
5.2 Results

5.2.2 Findings

During the test the interviewees offered a number of ideas and thoughts about the Petname System, the OffPAD and phishing in general.

We will now go through the points from the interviews and discuss the interviewees' comments and feedback.

As mentioned earlier, we used the name OffPAD for the device on the table and Petname System for the application. As a result the subjects mostly used the word OffPAD for both. This causes no inconvenience, since in this test and interview they are the same thing.

Test without the OffPAD

Four of the subjects noticed a phishing site. The only one in group A said that he or she always checked the URL. In group B two of the subjects found the phishing site because they expected to find one. Both claimed in the interview that they had noticed something they considered abnormal, which in fact was completely correct. The first person thought the URL was too long even though it was exactly the same length as the original; the other read "fakebook" instead of "facebook".

The last person in group B noticed the phishing site without the OffPAD right away. He or she also pinpointed the phishing site before trying to log into it in the exercise with the OffPAD.

Test with the OffPAD

Every subject reacted to the alert message from the OffPAD when they entered their user name and password into the phishing site. One let the request continue even though he or she noticed the difference in the domain names. When asked why, we got the answer "it was just to see what happened". This illustrates the problem of invoking the curiosity of Internet users: they will click.

How vigilance changed

Most of the subjects reported a higher vigilance after the first phishing site was found. Two said that they did not become more vigilant, as they were always vigilant when using the Internet. It was the same subjects who found the phishing site before the OffPAD gave any indication.

As this is a constructed environment with constructed actions, the subject becomes suspicious and is likely to expect another phishing attack after the first. How long this heightened vigilance would last in a normal environment is hard to say. We suspect the vigilance would decrease to a normal level within a couple of hours after a failed attack.

Sense of security with the OffPAD

The change in the sense of security with and without the OffPAD varied from no change to a heightened sense with the OffPAD. Those who felt equally secure said it did not add much to what they already did themselves, or they had certain habits regarding which websites they usually visit and rarely deviated from these.

The subjects who felt safer described the OffPAD as an extra precaution when surfing the Internet.

Impact on daily internet use

None of the subjects mentioned any direct negative implications of using an OffPAD. Most did not think this system would change their behaviour.

Here they reiterated the use of web browser bookmarks and typing the address themselves as a reason.

It was also mentioned that the Google search engine was used to find websites on the Internet. Google is very efficient at removing suspected phishing and malware sites. It also gives the most popular results first, which usually is the correct site.

One important point mentioned by one of the subjects was that a Petname System might indirectly make him or her more reckless on the Internet. It highlights a flaw in the implementation. In the way this Petname System is implemented (e.g. not responding to GET requests) it can give a false sense of security, making users an easier target for phishing attacks.
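To make concrete the behaviour described under "Test with the OffPAD" and the limitation raised just above, here is an added Python sketch of the decision a petname device makes when the browser is about to send a request. It is not code from the thesis or from the OffPAD prototype; the PetnameStore structure, the function names, the similarity hint and the sample URLs (facebook.com, fakebook.com, netbank.example) are constructed for illustration. It shows the alert on credential submission to an unknown host, and that a plain page load (GET) passes silently, which is exactly the gap that can lull a user into a false sense of security.

```python
from dataclasses import dataclass, field
from difflib import get_close_matches
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Normalised host of a URL: lower case, no trailing dot, no port."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


@dataclass
class PetnameStore:
    """User-managed bindings petname -> host, kept on the user's own device.
    (Hypothetical structure; the real prototype's storage is not described here.)"""
    bindings: dict = field(default_factory=dict)

    def bind(self, petname: str, url: str) -> None:
        # A binding is created once, when the user first decides to trust a site.
        # Because the user holds it, a man-in-the-middle proxy cannot alter it.
        self.bindings[petname] = host_of(url)

    def petname_for(self, host: str):
        for name, bound in self.bindings.items():
            if bound == host:
                return name
        return None

    def closest(self, host: str):
        # Best-effort hint for the alert: which known site does this host resemble?
        # Constructed design choice, not something the thesis prototype claims to do.
        matches = get_close_matches(host, list(self.bindings.values()), n=1, cutoff=0.6)
        if not matches:
            return None
        return self.petname_for(matches[0]), matches[0]


def check_request(store: PetnameStore, method: str, url: str,
                  has_credentials: bool) -> tuple:
    """Decision for one outgoing request: ('allow'|'alert'|'silent', message)."""
    host = host_of(url)
    petname = store.petname_for(host)
    if petname is not None:
        # Known site: no user interaction needed, as the participants wanted.
        return "allow", f"known site: {petname} ({host})"
    if method.upper() == "POST" and has_credentials:
        # Credentials are about to leave the browser towards a host with no petname.
        msg = f"credentials are about to be sent to unknown site {host}"
        hint = store.closest(host)
        if hint:
            msg += f"; it resembles {hint[0]} ({hint[1]})"
        return "alert", msg
    # Limitation from the findings: merely loading the page (a GET with no
    # credentials) produces no warning, so the phishing page is shown without
    # any indication from the device.
    return "silent", f"no check performed for {method.upper()} {host}"


def build_demo_store() -> PetnameStore:
    """Constructed sample bindings a user might have created."""
    store = PetnameStore()
    store.bind("Facebook", "https://facebook.com/login")
    store.bind("My bank", "https://netbank.example/")
    return store


def demo() -> list:
    """Run three constructed requests through the check and return the decisions."""
    store = build_demo_store()
    requests = [
        ("POST", "https://facebook.com/login", True),   # genuine login
        ("POST", "https://fakebook.com/login", True),   # lookalike, credentials sent
        ("GET", "https://fakebook.com/", False),        # lookalike merely loaded
    ]
    results = [check_request(store, m, u, c) for m, u, c in requests]
    for (m, u, _), (decision, msg) in zip(requests, results):
        print(f"{m:4} {u:32} -> {decision}: {msg}")
    return results


if __name__ == "__main__":
    demo()
```

The exact host comparison is deliberate: a petname binds a label to one host, so a lookalike that differs by a single character, like the "fakebook" reading reported above, is simply unknown rather than almost-known. The similarity hint only exists to make the alert readable; the decision itself never relies on it.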

Devices to use

All the subjects had a negative attitude to a device like the TazCard that only supplied a Petname System. One of the subjects would probably use a solution like this for important sites like the bank and e-Government if it was available, but not for web mail and social networks. Two subjects mentioned that they would have considered it if it was the size of a key chain. A fourth subject pointed out "Who would pay for this junk?". It is a fair question, as such a device might be just as expensive as a simple smart phone.

Most of the participants were positive to a multi-purpose authentication device, as this could limit the number of required devices to one. One participant had a different view; he or she said they would be more sceptical of a device holding all of their credentials. "If it got lost you get more problems", referring to the fact that if someone takes the device and manages to unlock it, they can access every service the user is using. It shows the importance of having a good and simple revocation system in place which the users have confidence in.

The most preferable solution for all the participants was to use their mobile phone in one way or another. One added "If it goes seamlessly. Can use some time in the beginning to set it up. (...) As long as you do not need to do any action if the site is already known". It shows that a Petname System would be used if it does not require much user interaction when pages are known and everything is normal.

All the subjects wanted the device to be wireless and not connected with a cable as the TazCard was in this experiment. It should not be necessary to take it out of the pocket or backpack when it is going to be used.

The threat of phishing

The answers from the participants regarding their awareness of phishing attacks showed that this was not high on their agenda. Most of them did not care or did not believe it would happen to them. The reason was that they mostly used their own bookmarks or typed the domain name themselves when logging in to a site.

There was one exception, where phishing was regarded as a big threat.

"You can lose much if you get phished". This person also mentioned indirectly having been the target of a phishing attack. It was easy to see that this person was more aware, because he or she discovered all the phishing sites before the Petname System could react.

They all considered the possibility of being directly targeted in a spear phishing attack very unlikely.

Usability of the prototype

All the participants had a positive impression of the prototype. The feedback ranged from "It's all right" to "Surprisingly good". Size was also mentioned here: it has to be smaller. It also got positive remarks on its response time.

A participant pointed out "It was intuitive and easy to use (...) for me it was no problems, but if you are not a technical person it might be a bit hard".

It did not seem to cause any problems for the two non-technical persons participating in this study.

Summary

The key findings from this test and the related interviews can be summarised as follows:

• A Petname System can help to discover phishing sites.

• The Petname System did indirectly teach the users what to look for.

• The device used should either be a mobile phone or a small device.

• The user must be aware of the limitations of the Petname System.

Chapter 6

Conclusion

We have in this thesis discussed different methods and technologies that can help to ensure the user’s security on the Internet. In the course of this thesis we have answered our research questions from Section 1.4 on page 3.

We have described the challenges of cognitive entity authentication on the Internet today, and described a system that protects users from giving away their personal information to unknown and potentially malicious websites. The external Petname System has been developed, tested and evaluated as planned.

6.1 Cognitive Service Authentication

There is absolutely a need for a user to be able to perform cognitive entity authentication of service providers, because more of the technical client-to-service solutions available can be mimicked or even bought by the attacker in a legal way (e.g. SSL certificates). There is also a problem of user awareness about security limitations in systems widely available today. Such a system could be introduced to help users in their assessment of security factors, both as a means to educate and to secure users.

When the management and operation of a system is placed on the user's side, it becomes hard for a man-in-the-middle to fool the system with a proxy solution. For the same reason such a system will also be superior to most of the user personalisation solutions described in Section 2.2.4 on page 21.

The Petname System is a proven and working concept. If available, it will help a user to ensure stronger security. As the system focuses on the domain name, it might be interesting to combine this with DNSSEC, which uses cryptographic functionality to validate DNS integrity.

Certificates will still be used to ensure a secure channel between the service and the client. It cannot be expected of a user to actually open the certificate to check if it is valid; the mental load would be too high. Even the process of checking whether the SSL indicator is present and remembering this until the next time he or she accesses the same site places too high a mental load on the user, which can be part of the explanation for the number of people not noticing the SSL indicator.