Abstract
The What You See Is What You Sign (WYSIWYS) scheme is a popular transaction verification method in online banking, designed to prevent fraud even if the transfer-issuing device is compromised. To evaluate its practical effectiveness, we asked 100 online banking customers to pay two invoices by credit transfer. The second transfer was attacked by secretly replacing the beneficiary's account number and displaying the fraudulent transaction details on the confirmation page that asks the customer for a one-time password generated by their second-factor device. The attacked authentication method was the same one the participants use privately with their principal bank. Our attack is highly effective and led many participants to verify the transaction against the fraudulent details displayed on screen rather than against the original invoice. On top of that, a majority did not verify their transactions at all. Participants with a technical background, and those with experience with particular transaction authentication methods or with several of them, were less likely to fall victim to the attack.
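The abstract's point is that under a compromised transfer-issuing device the confirmation page is attacker-controlled, so a WYSIWYS check only helps if the second-factor display is compared against the original invoice. The following toy model is an added example, not code from the paper; the account numbers, the `Transfer` type and the strategy names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    beneficiary: str  # account number as printed on the invoice
    amount: str


# Constructed sample data: the invoice the user wants to pay and a
# placeholder account the attacker substitutes (not real account numbers).
INVOICE = Transfer(beneficiary="XX00 1111 2222 3333 4444 55", amount="129.00 EUR")
ATTACKER_ACCOUNT = "XX00 9999 8888 7777 6666 55"


def compromised_browser(submitted: Transfer) -> Transfer:
    """Models the compromised issuing device: the order that actually reaches
    the bank carries a replaced beneficiary while the user believes the
    invoice data was submitted."""
    return Transfer(beneficiary=ATTACKER_ACCOUNT, amount=submitted.amount)


def confirmation_page(sent_to_bank: Transfer) -> Transfer:
    """The confirmation page is rendered on the same device, so under attack it
    shows the fraudulent details as if they were what the user entered."""
    return sent_to_bank


def second_factor_display(sent_to_bank: Transfer) -> Transfer:
    """The second-factor device gets the transaction from the bank over an
    independent channel; its display cannot be altered by the attacker."""
    return sent_to_bank


def verify(reference: Transfer, displayed: Transfer) -> bool:
    """WYSIWYS check: the user approves only if the displayed details match
    the chosen reference."""
    return reference == displayed


def run(strategy: str, attacked: bool = True) -> bool:
    """Simulate one transfer under a user verification strategy.
    Returns True if the transfer that reached the bank gets approved."""
    sent = compromised_browser(INVOICE) if attacked else INVOICE
    device = second_factor_display(sent)
    if strategy == "none":      # no verification at all
        return True
    if strategy == "screen":    # compare device display against the confirmation page
        return verify(confirmation_page(sent), device)
    if strategy == "invoice":   # compare device display against the original invoice
        return verify(INVOICE, device)
    raise ValueError(f"unknown strategy: {strategy}")
```

Only the "invoice" strategy rejects the manipulated transfer while still approving an honest one; comparing against the screen approves whatever the compromised device shows.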
Notes
1. Neither our university nor the company had an institutional review board (IRB).
© 2019 Springer Nature Switzerland AG
Cite this paper
Haupert, V., Gabert, S. (2019). Where to Look for What You See Is What You Sign? User Confusion in Transaction Security. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_21
DOI: https://doi.org/10.1007/978-3-030-29959-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0