Harvard and MIT have released the results of a study into online security indicators.
As the New York Times reports, the study showed that 58 out of 60 BoA customers happily continued on through their banking tasks, despite the SiteKey image being missing.
“The idea is that if customers do not see their [personalised SiteKey] image, they could be at a fraudulent Web site, dummied up to look like their bank’s, and should not enter their passwords.”
Although I haven’t read the paper, it is fairly obvious that more effort needs to go into user education. This is evident from the success of viruses and spyware - most of which now require the user to take some form of action (opening an attachment, or authorising an install) on modern up-to-date PCs.
Of course - social engineering comes into it, which is something so very difficult to teach people about. So many people also tend to “leave the brain at the door” when it comes to computers.
Perhaps some of the blame can be laid with the IT industry. In the end though, it really doesn’t matter how well you design a system. User education is the key.
On a side note:
It’s part of the reason why I’d love to implement Internet Licensing requirements. I’m only partly kidding by the way - some people should be banned from touching an internet connected computer.
(via Slashdot)
