[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 07:55:15 PST 2007

On 19-Jan-07, at 10:28 AM, Simon Willison wrote:

> Unfortunately all I can do here is second-guess the behaviour of
> users - what's really needed is serious usability research. There's
> plenty of academic work around this area; maybe someone on the list
> can point out some references.

Gladly! Actually, 2005 and 2006 were banner years for HCI research  
done on phishing and security context spoofing. Here are some good  

"Decision Strategies and Susceptibility to Phishing", Downs, Holbrook  
& Cranor

"Why Phishing Works", Dhamija, Tygar & Hearst

"Do Security Toolbars Actually Prevent Phishing Attacks", Wu, Miller  
& Garfinkel

"Phishing Tips and Techniques", Gutmann

There are more links, and summaries of the findings of the papers  
available on the SharedBookmarks page of the W3C Working Group on  
Security Context (WSC) here:


I can also sum things up for you even more succinctly:

  - users are task oriented, driving to complete the goal the
    quickest way possible
  - users pay more attention to the content area than the browser chrome
  - users don't understand how easy it is to spoof a website

At this juncture I feel that I should mention that I don't think  
"fixing phishing" should be a goal of OpenID. Improving things, and  
certainly not regressing is a must. But ensuring a perfect system  
might needlessly deadlock us.
