate set of participants to group similar matches)
    • Descriptively similar decoys
  • Task: participants choose the 5 correct passfaces from the descriptions in order to log in.
  • Results:
    • Average score in random condition best
    • 9% of logins were successful (7 in random, 5 in visual, 1 in verbal).


  • Decoy grouping effective
  • Overall login success low
  • Is there an impact on memorability/shoulder surfing?
  • What about related graphical schemes?


SOUPS in the News.

SOUPS gets lots of press each year and we will be collecting as we see it in this post.

Analyzing Websites for User-Visible Security Design Flaws by Laura Falk, Atul Prakash and Kevin Borders has already been cited in a number of articles and posts including:


Security Questions in the Facebook Era

Ari Rabkin

Summary: In an environment where information sharing is common, security questions are becoming easier and easier to attack. What to do? Redesign security questions so that they are not easily attackable. Add additional elements (e.g. audio or video) that are still easy for the user to remember but unique to the user.

Security questions assume there is an information asymmetry between the attacker and the user.

Security Question – Ask user something
Secret question – Ask for a secret fact
Personal security question – Ask about something meaningful to user (NOT SECRET)

The problem:
The security of a personal security question is based on
– Information retrieval hardness assumptions and security assumptions
But IR is improving rapidly
– Humans like to talk about themselves and share info
– Hard to know what an attacker might know

User Study Context:
Online Banking

– Looked at forgotten password mechanisms at 20 banks
– Checked to see if the mechanism recognized hosts

Credit unions do not offer a lost-password mechanism

– Guessable (Can guess more than 1% of the time)
– Automatically attackable (Info on Facebook)
– Human Attackable (Get answer from blogs/Internet, CV)

Popular Topics
– Family: relatives, life events
– Preferences: favorite books, movies, etc.
– Name of first pet
– Favorite sports team
– Grandmother’s first name
– High school mascot

Quick fixes:
– Limit guessability by rejecting overly common answers
– Ask questions w/ secure answers
– remove weakest questions
– Warn users to pick good question
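The "guessable" criterion above (a guess succeeds more than 1% of the time) and the quick fix of rejecting overly common answers can both be expressed over the distribution of answers an enrolment population actually gives. This is an added example, not the talk's own method or data; the answer counts for "favorite sports team" are constructed.

```python
from collections import Counter

# Constructed sample: answers to "favorite sports team" from an invented
# enrolment population of 1000 users (counts are made up for the example).
SAMPLE_ANSWERS = Counter({"yankees": 180, "red sox": 120, "cowboys": 90,
                          "lakers": 60, "steelers": 50})
SAMPLE_ANSWERS.update({f"team{i}": 1 for i in range(500)})   # long tail, one user each

def normalize(answer):
    """Fold case and whitespace so 'Yankees ' and 'yankees' count as the same answer."""
    return " ".join(answer.lower().split())

def best_guess_success(counter, guesses=1):
    """Probability that an attacker who knows only the population's answer
    distribution, and is allowed `guesses` attempts, hits a random user's answer."""
    total = sum(counter.values())
    return sum(n for _, n in counter.most_common(guesses)) / total

def is_guessable(counter, threshold=0.01, guesses=1):
    """The talk's criterion: a question is 'guessable' if a guess succeeds more
    than 1% of the time."""
    return best_guess_success(counter, guesses) > threshold

def guesses_needed(counter, target):
    """How many of the most common answers an attacker must try to reach the
    target success rate; None if the whole distribution does not reach it."""
    total = sum(counter.values())
    covered = 0
    for i, (_, n) in enumerate(counter.most_common(), start=1):
        covered += n
        if covered / total >= target:
            return i
    return None

def reject_common_answer(answer, counter, threshold=0.01):
    """Quick fix from the talk: refuse an answer shared by more than `threshold`
    of enrolled users, so the stored answer set stays below the guessable line."""
    share = counter.get(normalize(answer), 0) / sum(counter.values())
    return share > threshold

if __name__ == "__main__":
    print(is_guessable(SAMPLE_ANSWERS), guesses_needed(SAMPLE_ANSWERS, 0.5))
```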

Deeper fixes:
– Ask Qs users can’t disclose answer to
– Recognition-based instead of recall
– Try to embed media into questions?
– Ask about images, audio, etc to make it more difficult

– Many security questions are weak, and getting weaker.
– Research needed to keep up


SOUPS Keynote: Ross Anderson

Towards a Science of Security and Human Behaviour

Summary: Economics, Sociology, and Psychology can give important insights on security and how to make it more effective.  The current incentive structure makes it so that users are left to their own devices, mistakes, and misconceptions.

Security to Economics, How did I get there?
– People used to think security was all about crypto, authentication, firewalls, etc
– But, people realized this wasn’t enough, things weren’t getting better.

Economics and Security
– Since 2000, he has been applying economic analysis to IT security and dependability
– It explains the failure better!

Security fails b/c the incentives are wrong.

New view of InfoSec.
– Systems are insecure b/c the incentives are wrong.
Bank customers suffer when poor design makes fraud and phishing easier
– Insecurity is often an “externality” or a side-effect, like environmental pollution

New uses of Infosec
– Support business models
Xerox tied ink to printers, to increase the price of ink.
Car makers can charge more for parts for certain vehicles

IT Economics
– 1st feature, Network effects
Metcalfe’s law – the value of a network is proportional to the square of the number of users
Real networks – phones, fax, email
Virtual networks – PC architecture vs. Mac
Network effects tend to lead to dominant firm markets where the winner takes all.

2nd common feature of IT product and service markets is high fixed costs and low marginal costs.
– Competition can drive down prices to marginal cost of production, but this can make it hard to recover capital investment, unless stopped by patent, brand, compatibility.
– These effects can also lead to dominant-firm market structures.

3rd feature is that switching from one product or service to another is expensive.
Shapiro-Varian theorem: the net present value of a software company is the total switching costs

So major effort goes into managing switching costs, e.g. the iPod and the music bought for your iPod: you are locked in to your product.

IT Economics and Security:
High fixed/low marginal costs, network effects and switching costs tend to lead to dominant-firm markets with the big first-mover advantage
– Time to market is critical
– Ship fast and fix it later is a rational action plan

When building a network monopoly, you must appeal to vendors of complementary products
– Lack of security in earlier versions of Windows made it easier to develop applications.
– So did the choice of security technologies that dump usability costs on the users
– Once you are a monopoly, lock it all down!

Economics and Usability
– Make your products usable by newbies…  but more usable with practice!
– To what extent can you make skill a source of asymmetric lockin? (i.e. you learn all the keyboard shortcuts)
– Hypothesis: this underlies the failure of user programmability to get traction!
– How many features should a product have?
– Marginal benefit of new feature concentrated in some target market
– Marginal cost is spread over all users – so we get chronic featuritis!
– At equilibrium, any programmable thing will just be on the edge of unacceptability of a significant number of users
– The same thing happens with laws, services, etc

Why are so many security products ineffective?
– Akerlof’s Nobel Prize winning paper: The Market for Lemons, which introduced asymmetric information
– People don’t know what things are the lemons, so they will pay full price…
– Security products are a ‘lemons market’

Products worse than useless:
– Why do Volvo drivers have more accidents? Adverse selection and moral hazard- people think they are safer so they act more dangerously.
– Application to trust: Ben Edelman, ‘Adverse Selection in Online “Trust” Certifications’ (WEIS 06)
– Websites with a TRUSTe certification are more than twice as likely to be malicious
– The top Google ad is about twice as likely as the top free search results to be malicious

– People say they value privacy but act otherwise
– Why is there this privacy gap
– Odlyzko – Technology makes price discrimination easier and more attractive
– Acquisti et al – People care about privacy when buying clothes, but not cameras
– Loewenstein et al – It’s not clear that there are stable and coherent privacy preferences
– Students disclose more for “How Bad RU” and less with a detailed privacy notice

Conflict Theory:
– Does the defense of a country or a system depend on the least effort, or on the best effort, or on the sum of efforts
– The last is optimal, the first is awful
– Software is a mix, it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers
– Moral: hire fewer better programmers, more testers, top architects

Skewed Incentives:
– Why do large companies spend so much and little companies so little on security?
– If you are the Director of the NSA and you have a hack for XP and Vista, do you tell Bill Gates?
– If you do, you protect 300 million Americans
– If you don’t, you can hack 400 million Europeans, 1000 million Chinese, etc
– If the Chinese hack US systems, they keep quiet.  If you hack their systems, you can brag about it to the President (increase your budget)
– Offense favored over defense

Security and Policy

Security and Sociology
– Can we use evolutionary game theory ideas to figure out how networks evolve?
– Idea: run many simulations between different attack/defense strategies

Psychology and Security
– Phishing
Banks react to phishing with “blame and train” efforts directed at customers
But we know, this doesn’t work
– We train people to keep on clicking OK and ‘learned helplessness’ goes much wider
– People didn’t notice the missing SSL padlock icon

Social psychology is relevant
– People deny the evidence of their eyes to conform to a group
– People will do immoral things if ordered to
– Roles and group dynamics are enough
– Disturbing case of “Officer Scott” – a guy who called McDonald’s and ordered managers to strip search female employees.  McDonald’s couldn’t be bothered to train their employees to resist immoral orders from police.

How do systems resist abuse of authority?

– Why does Terrorism work?
– It’s evolved to exploit a large number of our heuristics and biases
– Availability heuristic, mortality salience, anchoring, loss aversion in uncertainty, wariness of hostile intent, violation of moral sentiments, credence given to images, reaction against out-group, sensitivity to change
– The good news: biases affect novel events more, and so can be overcome by experience.

– Central to evolution of homo sapiens
– Self deception
– What are the effects on policy?

– People don’t care enough about computer security, and they care much more about terrorism.

For more information:
Workshop on the Economics of Information Security
Workshop on Security and Human Behavior
– Security Engineering by Ross Anderson


Improving Text Passwords Through Persuasion

Persuasive Cued Click-Points is a system used to help persuade users to create better passwords.

We have created the Persuasive Text Passwords system (PTP). The system lets the user write a simple word, and the system then inserts random characters to create a more secure password. If the user dislikes the password they can have the system re-shuffle the characters to create a new password. The system helps users by simplifying the problem of creating secure passwords. It also helps the user by informing them at the time when they are creating the password and are currently thinking about security. Additionally, it adds to the randomness of the password.
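The insert-and-reshuffle mechanism just described, as an added example that is not the PTP authors' code. The character set the inserted characters are drawn from is an assumption (the post does not say), and the search-space estimate at the end is my own rough comparison of Insert-2/3/4, not the study's security measure.

```python
import math
import secrets
import string

# Assumed character set for the inserted characters; the post does not say
# which characters PTP draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def insert_random_chars(word, k, alphabet=ALPHABET):
    """PTP step: insert k randomly chosen characters at random positions in
    the user's word.  Uses the secrets module so the result is unpredictable."""
    chars = list(word)
    for _ in range(k):
        pos = secrets.randbelow(len(chars) + 1)        # ends are allowed positions
        chars.insert(pos, secrets.choice(alphabet))
    return "".join(chars)

def reshuffle_until_accepted(word, k, accept, max_tries=100):
    """Model the 're-shuffle' button: keep generating new insertions until the
    user's accept() predicate says yes; None if never accepted."""
    for _ in range(max_tries):
        candidate = insert_random_chars(word, k)
        if accept(candidate):
            return candidate
    return None

def is_valid_insertion(word, k, result, alphabet=ALPHABET):
    """Sanity check a PTP output: the base word must survive as a subsequence,
    exactly k characters were added, and every character is from the allowed set."""
    if len(result) != len(word) + k:
        return False
    remaining = iter(result)
    if not all(ch in remaining for ch in word):        # ordered subsequence test
        return False
    return all(ch in alphabet or ch in word for ch in result)

def added_search_space_bits(word_len, k, alphabet_size=len(ALPHABET)):
    """Upper bound on the extra work for an attacker who already knows the base
    word and k: pick which k of the word_len+k slots hold inserted characters
    (comb), times alphabet_size**k choices for those characters.  Not the paper's
    own security measure, just a way to compare Insert-2/3/4 on paper."""
    placements = math.comb(word_len + k, k)
    return math.log2(placements * alphabet_size ** k)

if __name__ == "__main__":
    for k in (2, 3, 4):
        print(k, insert_random_chars("password", k), round(added_search_space_bits(8, k), 1))
```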

User study was conducted in the lab. Users were asked to create a password, confirm the password by re-entering it, answer questions about how they felt about the password, complete a distraction task to clear working memory, and finally log in with their new password. Participant completed all five steps ten times. 83 participants in total.

Found that inserting 2, 3 or 4 characters into the word string was the most secure alteration method for changing the password string. It took Insert-2, Insert-3 and Insert-4 users only a few more seconds to create a password than the control users. It took Insert users longer to log in (~10 sec).

They ran the passwords through a John the Ripper wordlist attack, using the free wordlist from the John the Ripper site plus the word-mangling rules (All+Rules); the second attack used the mangled list available for sale on the site (Mangled). The result was that none of the PTP passwords were cracked.

Next they tried giving each password a security measure. They discovered that Insert-4 users started with far less secure passwords (before insertion of characters) than Insert-2 users. This was because the Insert-4 users discovered that four characters were going to be added, so they started entering shorter passwords to begin with.

Q: You hypothesise that users were choosing more insecure passwords in the Insert-4 condition because of memory load. It could be that they were trusting the system to make their passwords more secure.

A: People in the Insert-4 condition actually started by using things like capital letters but they stopped doing that fairly quickly. This was not observed in the Insert-2, or Insert-3 conditions.

Q: Did you try running John the Ripper in brute force search mode?

A: John the Ripper only works on passwords of length 8 and our passwords ranged from 8-10, so we chose not to pursue the brute force attack.


SOUPS poster session


Serge Egelman and Rob Reeder wear their posters

Lots of posters, lots of fun! See the list of posters and abstracts on the SOUPS website. Rob and Serge prototyped wearable posters. Usability assessment anyone?


USM Opening Session

The Workshop on Usable IT Security Management was opened today with a talk by Robin Ruefle, a member of CERT, on Human and Organizational Aspects of Security Incident Management.

She opened with a brief history of CERT and a discussion of how important having an incident management plan is. For example, when the Morris Worm infected the Internet, many companies did not have an incident management plan and had trouble dealing with the incident.

She discussed several example incidents where companies did not have comprehensive incident plans:

  • The Slammer worm hit in January 2003. Organizations without full updates were hit very hard, and many had no way to determine how badly they had been hit.
  • Another company hit by Slammer used contractors who were unwilling to come in immediately. Local contractors didn’t have badges that worked on Saturday and were not sure whom to contact to gain access to the servers to fix the problem.

One of the biggest issues with creating a security management plan is that people don’t talk. Management doesn’t talk to the people they are managing to understand their needs. People don’t always understand what is going to be done and may be concerned that their own jobs will be taken over.