Written by Rachna Dhamija of Harvard and J.D. Tygar and Marti Hearst of Berkeley, the paper asserts that existing anti-phishing cues are ineffective. What most concerned the researchers was that PC users are not utilizing the secure sockets layer (SSL) indicators designed to help them determine a site's trustworthiness.
In a usability study, they found that 23 percent of participants only used a website's content to determine its legitimacy and an additional 36 percent used only content and domain name. Many of those that did use padlock and certificate indicators did not always understand how these work, and when presented with well-designed phishing sites, they were unable to identify them as fraudulent.
A different approach is needed in the design of website security systems, the researchers concluded.
"Rather than approaching the problem solely from a traditional cryptography-based security framework, a usable design must take into account what humans do well and what they do not do well," they wrote.
They offered several concrete suggestions to developers. Most pressing, they said, was the need for security indicators to appear when users are at an untrusted site - rather than just at trusted sites.
Users often forget about security indicators in their absence, which is often when they are most needed, Dhamija, Tygar and Hearst said.