[OpenID] OpenID and phishing (was Announcing OpenID Authentication 2.0 - Implementor's Draft 11)
Mike Beltzner
beltzner at mozilla.com
Fri Jan 19 15:55:15 UTC 2007
On 19-Jan-07, at 10:28 AM, Simon Willison wrote:
> Unfortunately all I can do here is second-guess the behaviour of
> users - what's really needed is serious usability research. There's
> plenty of academic work around this area; maybe someone on the list
> can point out some references.
Gladly! Actually, 2005 and 2006 were banner years for HCI research
done on phishing and security context spoofing. Here are some good
papers:
"Decision Strategies and Susceptibility to Phishing", Downs, Holbrook & Cranor
http://cups.cs.cmu.edu/soups/2006/proceedings/p79_downs.pdf
"Why Phishing Works", Dhamija, Tygar & Hearst
http://people.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
"Do Security Toolbars Actually Prevent Phishing Attacks?", Wu, Miller & Garfinkel
http://www.simson.net/ref/2006/CHI-security-toolbar-final.pdf
"Phishing Tips and Techniques", Gutmann
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf
There are more links, and summaries of the findings of the papers
available on the SharedBookmarks page of the W3C Working Group on
Security Context (WSC) here:
http://www.w3.org/2006/WSC/wiki/SharedBookmarks
I can also sum things up for you even more succinctly:
- users are task oriented, driving to complete the goal the quickest way possible
- users pay more attention to the content area than the browser chrome
- users don't understand how easy it is to spoof a website
At this juncture I feel that I should mention that I don't think
"fixing phishing" should be a goal of OpenID. Improving things, and
certainly not regressing is a must. But ensuring a perfect system
might needlessly deadlock us.
cheers,
mike