DOI: 10.1145/1600176.1600178

Security and usability: the gap in real-world online banking

Published: 15 July 2008

Abstract

Online banking is one of the most sensitive tasks performed by general Internet users. Most traditional banks now offer online banking services and strongly encourage customers to bank online with 'peace of mind.' Although banks heavily advertise an apparent '100% online security guarantee,' the fine print typically makes this conditional on users fulfilling certain security requirements. We examine some of these requirements, as set by major Canadian banks, in terms of security and usability. We opened personal checking accounts at the five largest Canadian banks and one online-only bank. We found that many security requirements are too difficult for regular users to follow, and we believe that some marketing-related messages about safety and security actually mislead users. We are also interested in what kind of computer systems people really use for online banking, and whether users satisfy common online banking requirements. Our survey of 123 technically advanced users from a university environment strongly supports our view of an emerging gap between banks' expectations (or at least what their written customer policy agreements imply) and users' actions related to the security requirements of online banking. Because our participants are more security-aware than the general population, our results arguably represent a best case for what can be expected from regular users. Yet most participants failed to satisfy common security requirements, implying that most online banking customers do not (or cannot) follow banks' stated end-user security requirements and guidelines. The survey also sheds light on the security settings of systems used for sensitive online transactions. This work is intended to spur discussion of real-world system security and user responsibilities, in a scenario where everyday users are heavily encouraged to perform critical tasks over the Internet despite the continuing absence of appropriate tools to do so.

Cited By

  • (2023) Electronic Banking Frauds. In: Theory and Practice of Illegitimate Finance, ch. 9, pp. 166-183. DOI: 10.4018/979-8-3693-1190-5.ch009. Published 8 Sep 2023.
  • (2023) Data Security, Customer Trust and Intention for Adoption of Fintech Services: An Empirical Analysis From Commercial Bank Users in Pakistan. Sage Open 13(3). DOI: 10.1177/21582440231181388. Published 14 Jul 2023.
  • (2023) Measuring Website Password Creation Policies At Scale. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3108-3122. DOI: 10.1145/3576915.3623156. Published 15 Nov 2023.
  • (2023) Investigating the Password Policy Practices of Website Administrators. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 552-569. DOI: 10.1109/SP46215.2023.10179288. Published May 2023.
  • (2021) ERP System for College Automation Using Quick Response Code. International Journal of Scientific Research in Science and Technology, pp. 606-612. DOI: 10.32628/IJSRST2183136. Published 6 Jun 2021.
  • (2020) Taming the Digital Bandits: An Analysis of Digital Bank Heists and a System for Detecting Fake Messages in Electronic Funds Transfer. In: National Cyber Summit (NCS) Research Track 2020, pp. 193-210. DOI: 10.1007/978-3-030-58703-1_12. Published 9 Sep 2020.
  • (2019) End-Users and Service Providers: Trust and Distributed Responsibility for Account Security. In: 2019 17th International Conference on Privacy, Security and Trust (PST), pp. 1-6. DOI: 10.1109/PST47121.2019.8949041. Published Aug 2019.
  • (2018) A Proposal of Usability Heuristics Oriented to E-Banking Websites. In: Design, User Experience, and Usability: Theory and Practice, pp. 327-345. DOI: 10.1007/978-3-319-91797-9_23. Published 2 Jun 2018.
  • (2017) A model for evaluating the security and usability of e-banking platforms. Computing 99(5), pp. 519-535. DOI: 10.1007/s00607-017-0546-9. Published 1 May 2017.
  • (2016) Why do people use unsecure public wi-fi? In: Proceedings of the 6th Workshop on Socio-Technical Aspects in Security and Trust, pp. 61-72. DOI: 10.1145/3046055.3046058. Published 5 Dec 2016.

Published In

NSPW '07: Proceedings of the 2007 Workshop on New Security Paradigms
July 2008
109 pages
ISBN:9781605580807
DOI:10.1145/1600176
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Sponsors

  • San Diego Super Computing Ctr
  • James Madison University
  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. online banking
  2. security requirements
  3. usability

Qualifiers

  • Research-article

Conference

NSPW '07

Acceptance Rates

NSPW '07 paper acceptance rate: 11 of 27 submissions (41%)
Overall acceptance rate: 98 of 265 submissions (37%)

Article Metrics

  • Downloads (last 12 months): 91
  • Downloads (last 6 weeks): 5
Reflects downloads up to 06 Jan 2025
