web application security lab

World Usability Day

Well, it came and went without much fanfare, but November 14th was World Usability Day (there are some amusing posters on this link). The first user comment on that blog post is pretty amusing too, as the event is sponsored by SAP, who the commenter apparently has issues with. Okay, so what does this mean for us in the security world? Here are RSnake’s tenets of security usability:

1) Don’t ask the user to change their password every 30 days, never recycle their password, and never use anything that even vaguely resembles something a human could actually remember, and then get upset when they write their password down on a sticky note or store it in an automatic form submission program.

2) Don’t tell users that they are “hacker safe” when they aren’t. Guess what, bad guys can make fake graphics that say the same thing about their phishing sites and your site isn’t safe anyway.

3) Don’t force users to install software from a website. The bad guys do the exact same thing and trust me, they aren’t as nice as you are.

4) Don’t rely on users remembering to carry a one time key fob with them every time they want to use your e-commerce site. People put them on keyrings, lend them to other people, lose them, or otherwise break them. And everyone else is making them do the same thing. Now they have 50 fobs, and they have to remember which to use for what website. Here’s a clue: we’ve seen users who don’t know if the number they are supposed to type in is the one that changes or the serial number on the back. Yes, consumers are that helpless.

5) Don’t ship products that require other products to secure them.

6) Don’t launch an education program that is designed to stop fraud by x%. It’s not going to. Get over it. All you’re doing is wasting the user’s time. They’ll still get phished. If you stopped spending the money on education and fixed your broken system, you wouldn’t need education programs that no one will read.

7) Don’t make crazy elaborate password setups where people have to use their mouse to punch in random numbers on a keypad after remembering some algorithm in their head. Do I really need to explain why?

8) Don’t expect users to keep their machines up to date with patches. They hate that annoying popup window when they’re playing solitaire.

9) Don’t expect users to make configuration changes to their browser to protect themselves from your poorly designed web-application. They barely know how to click the “internet icon thingy” without their head exploding.

10) and lastly… Stop telling users that their cheapo $50 Office Depot firewall is going to save them. It’s not. They’re screwed.

And that is my small contribution to the security of “world usability day” even if I’m a week or so late. Don’t get too upset, I’m mostly joking anyway. I know everyone will keep doing what they’re doing regardless of how little it’s helping. God bless the free market economy and foolhardy developers.

5 Responses to “World Usability Day”

  1. Mephisto Says:

    I agree with everything you have said. Funny thing is some of the things you pointed out are actually being done on government websites. Unfortunately, the industry believes that consumer education is more important than actually fixing the issues with their sites. And that whole “Hacker Safe” revolution is just another “false sense of security” for consumers. It only benefits the companies that sell the scanning services and the websites that use the images. In the end it’s still the consumer who takes it in the…well you know where….

  2. Tribute Says:

    I think the above is great. There are so many things on the above that I have seen happen or have happened to me.
    In my college, the network was unbelievably insecure (as most places of education seem to be) where I would have been able to take the network offline within 2 minutes of logging into an account where my actions would have been untraceable to them and keep the network offline for at least the day.
    But anyway, back on topic, after a short holiday they had updated a lot of the network so it was more secure and with that they had a new password policy. The policy was that you had to choose a new password every 30 days. The second time I changed my password, I forgot it as I didn’t want to use the same password as anything else I had. So I was blocked out of the network for a day. Then when the password was reset (you are given a generic password for when they’ve done the reset (notice a security flaw here)) I noticed the policy didn’t allow the password to be the same as the last 6. So a few minutes later, after changing my password to 111111 then 222222, etc… I had my old (memorable) password back.

    -sorry for the long story :(
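
The rotation policy described in tenet 1 and in Tribute’s story above can be modelled in a few lines. The following is an added example, not code from the original post or its commenters: it simulates a “new password every 30 days, last six remembered” policy, replays the six-throwaway-passwords cycle against it, and then shows that a minimum password age (the control Windows domain policy and Unix `chage -m` expose for exactly this reason) stops the cycle at the second change. The account, passwords and timestamps are constructed for the demo.

```python
"""Password-rotation policy model (added example, not code from the original post).

Models the policy Tribute describes: a new password every 30 days, the last
six passwords remembered, nothing else. The history check alone is defeated
by burning through six throwaway passwords and setting the old one back, all
within minutes. A minimum password age blocks the cycling. Accounts,
passwords and timestamps are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


def _digest(pw: str) -> str:
    # A plain hash is enough to model a history list; a real store would use a salted, slow hash.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


@dataclass
class Account:
    history: list        # digests, oldest first; the last entry is the current password
    changed_at: datetime  # when the current password was set


class RotationPolicy:
    def __init__(self, history_depth=6, max_age=timedelta(days=30), min_age=timedelta(0)):
        self.history_depth = history_depth  # how many recent passwords may not be reused
        self.max_age = max_age              # forced rotation interval
        self.min_age = min_age              # how long a new password must be kept before changing again

    def must_rotate(self, acct: Account, now: datetime) -> bool:
        return now - acct.changed_at >= self.max_age

    def change_password(self, acct: Account, new_pw: str, now: datetime):
        """Apply the policy to a change request; returns (accepted, reason)."""
        if now - acct.changed_at < self.min_age:
            return False, "minimum password age not reached"
        if _digest(new_pw) in acct.history[-self.history_depth:]:
            return False, "password was used within the last %d" % self.history_depth
        acct.history.append(_digest(new_pw))
        acct.changed_at = now
        return True, "changed"


# The six throwaway passwords from the comment (constructed sequence).
FILLER = ["111111", "222222", "333333", "444444", "555555", "666666"]


def cycle_back(policy: RotationPolicy, acct: Account, old_pw: str, now: datetime) -> bool:
    """Replay the commenter's sequence: six filler changes one minute apart, then the old password.

    Returns True when the old password is accepted again, i.e. the policy was defeated.
    """
    for filler in FILLER:
        accepted, _ = policy.change_password(acct, filler, now)
        if not accepted:
            return False
        now += timedelta(minutes=1)
    accepted, _ = policy.change_password(acct, old_pw, now)
    return accepted


def _fresh_account(pw: str, when: datetime) -> Account:
    return Account(history=[_digest(pw)], changed_at=when)


def demo_history_only() -> bool:
    """History check, no minimum age: the old password comes straight back."""
    t0 = datetime(2007, 11, 14, 9, 0)  # constructed date
    acct = _fresh_account("Correct-Horse-1", t0)
    policy = RotationPolicy(history_depth=6)
    t1 = t0 + timedelta(days=30)       # the forced rotation arrives
    assert policy.must_rotate(acct, t1)
    return cycle_back(policy, acct, "Correct-Horse-1", t1)


def demo_with_min_age() -> bool:
    """Same policy plus a one-day minimum age: the second filler change is refused."""
    t0 = datetime(2007, 11, 14, 9, 0)
    acct = _fresh_account("Correct-Horse-1", t0)
    policy = RotationPolicy(history_depth=6, min_age=timedelta(days=1))
    return cycle_back(policy, acct, "Correct-Horse-1", t0 + timedelta(days=30))


if __name__ == "__main__":
    print("history only  -> old password back:", demo_history_only())  # True
    print("with min. age -> old password back:", demo_with_min_age())  # False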

  3. RSnake Says:

    My point exactly. People will always find a way around your security measure if it makes their life more convenient. We have to stop getting in the way of consumers and embrace how they want to use the web while figuring out a way to protect them at the same time. Making them do anything out of the norm is only going to make them discontinue using your security.

  4. KW Says:

    I agree with a lot of what you’ve said. These are some well-considered points.

    I take issue with the spirit of #6, though. Some systems are definitely broken, but a lot of times, phishing has little to do with a broken system, and more to do with the innocence of users opening a web page with a close approximation to their bank/savings plan/whatever. In the corporate environment at least, an ounce of prevention really is worth a pound of cure. I’ve recently had the opportunity to assist in revamping the security policy and practices at a .gov I’m working with. As part of that, we’ve re-written the policy to reflect the utility of pass-phrases, and implemented a short training program which explains how to create strong passwords, and basic social engineering practices. Obviously, we include phishing practices as part of the social engineering training, and you wouldn’t believe the number of light bulbs I see go on over people’s heads during the 45 minute session. Training can work; that said, I agree that you can’t specifically quantify it as reducing the likelihood of compromise by a specific percentage.

  5. RSnake Says:

    So… do you think I (RSnake) would be unable to phish those users after that training if I really felt like it? Care to stake your reputation on it? I sure wouldn’t (even if I had personally done the training). See I completely believe you when you say that lightbulbs went off, because most people know zero about security. But that doesn’t mean they are suddenly safer by sitting through one training class on how to look at the URL bar. In fact, I’ve seen security experts who were phished before. It’s just not as simple as education.

    The problem is people THINK they know what they’re doing after a training program, but they are completely unarmed for the reality of even the most subtle exploitation. The spirit of my comment there is that people get the feeling that they are secure but nothing has changed.

    I have a similar issue with teaching self defense (not martial arts but self defense classes). Instead of telling them that they have no hope in a fight without years of training these horrible teachers tell them they are safe and should feel empowered by carrying keys in their hand while walking alone at night in a bad neighborhood. Instead they should simply avoid any possibility of getting into a conflict. They should carry a gun whenever possible and always travel in groups. That would actually reduce the possibility of successful attack.

    Feeling secure has nothing to do with being secure. It probably CAN help fraud by some small fraction, but the reality is those users are really no better off than when they were before the training statistically speaking. They would be far better off if someone just installed some good anti-phishing software on their machine - thereby spending dollars where it can actually help instead of giving them a false sense of security.

    Anyway, go ahead and do your training. It’s not going to hurt anything probably. However, I won’t be suggesting to any Execs that they should be investing their IT budget into anti-phishing training anytime soon.
