Where to Look for What You See Is What You Sign? User Confusion in Transaction Security

The What You See Is What You Sign (WYSIWYS) scheme is a popular transaction verification method in online banking, designed to prevent fraud even when the transfer-issuing device is compromised. To evaluate its practical effectiveness, we asked 100 online banking customers to pay two invoices by credit transfer. The second transfer was attacked by secretly replacing the beneficiary's account number and displaying the fraudulent transaction details on the confirmation page that asks the customer for a one-time password generated by their second-factor device. The attacked authentication method was the same one the participants use in private with their principal bank. Our attack is highly effective: it causes many participants to verify against the fraudulent details displayed on screen instead of against the original invoice. On top of that, a majority did not verify their transactions at all. Participants with a technical background, and those with experience of certain or multiple transaction authentication methods, were less likely to fall victim to the attack.
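To make the failure mode concrete, the following simulation (added here as an illustration; it is not the paper's code or any bank's protocol) models a transaction-bound OTP as an HMAC over the beneficiary and amount that the second-factor device displays. The secret, account numbers and the three user behaviours are constructed assumptions. It shows why a man-in-the-browser that swaps the beneficiary before the bank receives the transfer defeats every user who compares the token display against the confirmation page, and only the user who compares against the invoice stops the transfer.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo secret shared between the bank and the customer's second-factor device.
SHARED_SECRET = b"demo-secret-shared-by-bank-and-token"

# Constructed account numbers (not real IBANs).
INVOICE_IBAN = "DE00INVOICE00000000001"
ATTACKER_IBAN = "DE00ATTACKER0000000002"


@dataclass(frozen=True)
class Transfer:
    beneficiary_iban: str
    amount_cents: int


def transaction_otp(secret: bytes, t: Transfer) -> str:
    """Transaction-bound OTP: an HMAC over exactly the details the token displays,
    truncated to 8 hex digits as a stand-in for a numeric TAN."""
    msg = f"{t.beneficiary_iban}|{t.amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def browser_submit(invoice: Transfer, compromised: bool) -> Transfer:
    """The transfer-issuing device. A compromised browser swaps the beneficiary before
    the request leaves the machine, and its confirmation page shows the swapped details."""
    if compromised:
        return Transfer(ATTACKER_IBAN, invoice.amount_cents)
    return invoice


def token_display(t: Transfer) -> str:
    """The second-factor device renders what the bank actually received; it cannot know
    what the paper invoice said, so the attacker's details appear here as well."""
    return f"Pay {t.amount_cents / 100:.2f} EUR to {t.beneficiary_iban}"


def bank_accepts(submitted: Transfer, otp: Optional[str]) -> bool:
    """The bank executes only if the OTP was computed over the submitted details."""
    if otp is None:
        return False
    return hmac.compare_digest(otp, transaction_otp(SHARED_SECRET, submitted))


def run_session(invoice: Transfer, compromised: bool, behaviour: str) -> dict:
    """One confirmation step. `behaviour` models the user groups in the abstract:
    'invoice' - compare the token display against the paper invoice
    'screen'  - compare the token display against the browser's confirmation page
    'none'    - type the OTP without checking anything."""
    submitted = browser_submit(invoice, compromised)
    confirmation_page = submitted          # the browser shows whatever it sent
    shown = token_display(submitted)
    if behaviour == "invoice":
        confirmed = invoice.beneficiary_iban in shown
    elif behaviour == "screen":
        confirmed = confirmation_page.beneficiary_iban in shown
    elif behaviour == "none":
        confirmed = True
    else:
        raise ValueError(f"unknown behaviour {behaviour!r}")
    otp = transaction_otp(SHARED_SECRET, submitted) if confirmed else None
    executed = bank_accepts(submitted, otp)
    return {"executed": executed, "fraudulent": executed and submitted != invoice}


if __name__ == "__main__":
    invoice = Transfer(INVOICE_IBAN, 12_345)
    for behaviour in ("invoice", "screen", "none"):
        print(behaviour, run_session(invoice, compromised=True, behaviour=behaviour))
```

The cryptographic binding itself holds: an OTP generated for the invoice's beneficiary does not authorize the swapped transfer, which is why the attacker has to change the details before the token ever sees them. The scheme's guarantee therefore rests entirely on the user comparing the token display with an out-of-band reference (the invoice), not with anything the compromised browser renders.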
