Challenges: Simon Says
July 23, 2005 by Ping

Time for another challenge. Today, I’d like to describe what I call the “Simon Says” problem.
A Simon Says problem occurs when the safe course of action requires the user to respond to the absence of a stimulus.
(“Simon Says” refers to the children’s game in which a leader calls out commands to a group of players. Any command that begins with “Simon says” must be followed, and any command that does not begin with “Simon says” must not be followed. If the leader says “Simon says, touch your toes,” anyone who doesn’t touch their toes immediately is out of the game, but if the leader says only “Touch your toes,” anyone who touches their toes is out of the game.)
Typically a leader will try to catch people out with a rapid-fire series of “Simon says” commands to get players into the habit of responding quickly, then a plain command. What makes the game tricky is that the players have to notice the absence of the words “Simon says.” Noticing the absence of something is tricky, especially if the missing thing is unrelated to the primary task (in the case of the game, the words “Simon says” are unrelated to the command).
User interfaces often present a similar challenge. When an interface has some sort of security indicator (like a padlock icon, for example), the indicator really means “You can do things normally,” and when the indicator is missing the user is supposed to be cautious. That’s a Simon Says problem.
Visa’s “Verified by Visa” program, which adds an extra password-checking step to online credit card purchases, tries to fight spoofing by asking the user to supply a secret phrase that will be displayed on password forms. The idea is that only Visa knows the secret phrase, so if you see the phrase you know that it’s really Visa asking for your password, not an impostor. Visa isn’t the only one — several financial institutions are trying out schemes like this. But again, such schemes present the user with a Simon Says problem. The absence of the secret phrase is supposed to cause the user to mentally sound the alarm.
The “Simon Says” game and login-spoofing attacks both exploit an especially severe form of the Simon Says problem, in which the user is expected to respond to the absence of something with the absence of an action. Such a situation is doubly troublesome for humans.
Phishing attacks combine the Obedience to Authority problem with the Simon Says problem. In order for a user to successfully evade a phishing attack, using current browsers or even with many of the proposed anti-phishing tools, a very weak stimulus (the lack of something) has to override a strong impulse (the compulsion to obey an authority). The odds are stacked against the user.
Is a Simon Says problem solved simply by inverting the sense of the indicator? Sometimes, but it might not be that easy. For example, if browsers showed a lack-of-encryption indicator instead of an encryption-present indicator, that would probably be an improvement. But since (at least for now) most web sessions are not encrypted, the lack-of-encryption indicator would be on most of the time. A loud indicator such as the one shown by TrustBar might come to be ignored after a while. And a warning dialog would be next to useless, since many users have had lots of practice clicking “OK” as quickly as possible without reading. A better strategy might be to always show some type of indicator and have it look obviously right when things are right and obviously wrong when things are wrong.
July 23rd, 2005 at 05:03
Nothing Causes Action
Gregory Bateson pointed out long ago that Nothing can be a cause. So the non-arrival of a message may convey significant information. (As Bateson puts it, it is “a difference that makes a difference”.)
July 23rd, 2005 at 09:07
It can, but I claim it’s a terrible way to convey information to humans.