[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)

Mike Beltzner beltzner at mozilla.com
Fri Jan 19 15:55:15 UTC 2007


On 19-Jan-07, at 10:28 AM, Simon Willison wrote:

> Unfortunately all I can do here is second-guess the behaviour of
> users - what's really needed is serious usability research. There's
> plenty of academic work around this area; maybe someone on the list
> can point out some references.

Gladly! Actually, 2005 and 2006 were banner years for HCI research
done on phishing and security context spoofing. Here are some good
papers:

"Decision Strategies and Susceptibility to Phishing", Downs, Holbrook
& Cranor
   http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf

"Why Phishing Works", Dhamija, Tygar & Hearst
   http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf

"Do Security Toolbars Actually Prevent Phishing Attacks?", Wu, Miller
& Garfinkel
   http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf

"Phishing Tips and Techniques", Gutmann
   http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

There are more links, and summaries of the findings of the papers,
available on the SharedBookmarks page of the W3C Working Group on
Security Context (WSC) here:

   http://www.w3.org/2006/WSC/wiki/SharedBookmarks

I can also sum things up for you even more succinctly:

  - users are task oriented, driving to complete the goal the quickest
    way possible
  - users pay more attention to the content area than the browser chrome
  - users don't understand how easy it is to spoof a website

At this juncture I feel that I should mention that I don't think
"fixing phishing" should be a goal of OpenID. Improving things, and
certainly not regressing, is a must. But ensuring a perfect system
might needlessly deadlock us.

cheers,
mike



More information about the general mailing list