security and usability the gap in real world online
play

Security and Usability: The Gap in Real-World Online Banking - PowerPoint PPT Presentation

Aug 12, 2023 •304 likes •544 views

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

  1. Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1

  2. Security and Usability Gap in Online Banking Large Canadian banks ➠ RBC Royal Bank ➠ Canadian Imperial Bank of Commerce (CIBC) ➠ TD Canada Trust ➠ Scotiabank ➠ Bank of Montreal (BMO) ➠ President’s Choice (PC) Financial Mohammad Mannan Sep 19, 2007 2

  3. Security and Usability Gap in Online Banking Why bank online? 58% of Internet-connected Canadians used online banking in 2005 (Statcan, 2006) Mohammad Mannan Sep 19, 2007 3

  4. Security and Usability Gap in Online Banking Mohammad Mannan Sep 19, 2007 4

  5. Security and Usability Gap in Online Banking 100% reimbursement guarantee ➠ There are risks – but most banks give a 100% reimbursement guarantee on any money lost due to online banking Mohammad Mannan Sep 19, 2007 5

  6. Security and Usability Gap in Online Banking So, why worry? 1. The guarantee is conditional 2. Security is a ‘shared responsibility’ Can users realistically meet online banking requirements? Mohammad Mannan Sep 19, 2007 6

  7. Security and Usability Gap in Online Banking Overview ➠ Example requirements ➠ Bank site authentication ➠ Misleading information ➠ User survey ➠ Concluding remarks Mohammad Mannan Sep 19, 2007 7

  8. Security and Usability Gap in Online Banking Example requirements: RBC 1. Electronic Access Agreement (a) Sign out, log off, disconnect, close browser (b) Use up-to-date anti-virus, firewall 2. “How you can protect yourself” (a) Install all security updates (b) Test your computer for security vulnerabilities (c) Stay aware of the latest security-related issues Mohammad Mannan Sep 19, 2007 8

  9. Security and Usability Gap in Online Banking Anti-malware 1. Cost: 71.45 USD, per computer, per year for CIBC customers 2. Proper installation and maintenance is difficult 3. Effectiveness is questionable (a) may give a false sense of security (b) targeted by malware Mohammad Mannan Sep 19, 2007 9

  10. Security and Usability Gap in Online Banking Anti-malware user study 1. 95% users knew the term ‘spyware’ 2. 70% use online banking 3. Some believed spyware was ‘protecting’ their computers Mohammad Mannan Sep 19, 2007 10

  11. Security and Usability Gap in Online Banking Check the URL? 1. https://www.txn.banking.pcfinancial.ca/a/authentication/preSignOn. ams?referid=loginBox banking go 2. One user study reports ➠ 45% users did not look at URLs ➠ 35% noticed https , but many didn’t know its significance Mohammad Mannan Sep 19, 2007 11

  12. Security and Usability Gap in Online Banking wwwcibc.com Mohammad Mannan Sep 19, 2007 12

  13. Security and Usability Gap in Online Banking wwwcibc.com with a twist Mohammad Mannan Sep 19, 2007 13

  14. Security and Usability Gap in Online Banking Check the lock? Look for the SSL lock icon on the lower-right corner Mohammad Mannan Sep 19, 2007 14

  15. Security and Usability Gap in Online Banking IE7 – where is the lock? Mohammad Mannan Sep 19, 2007 15

  16. Security and Usability Gap in Online Banking Embedded SSL lock Mohammad Mannan Sep 19, 2007 16

  17. Security and Usability Gap in Online Banking Not big enough? Mohammad Mannan Sep 19, 2007 17

  18. Security and Usability Gap in Online Banking Summarizing SSL certs 1. “This certificate has failed to verify for all of its intended purposes” – known bug, the site is actually ‘secure’ 2. SSL comments (a) users: a ‘formality’ like an ‘elevator certificate’ (b) researchers: ‘indistinguishable from placebo’ (c) banks: ‘electronic passport’ “People being too dumb/lazy, though, is the hard problem. Fortunately this is evolution at work.” Mohammad Mannan Sep 19, 2007 18

  19. Security and Usability Gap in Online Banking Misleading information 1. Password advice (a) ‘Rock solid’ password examples: iwthyh or iw2hyh (Beat- les’ “I want to hold your hand”) (b) ‘111111’, ‘123456’ are not disallowed 2. Safe as in-branch banking? 3. Firewalls “will only allow in the connections that are known and trusted” 4. “... will not undertake to provide a service that compromises the security and confidentiality of customer information” Mohammad Mannan Sep 19, 2007 19

  20. Security and Usability Gap in Online Banking User survey ➠ 123 users: CS undergrad ( 3 rd , 4 th year) and grad students, post- docs, profs, net admins, security researcher and professionals – gives us a best-case scenario Mohammad Mannan Sep 19, 2007 20

  21. Security and Usability Gap in Online Banking Result summary Mohammad Mannan Sep 19, 2007 21

  22. Security and Usability Gap in Online Banking Concluding remarks/questions 1. Apparently users can hardly meet their ‘shared’ responsibilities 2. What can users do in the face of ‘session hijacking’ attacks? 3. Who bears the responsibility for security? “To err is human, to forgive is not bank policy” Mohammad Mannan Sep 19, 2007 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next,

CS 166: Information Security Real-World Protocols Prof. Tom Austin San Jos State University Real-World Protocols Next, we look at real protocols SSH a simple & useful security protocol SSL practical security on the Web

1.27k views • 112 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers

Computer Security in the Real World Butler Lampson Microsoft 1 Security: The Goal Computers are as secure as real world systems, and people believe it . This is hard because: Computers can do a lot of damage fast. There are many

391 views • 28 slides
(Online)Safety What are the dangers? Always evolving More embedded How have they evolved? 1996

(Online)Safety What are the dangers? Always evolving More embedded How have they evolved? 1996

What Is Securus? (Online)Safety What are the dangers? Always evolving More embedded How have they evolved? 1996 2006 2016 How have they evolved? 1996 2006 2016 Online Online World Online World Real World World Real World Real

147 views • 14 slides
Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS

Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS

Real-Time in the Real World: Building a State of the Art Real-Time Analytics Platform INFORMS Analytics Conference April 14 th , 2015 Joe DeCosmo Chief Analytics Officer Enova International We are a growing global online Lender Founded

229 views • 18 slides
XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( )

XML in the real world XML in the real world XML agentzh ( ) 2006.10 RSS is cool ! RSS RSS Really Simple Syndication Tired of checking your favorite news and blogs sites everyday?

786 views • 75 slides
Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world

Security Profs. Bracy and Van Renesse based on slides by Prof. Sirer Security in the real world Security decisions based on: Value: How much is it worth? Locks: How hard is it to circumvent protection? Police: What are the

980 views • 47 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security

Accountability and Freedom Butler Lampson Microsoft September 26, 2005 1 Real-World Security It s about risk, locks, and deterrence . Risk management: cost of security < expected loss Perfect security costs way too much

707 views • 26 slides
Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction

Outline Usability and security (contd) Elections and their security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Electronic voting System security of electronic voting Stephen McCamant Exercise sets 2

424 views • 10 slides
On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

619 views • 34 slides
Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I? @vysecurity Vincent Yiu vincent.yiu@syonsecurity.com Founder of SYON Security Offensive Operations including Adversary Simulaton and Penetration

344 views • 33 slides
Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst,

Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst,

Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst, Ren Just , Suzanne Millstein, Werner Dietl*, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul

1.24k views • 84 slides
We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

510 views • 39 slides
5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene

5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene

5 TIPS TO PROTECT YOUR CONSTRUCTION BUSINESS AGAINST FINANCIAL FRAUD Presented by Rhonda Greene Sponsored by MEET YOUR SPEAKER Rhonda Greene, APSC Principal Solutions Consultant AvidXchange Current Challenges Understanding How to Save

434 views • 24 slides
Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2 Introduction Intro

870 views • 35 slides
Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa Infrastructure Engineer https://keys.casa https://lopp.net asa @lopp A History Rife with Failure An estimated 4,000,000+ BTC lost. An estimated

346 views • 24 slides
The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of

The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of

The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of unincorporated Sacramento County almost completely surrounded by the City of Sacramento. As not part of the City of Sacramento, the Finger does

474 views • 20 slides
Chord

Chord

What is Chord? What does it do? Chord

325 views • 7 slides

More recommend