Online banking is one of the most sensitive tasks performed by general Internet users. Most traditional banks now offer online banking services, and strongly encourage customers to do online banking with 'peace of mind.' Although banks heavily advertise an apparent '100% online security guarantee,' typically the fine print makes this conditional on users fulfilling certain security requirements. We examine some of these requirements as set by major Canadian banks, in terms of security and usability. We opened personal checking accounts at the five largest Canadian banks, and one online-only bank. We found that many security requirements are too difficult for regular users to follow, and believe that some marketing-related messages about safety and security actually mislead users. We are also interested in what kind of computer systems people really use for online banking, and whether users satisfy common online banking requirements. Our survey of 123 technically advanced users from a university environment strongly supports our view of an emerging gap between banks' expectations (or at least what their written customer policy agreements imply) and users' actions related to security requirements of online banking. Because our participants are more security-aware than the general population, our results arguably represent a best case for what can be expected from regular users. Yet most participants failed to satisfy common security requirements, implying that most online banking customers do not (or cannot) follow banks' stated end-user security requirements and guidelines. The survey also sheds light on the security settings of systems used for sensitive online transactions. This work is intended to spur a discussion on real-world system security and user responsibilities, in a scenario where everyday users are heavily encouraged to perform critical tasks over the Internet, despite the continuing absence of appropriate tools to do so.