An MIT and Harvard study (via Slashdot) finds that the SiteKey system employed by Bank of America, ING Direct and Yahoo!, among others, is likely ineffective at protecting users against fraudulent sites. The SiteKey system is based on assigning an image to a user’s account and presenting it before the user enters a password. If the SiteKey does not match the user’s account image, he/she should deduce that the site is not authentic and therefore not safe for entering private information. The results of the study (based on the Bank of America site and its users) show that a vast majority of people ignore the SiteKey clues, along with the often-overlooked HTTPS indicators. In fact, only 2 of the 25 (8%) participants using their own accounts, and none of the other 42, chose not to enter their passwords when the site-authentication image was replaced by an upgrade message.
Another interesting finding in the study was the contrast between the behavior of participants who were role playing for the study and that of participants who were actually entering their own sensitive information. Definitely worth a read; the final paper is set to appear at the IEEE Symposium on Security and Privacy, May 20-27, 2007, in Oakland, California.