YES. And a huge bank in the Netherlands recently found out.
Error messages are rarely given much thought by specifiers and analysts. They don’t really care about them. And when they are described, it is often from the viewpoint of the system, not the user.
We love to tell the user how stupid s/he is for not understanding the system. Think of messages like “Wrong date” or “Invalid e-mail address”. Or, even worse, the message contains a security leak.
The problem with the Dutch bank was that a code was required to log into the system. After three invalid attempts the account was blocked and an error message was returned, something like: “Your account is blocked”. However, if you then tried again with the correct code, the error message was different: “This code is blocked”. An easy target for a brute force attack, because the differing message tells you when you have found the correct code.
Lesson to be learned:
Error messages are important! As this example shows, they were the weakest security link. And not only in this situation: most of the time users find themselves in a situation they did not mean to be in, and they need assistance from the error messages. So let’s give it to them, and pay a bit more attention to the error message.
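To make the lesson concrete, here is an added example (not code from the bank or from the original post) of the two login designs side by side: a leaky handler that reproduces the behaviour described above, and a hardened one that answers every failed attempt on a locked account with the same message while recording the real reason in a server-side audit trail. The account, the sample code `4711`, the wrong codes and the message texts are all constructed for the illustration; a real system would store a hash of the code rather than the code itself.

```python
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # lock after three invalid attempts, as in the post


@dataclass
class Account:
    code: str                      # constructed sample secret (real systems store a hash)
    failures: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)   # server-side log, never shown to the user


def login_leaky(acct: Account, supplied: str) -> str:
    """'Before' design: once locked, the message still depends on whether the code is right."""
    if acct.locked:
        if hmac.compare_digest(acct.code, supplied):
            return "This code is blocked"          # only seen when the code is correct
        return "Your account is blocked"
    if hmac.compare_digest(acct.code, supplied):
        return "Welcome"
    acct.failures += 1
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked = True
        return "Your account is blocked"
    return "Wrong code"


GENERIC_FAILURE = "Login failed. If the problem persists, please contact support."


def login_uniform(acct: Account, supplied: str) -> str:
    """Hardened design: lock check first, one generic user-facing message for every failure.

    The detailed reason goes to the audit list for operators, so the user still
    gets help (a support pointer) without the response revealing anything about
    the supplied code.
    """
    if acct.locked:
        acct.audit.append("attempt on locked account")
        return GENERIC_FAILURE
    if hmac.compare_digest(acct.code, supplied):
        acct.failures = 0
        acct.audit.append("login ok")
        return "Welcome"
    acct.failures += 1
    acct.audit.append(f"wrong code, failure {acct.failures}")
    if acct.failures >= MAX_ATTEMPTS:
        acct.locked = True
        acct.audit.append("account locked")
    return GENERIC_FAILURE


def distinguishable_after_lock(login, code="4711",
                               wrong_codes=("0000", "1111", "2222")) -> bool:
    """Defender-side check: after lockout, does the response differ between
    a wrong code and the correct one?  True means the handler leaks."""
    acct = Account(code=code)
    for w in wrong_codes:              # drive the account into the locked state
        login(acct, w)
    assert acct.locked
    messages = {login(acct, w) for w in wrong_codes}
    messages.add(login(acct, code))
    return len(messages) > 1


if __name__ == "__main__":
    print("leaky handler leaks:  ", distinguishable_after_lock(login_leaky))    # True
    print("uniform handler leaks:", distinguishable_after_lock(login_uniform))  # False
```

The `distinguishable_after_lock` check is the kind of test worth keeping in a login service's test suite: it drives an account into the locked state and then asserts that the user-visible response is identical for right and wrong codes. The hardened handler keeps the detailed reason in `acct.audit`, which is where an incident responder would want it, not in the message shown to whoever is typing at the login form.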