Category: User experience


Permalink 03:51:21 pm, by Igor Drokov, in User experience, Strong authentication, Internet banking  

So you want to do transaction signing to protect against online banking Trojans? Here are a few videos to help you compare the usability of the options.


Permalink 07:42:01 pm, by Igor Drokov, in User experience, Online identity  

A lot is written on the privacy implications of sharing your personal information with different web services. Concerns have been raised about the ownership of information users upload to "the cloud" and its persistence.

One recent experiment demonstrated that once you have used an online service to share your photos it might be problematic to remove them even when you choose to:

My colleagues Jonathan Anderson, Andrew Lewis, Frank Stajano and I ran a small experiment on 16 social-networking, blogging, and photo-sharing web sites and found that most failed to remove image files from their photo servers after they were deleted from the main web site. It’s often feared that once data is uploaded into “the cloud,” it’s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.

Well, maybe deleting a single photo is too small an operation to expect the site to really make sure it's gone forever. Surely, one would hope that once you de-register your whole account, it will be gone for good?

I have recently tried to close my Facebook account. According to Facebook's privacy policy:

Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

OK, I understand that purging backup copies is probably too much for a user to ask. However, I was surprised to receive the following email after deactivating my account:

You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.

The Facebook Team

Indeed, on clicking the "resurrect" link I found myself back at my profile with all connections and personal information intact.

OK, maybe having a "grace" period for users who deactivate their accounts on the spur of the moment is a good feature. So I deactivated my account again and this time left it for almost a month. Yet, today I was able to successfully log in to my surely-by-now-non-existent account and found all my connections and information intact, just as it was...

Welcome to the Hotel California 2.0:

"You can checkout any time you like, But you can never leave!"


One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email looks so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not been willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life easy for fraudsters. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and by marketing, are needed to mitigate the large fraud losses we see today.


Permalink 03:50:13 pm, by Igor Drokov, in User experience, Strong authentication  

Trusted path is quite a common term in security research. It is the basis of many security protocol and application designs, and a breach of it is one of the most common attack vectors.

This week, the Security Group published their findings on the vulnerability of PIN entry devices (PEDs) currently deployed in the UK (details are available in their technical report). The vulnerability arises partially from insufficient protection of the PEDs against tampering and partially from the communications between the card and the device not being encrypted. This effectively breaks the trusted path between the customer's card and the retailer's terminal/card processing network. You can watch the BBC Newsnight programme covering this.

This week we (Cronto) have also made an announcement about potential vulnerabilities of Chip and PIN based authentication for online banking. Whilst the CAP readers deployed by the UK banks can provide transaction authentication, there is still a weak link. If the user is tricked into entering incorrect details into the CAP reader, then they could inadvertently be authorising a fraudulent transaction. Whilst the possibility of this happening might seem remote, our analysis of existing systems shows otherwise. Again, the threat arises because there is no trusted path from the bank to the user's card/reader: the attacker can manipulate how the bank's website is presented to the user.

The trusted path issue is common to all consumer payments industry applications: from ATMs with added PIN pads and tampered retail terminals to man-in-the-browser'ed banking websites. The problem is also increasing with the growth of the payments industry, and any potentially successful solution requires a new approach based on innovation rather than attempts to patch the holes in the old protocols.

These issues are already a subject of both academic research and commercial product development. Some see a solution in the USB tokens with strong security protocols, some suggest the mobile phone based PKI certificates are the answer. At Cronto, we believe the visual channel is the best way to go.


We believe that our visual cryptogram can provide a trusted path from the bank to the customer in a way which is both secure and simple for consumers.

Cronto Visual Cryptogram

We chose the visual channel for the following reasons:

  • The image can contain encrypted data
  • Most end user terminals can display images: from ATMs to Train Ticket machines to websites, no hardware modifications are needed
  • Taking a picture of the terminal is easy for the user
  • Any personal device can be used: a camera phone, a dedicated camera token or, potentially, a CAP reader, and even a credit card itself extended with a camera and our algorithms running on the chip
  • Both attack vectors – the data in transfer being tampered with, and the user typing incorrect information – are mitigated
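To make the two attack vectors in the last bullet concrete, here is a small model of a bank-to-device trusted path, written for this post as an added example. It is not Cronto's algorithm or code: the image is abstracted as a byte string, the authentication is a plain HMAC under a constructed device key, and the transaction values are made up. The bank encodes the transaction it actually received; the user's device verifies the encoding before displaying it, so tampering in transit is detected, and because the details shown come from the bank rather than from the web page, a browser that altered the payment is exposed to the user before they confirm.

```python
import hmac, hashlib, json

# Constructed shared secret between the bank and this user's device (camera phone, token, ...).
DEVICE_KEY = hashlib.sha256(b"example-device-key-not-real").digest()
TAG_LEN = 32

def bank_make_cryptogram(key, txn):
    """Bank side: encode what the bank received, authenticated under the device key.
    The image that would carry these bytes is abstracted away."""
    payload = json.dumps(txn, sort_keys=True).encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def device_decode(key, cryptogram):
    """Device side: verify the cryptogram; return the details to display, or None if tampered."""
    payload, tag = cryptogram[:-TAG_LEN], cryptogram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        return None
    return json.loads(payload)

def device_response(key, txn):
    """Short code the user types back into the website; bound to the displayed details."""
    payload = json.dumps(txn, sort_keys=True).encode()
    return hmac.new(key, b"response|" + payload, hashlib.sha256).hexdigest()[:8]

def bank_verify(key, txn, code):
    """Bank accepts only a response computed over the transaction it is about to execute."""
    return hmac.compare_digest(code, device_response(key, txn))

def run(intended, submitted, tamper=False):
    """Simulate one payment. `intended` is what the user meant; `submitted` is what reached
    the bank (possibly altered in the browser); `tamper` flips a bit of the image in transit."""
    cg = bank_make_cryptogram(DEVICE_KEY, submitted)
    if tamper:
        cg = bytearray(cg); cg[5] ^= 0x01; cg = bytes(cg)
    shown = device_decode(DEVICE_KEY, cg)
    if shown is None:
        return "rejected_by_device"        # data in transfer was tampered with
    if shown != intended:
        return "rejected_by_user"          # user sees the real payee/amount and declines
    code = device_response(DEVICE_KEY, shown)
    return "approved" if bank_verify(DEVICE_KEY, submitted, code) else "rejected_by_bank"

# Constructed sample transactions.
INTENDED = {"amount": "10.00", "currency": "GBP", "to": "12-34-56 12345678"}
ALTERED = {"amount": "1000.00", "currency": "GBP", "to": "99-99-99 87654321"}
```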


Permalink 11:24:29 am, by Igor Drokov, in Security thoughts, User experience, Online identity  

On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.

As part of their investigation, the Committee engaged a multitude of experts, ranging from PayPal CISO Michael Barrett and Prof. Ross Anderson to Bruce Schneier and Robert Littas, Head of Fraud Management at Visa Europe. Both the report and the evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must read for every security professional.

Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club, a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit its views on the subject. They did so with the following introduction:

Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.

Like every other witness, the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of the 6 suggestions made by the Club. The following excerpts from the report illustrate this.

Club: "There must be positive Government guidance pushed to users;"


8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Club: "Government advice must be from a single point of contact;"


8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.

Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"


8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

Club: "Software produces must take more care when writing software to avoid bugs in the first place;"


8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"


8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps "users don't know what they want" is not as true as many vendors tend to believe, and users can not only help to identify problems but also to develop solutions?
