Where to Look for What You See Is What You Sign? User Confusion in Transaction Security

Conference paper in: Computer Security – ESORICS 2019 (ESORICS 2019), Lecture Notes in Computer Science, volume 11735.

Abstract

The What You See Is What You Sign (WYSIWYS) scheme is a popular transaction verification method in online banking which is designed to prevent fraud even if the transfer-issuing device is compromised. To evaluate its practical effectiveness, we asked 100 online banking customers to pay two invoices by credit transfer. The second transfer was attacked by secretly replacing the beneficiary's account number and displaying the fraudulent transaction details on the confirmation page that asks a customer for a one-time password as generated by their second-factor device. The attacked authentication method was the same one the participants also use in private with their principal bank. Our attack is highly effective and causes many participants to use the fraudulent details displayed on screen for verification instead of the original invoice. On top of that, a majority did not verify their transactions at all. Participants with a technical background, and those with experience of certain or of multiple transaction authentication methods, were less likely to fall victim to the attack.
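The flow the abstract describes, as an added illustration (this is not code from the paper, and it does not reproduce any bank's actual TAN scheme): a toy model in which the bank and the second-factor device derive the TAN with an HMAC over the transaction details, a man-in-the-browser swaps the beneficiary IBAN and paints the swapped details onto the confirmation page, and the customer compares the device display with either the original invoice, the confirmation page, or nothing. The IBANs, amount and shared key are constructed sample values. The model shows the security-relevant point of the study: the TAN binding does its job (a TAN computed over the invoice is rejected for the altered transfer), yet the fraud still goes through whenever the customer's reference for "what I see" is the screen rather than the invoice.

```python
"""Toy model of a WYSIWYS credit transfer and the confirmation-page attack.

Added illustration, not code from the paper.  Assumptions of this model:
the second-factor device and the bank derive the TAN with an HMAC over the
transaction details (real chipTAN/appTAN schemes differ in detail), the
device receives the transaction over a channel the attacker cannot alter,
and the IBANs, amount and key below are constructed sample values.
"""
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data (not taken from the paper).
INVOICE = {"iban": "DE02120300000000202051", "amount": "149.90"}
ATTACKER_IBAN = "DE89370400440532013000"
DEVICE_KEY = b"constructed shared secret between bank and device"


def tan_for(details: dict, counter: int, key: bytes = DEVICE_KEY) -> str:
    """Derive a 6-digit TAN bound to the transaction details and a counter.

    Because the TAN depends on beneficiary and amount, it only authorises the
    transaction the device displayed: that is the WYSIWYS property.
    """
    msg = f"{counter}|{details['iban']}|{details['amount']}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Bank side: challenges the transfer it received and executes it only
    if the TAN matches those exact details."""

    def __init__(self) -> None:
        self.counter = 0
        self.executed = []

    def start_transfer(self, details: dict) -> dict:
        self.counter += 1
        # The bank forwards the details it received to the second-factor device.
        return {"counter": self.counter, "details": dict(details)}

    def confirm(self, challenge: dict, tan: str) -> bool:
        expected = tan_for(challenge["details"], challenge["counter"])
        if hmac.compare_digest(expected, tan):
            self.executed.append(challenge["details"])
            return True
        return False


def man_in_the_browser(details: dict) -> dict:
    """Compromised transfer-issuing device: swaps the beneficiary IBAN."""
    return {**details, "iban": ATTACKER_IBAN}


def second_factor_device(challenge: dict) -> tuple[dict, str]:
    """Trusted device: shows the details it received and computes the TAN."""
    details = challenge["details"]
    return details, tan_for(details, challenge["counter"])


def simulate(verify_against: str, attacked: bool = True) -> str:
    """Run one transfer; return the executed beneficiary IBAN or "aborted".

    verify_against selects what the customer compares the device display
    with: "invoice" (the original document), "screen" (the confirmation
    page, which the malware controls) or "none" (no verification at all).
    """
    bank = Bank()
    submitted = man_in_the_browser(INVOICE) if attacked else dict(INVOICE)
    challenge = bank.start_transfer(submitted)
    # The malware renders the altered details on the confirmation page, so
    # the page agrees with whatever the device is about to show.
    confirmation_page = submitted
    shown_on_device, tan = second_factor_device(challenge)

    reference = {"invoice": INVOICE, "screen": confirmation_page}.get(verify_against)
    if reference is not None and shown_on_device != reference:
        return "aborted"  # mismatch noticed, TAN never entered
    if not bank.confirm(challenge, tan):
        raise RuntimeError("device and bank disagree on the TAN")
    return bank.executed[-1]["iban"]


if __name__ == "__main__":
    for strategy in ("invoice", "screen", "none"):
        print(f"{strategy:8s} -> {simulate(strategy)}")
```

Running the block prints one line per verification strategy; only the customer who checks the device display against the invoice aborts the attacked transfer. Swapping the HMAC for a real signing scheme does not change the outcome, since the gap the study measures is in what the customer compares against, not in the cryptography.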

Notes

  1. Neither our university nor the company had an institutional review board (IRB).

Author information

Corresponding author: Vincent Haupert.

Appendix

Table 2. Victim rate (O, %) and frequency (N) depending on participant demographics and their personal TAN method.
Fig. 5.

Sparkasse Nürnberg (April 17, 2019): Whether the bank displays transaction details on the confirmation page even depends on the TAN method the customer uses with the bank. Our tests show that Sparkasse shows no details on the confirmation page for the chipTAN method but displays the full transaction details if the smsTAN or appTAN method is used.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Haupert, V., Gabert, S. (2019). Where to Look for What You See Is What You Sign? User Confusion in Transaction Security. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_21

  • DOI: https://doi.org/10.1007/978-3-030-29959-0_21
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-29958-3
  • Online ISBN: 978-3-030-29959-0