Schneier on Security
A blog covering security and security technology.
March 13, 2013
Security Theater on the Wells Fargo Website
Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account holders feel better.
Posted on March 13, 2013 at 1:30 PM
"it doesn't actually do anything but make account holders feel better." Unfortunately that is more than what most large banks are capable of these days.
Even better, the actual "signing on" and progress bar bits are just animated gifs.
I don't even see where they reticulate my splines. What a farce.
They need to add a "reticulating splines" entry.
If it's just a visual representation of a process that is actually occurring (e.g. setting up an HTTPS connection and submitting the user's username and password over it) then that's not that bad, is it?
You have to give feedback to the user that something is happening. So I'm curious what else do you propose putting in its place?
tim: The actual use case is for a standard web page login. Millions of sites manage logins without a bogus progress bar. If you feel you must give the user some feedback, go ahead give them a "Logging in..." message after they hit the submit button. There's no need for a misleading progress bar or flat-out lying feel-good text.
@tim: If the feedback shown in that progress bar is accurate, then there is no harm in giving it. However, this progress bar is nothing more than a gif that is completely unconnected to what is going on at the back-end, and always shows those texts at constant interval regardless of how long it actually took to login. If they wanted to give accurate feedback rather than trying to fool customers with a fancy progress bar and security jargon, it would not be called "security theater" in the first place.
@tim - A suggestion might be use that 'spare time' to provide some guidance to the user logging in. Maybe "be aware of phishing scams" or "Are your programs up to date?"
This is pure smoke and mirrors which may be based on the reality of the https connection, but is clearly nothing more than a ruse to elicit ill-gotten confidence from the user.
I very much object to this - if their site actually has a problem and connects to cleartext HTTP instead of HTTPS, these gifs will still be shown.
Perhaps more importantly, any fake site set up to look like theirs has to do almost nothing to copy the "security messages" that users are trained to accept.
Everyone wants their internet to be as fast as it can be, so, when people connect to our bank, let's pretend they're on dialup.
My bank, zionsbank.com, switched to the SecureEntry login system several years ago, where you enter your username, get a picture back, if you recognize the picture, then you know you're on their site, instead of a phishing site, and you go ahead and enter the password. Besides the obvious security problems with that, the biggest issue is that they just trashed the system and didn't tell anyone. They claim that they sent me an email, but I don't find it anywhere. So after years of training us to use the picture-based system to ensure we're on the right site, the system changes with no note anywhere on the current site that it was changed. If you call and ask them about it, you hear that you should check your email more often.
"So I'm curious what else do you propose putting in its place?"
I propose something that doesn't train users to believe, "You can look at this gif to ensure that your connection is secure."
Making users believe that a meaningless message is an indication of security is potentially dangerous.
I always thought they were covering their slow login process with this message! Never realized it was just an animated image :)
I have to chime in with the lack of spline reticulation as well.
This may be a way to prevent brute-force attacks. They added a few seconds of delay to each login attempt, but how to make the customers understand that the web page hasn't crashed?
Easy: display an animated GIF! The text displayed is just marketing, and arguably better than a spinning egg timer.
Amusing. Reminds of the old Babylon 5 fan club web site. Someone had the brilliant idea of sticking an animated GIF on the side of the main page: showed a similar sequence of login, then "stopped" with a "connection terminated" message. Fans raised hell with JMS on Compuserve, complaining they couldn't get into the site, that its servers refused them.
But I guess Wells-Fargo will let you "in" no matter what. [grin]
"didn't tell anyone" who hiding from them.
I got a few emails and a couple letters about the switch.
Well it is a "CEO Portal", that's what's in the URL. So I guess the CEOs need security theater too, just like the commoners.
I would call it a security placebo. A placebo can be a great tool to lead people to the right direction if used correctly.
My point was that the gif can be used as a diversion while you wait for logons. The actual logon process seems to take longer than it should, which suggests that it includes a delay to prevent brute-force attacks.
The basic strategy is to make each logon take (for example) 2 seconds, in order to prevent scripts from attempting thousands of username/password combinations per second.
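The throttling idea in the comment above, as an added illustration (not code from the post or from Wells Fargo): every login attempt is padded to a fixed minimum wall-clock duration, whether the credentials are right, wrong, or for an unknown user, so a scripted guesser gets at most 1/floor attempts per second per connection and cannot tell outcomes apart by timing. The floor value, the user table and the password are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo credential store: username -> (salt, PBKDF2 hash).
# 10_000 iterations keeps the demo fast; use far more in production.
_ITERATIONS = 10_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}

# Assumed per-attempt floor. The comment's example is 2 s; 0.05 s keeps the demo quick.
MIN_SECONDS = 0.05
_DUMMY_SALT = b"\x00" * 16


def check_password(username: str, password: str) -> bool:
    """Constant-work check: unknown users still cost one PBKDF2 derivation."""
    record = USERS.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_derive(password, salt), stored)


def login(username: str, password: str, min_seconds: float = MIN_SECONDS):
    """Return (ok, elapsed). Every call lasts at least min_seconds, whatever the outcome.

    The padding sleep is what bounds guessing throughput; any client-side
    progress indicator is cosmetic and does nothing to enforce this.
    """
    start = time.monotonic()
    ok = check_password(username, password)
    remaining = min_seconds - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return ok, time.monotonic() - start


def max_attempts_per_second(min_seconds: float = MIN_SECONDS) -> float:
    """Upper bound on serial guesses per second imposed by the floor."""
    return 1.0 / min_seconds
```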
I noticed that Turbo Tax's site does the same thing. After you've already established an SSL session, and after entering your credentials a box pops up and says "Creating A Secure Connection..."
There's plenty of security theatre to be found in both the iphone and android app store too. I especially like the 'securely wipe your device' apps that have a nice, reassuring animated process while supposedly wiping the device but in fact do nothing.
I remember reading a study somewhere that people perceived the waiting time to be less if the application instead of showing a standard progress bar, showed messages saying what it was doing, even if the messages were bogus and had nothing to do with what was actually happening. It seems this would be the case here.
Each time I have logged in to the Wells Fargo site over the last two or three years, I have looked (somewhat skeptically) at that "establishing secure connection" message and idly wondered what it was about. I logged in today (April 9) and noticed that it no longer existed. There is still a message, but it is more "normal looking". It reads simply "Authentication in progress" and lasts only as long as it takes to open the page. So it seems that public exposure of security theater can have positive results.