Dynamic Security Skins, or DSS, emerged about one year ago and sparked some debate in several places. Some criticized DSS because its effectiveness depended on widespread adoption by both browser developers and web site owners. That was unlikely, and it has not happened yet.
I was reminded of DSS by the depressing results of this survey pointed out by Bruce Schneier here. Phishing works!
This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent.
We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
I don’t think DSS is a bad idea for fighting phishing, and there could be situations where it would be a very good solution. Nonetheless, I very much doubt the reliability of a one-size-fits-all approach where security is involved.
For example, the trust relationship between a bank’s customer and the bank’s web site should be built, nurtured and fostered by both parties, and that takes more than simply displaying some visual indicators. It should involve out-of-band communications, face time, proactive customer service and so on.