Analyzing websites for user-visible security design flaws

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Analyzing websites for user-visible security design flaws

Full text

Pdf (705 KB)

Source

ACM International Conference Proceeding Series; Vol. 337 archive
Proceedings of the 4th symposium on Usable privacy and security table of contents

Pittsburgh, Pennsylvania

SESSION: Usable privacy and security in practice table of contents

Pages 117-126

Year of Publication: 2008

ISBN:978-1-60558-276-4

Authors

Laura Falk	University of Michigan
Atul Prakash	University of Michigan
Kevin Borders	University of Michigan

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 27, Downloads (12 Months): 218, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1408664.1408680 What is a DOI?

ABSTRACT

An increasing number of people rely on secure websites to carry out their daily business. A survey conducted by Pew Internet states 42% of all internet users bank online. Considering the types of secure transactions being conducted, businesses are rigorously testing their sites for security flaws. In spite of this testing, some design flaws still remain that prevent secure usage. In this paper, we examine the prevalence of user-visible security design flaws by looking at sites from 214 U.S. financial institutions. We specifically chose financial websites because of their high security requirements. We found a number of flaws that may lead users to make bad security decisions, even if they are knowledgeable about security and exhibit proper browser use consistent with the site's security policies. To our surprise, these design flaws were widespread. We found that 76% of the sites in our survey suffered from at least one design flaw. This indicates that these flaws are not widely understood, even by experts who are responsible for web security. Finally, we present our methodology for testing websites and discuss how it can help systematically discover user-visible security design flaws.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Banking study: list of financial institutions. http://www.eecs.umich.edu/~laura/webusability/websites.html.
	2	Lorrie Faith Cranor , Praveen Guduru , Manjula Arjula, User interfaces for privacy agents, ACM Transactions on Computer-Human Interaction (TOCHI), v.13 n.2, p.135-178, June 2006 [doi>10.1145/1165734.1165735]
	3	Rogério de Paula , Xianghua Ding , Paul Dourish , Kari Nies , Ben Pillet , David Redmiles , Jie Ren , Jennifer Rode , Roberto Silva Filho, Two experiences designing for effective security, Proceedings of the 2005 symposium on Usable privacy and security, p.25-34, July 06-08, 2005, Pittsburgh, Pennsylvania [doi>10.1145/1073001.1073004]
	4	Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124861]
	5	Julie S. Downs , Mandy B. Holbrook , Lorrie Faith Cranor, Decision strategies and susceptibility to phishing, Proceedings of the second symposium on Usable privacy and security, July 12-14, 2006, Pittsburgh, Pennsylvania [doi>10.1145/1143120.1143131]
	6	Dinei Florêncio , Cormac Herley , Baris Coskun, Do strong web passwords accomplish anything?, Proceedings of the 2nd USENIX workshop on Hot topics in security, p.1-6, August 07, 2007, Boston, MA
	7	L. Freed. State of customer satisfaction with online banking, forsee results/forbes.com, April 2007.
	8	Kevin Fu , Emil Sit , Kendra Smith , Nick Feamster, Dos and don'ts of client authentication on the web, Proceedings of the 10th conference on USENIX Security Symposium, p.19-19, August 13-17, 2001, Washington, D.C.
	9	Banking on the www - banks of the usa. http://www.quazell.com/bank/bank_usa.html.
	10	Patrick McDaniel, On context in authorization policy, Proceedings of the eighth ACM symposium on Access control models and technologies, June 02-03, 2003, Como, Italy [doi>10.1145/775412.775422]
	11	Nessus Vulnerability Scanner. http://www.nessus.org.
	12	Benny Pinkas , Tomas Sander, Securing passwords against dictionary attacks, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA [doi>10.1145/586110.586133]
	13	Niels Provos , Dean McNamee , Panayiotis Mavrommatis , Ke Wang , Nagendra Modadugu, The ghost in the browser analysis of web-based malware, Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, p.4-4, April 10, 2007, Cambridge, MA
	14	Stuart E. Schechter , Rachna Dhamija , Andy Ozment , Ian Fischer, The Emperor's New Security Indicators, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.51-65, May 20-23, 2007 [doi>10.1109/SP.2007.35]
	15	Stuart E. Schechter , Rachna Dhamija , Andy Ozment , Ian Fischer, The Emperor's New Security Indicators, Proceedings of the 2007 IEEE Symposium on Security and Privacy, p.51-65, May 20-23, 2007 [doi>10.1109/SP.2007.35]
	16	David Wagner , Bruce Schneier, Analysis of the SSL 3.0 protocol, Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce, p.4-4, November 18-21, 1996, Oakland, California
	17	WatchFire's AppScan Product.
	18	Alma Whitten , J. D. Tygar, Why Johnny can't encrypt: a usability evaluation of PGP 5.0, Proceedings of the 8th conference on USENIX Security Symposium, p.14-14, August 23-26, 1999, Washington, D.C.
	19	Min Wu , Robert C. Miller , Simson L. Garfinkel, Do security toolbars actually prevent phishing attacks?, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124863]
	20	Why Use YURLs?, 2003. http://www.waterken.com/dev/YURL/Why/.