Users, Interfaces, and the Security of Search
A few weeks back ReadWriteWeb (RWW) published a short posting about a deal between AOL and Facebook to integrate Facebook chat with AOL Instant Messenger. RWW went on to discuss its opinion that Facebook was interested in becoming the social networking destination for users, and to prevent mass emigrations that previously struck MySpace and Friendster. In describing this, RWW used the term “one true login”, which would eventually lead to Google giving this blog post a very high position for anyone searching “Facebook login”, and in turn would lead to many confused users trying to login to RWW to get to Facebook. Exasperated Facebook users posted many comments like the following:
The new Facebook sucks> NOW LET ME IN
please give me back the old facebook login this is crazy……………..
Upon review, RWW noticed that traffic to this post was growing above and beyond what they were accustomed to, and that most referrers leading to this page were Google searches for “Facebook login”. In the aftermath, RWW and the security community at large have witnessed a real-world case study on the human factors of security, social engineering, and the trust placed in the familiarity of interfaces.
So what went wrong?
Awareness and Training
Instead of using www.facebook.com or a bookmark, a large number of users utilize their search engines to access well-known sites. Most searches will return benign results repeatedly when the same phrases are entered. But the nature of search engine optimization and the fluidity of rankings can mean that things like Google’s “I’m Feeling Lucky”, or the Firefox address bar default search capability, both of which navigate to the first search result returned, mean that users are placing an implicit trust in search engine rankings. Malware authors realize this and have consistently leveraged this to push malicious software onto users. Search engines are fantastic tools, but automatic navigation is dangerous if the top result is not static.
The second difficulty for users is interface familiarity, or rather a lack of it. Facebook has hundreds of millions of users from a wide spectrum of the population worldwide. With a userbase this large, it is inevitable that a significant quantity of them are not overly comfortable with the nuances of Facebook’s many buttons, menus, and capabilities. It is also inevitable that many users are not generally comfortable using computers at all. Adding to this confusion is Facebook’s relatively common practice of interface redesign. While adjusting layout, controls, and other visual elements is common practice in Web 2.0 development, it does generate a great deal of consternation for many users who are not quick to adapt to change. This is quite evident in the comments on RWW’s blog post, which largely had assumed that their normal means to reach Facebook (via a Google Search to “facebook login”) had led them to an unfamiliar interface, which they believed was another change to their familiar social site (as evidenced by comments like “WHY NOT JUST LEAVE IT ALONE!!!!!!!!!!!1111”).
The third pitfall, which I believe that RWW overlooked in their recap of this situation, is the unfamiliarity of federated login. Atop the RWW comment box is a single sign-on functionality for Facebook, Twitter, and OpenID. The Facebook conduit is Facebook Connect, which when clicked will present users with a familiar Facebook popup and an indication that the user is known by name. If users cannot understand that logging in to RWW via Facebook does not mean that they are on Facebook currently, then attackers mimicking this capability could easily bilk users out of credentials or other sensitive information. Therefore it should be no surprise that users who are capable of familiar computer use but otherwise slow to adapt to change would be confused by this whole scenario:
- They used their daily routine to find Facebook, via Google search.
- They appeared on a page that had a noticeably different appearance, but were accustomed to being forced into change.
- They were presented with an article about Facebook and AOL, which had an opening similar to a press release or general announcement.
- At the bottom of the page was a section to “Sign in with Facebook”, followed by a comment box — Facebook’s primary interface element.
This incident should not necessarily reflect negatively on any of the component parts. It is simply the reality of today’s Internet. Computers and information are accessible to more and more people everyday, and have cemented their place as a necessity for many, if only for entertainment or social value. However, they remain daunting and complex for large portions of the population, and the web itself is a cacophony of distinct user interfaces. Much of the work in security centers around user education and awareness, and improving these will face many challenges if this confluence of errors is any indication.