Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Rob Miller & Min Wu, User Interface Design Group, MIT CSAIL
TIPPI2 workshop, June 19, 2006
Presentation transcript:

Slide 1: Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Rob Miller & Min Wu, User Interface Design Group, MIT CSAIL
Joint work with Simson Garfinkel, Greg Little

Slide 2: Do Security Indicators Work?

Slide 3: Security Indicators Don’t Work
Users don’t know what to trust
- The web page often looks more credible than the indicator
Security is a secondary task
- Users don’t have to pay attention to the indicators, so they don’t
Indicators aren’t reliable
- Sloppy but common web practices make them inaccurate
Current indicators only say “don’t go there”
- So where should I go instead?

Slide 4: Our Approach: Web Wallet

Slide 5: Outline
Security toolbar study [CHI ’06]
Web Wallet [SOUPS ’06]
- Demo
- Design principles
- User study
Related work

Slide 6: Three Kinds of Toolbar Information
Neutral-information toolbars: SpoofStick, Netcraft Toolbar
System-decision toolbars: eBay’s Account Guard, SpoofGuard
SSL-verification toolbar: TrustBar

Slide 7: Study Design
The study should reflect the “secondary goal property” of security
- In real life, security is rarely a user’s primary goal
Users must be given tasks other than security
- “In this study, you are the personal assistant for John Smith. Here are 20 forwarded emails from him.”
Tasks involve security decisions
- John’s emails ask the user to manage his wish lists at various e-commerce sites, which requires logging in to the sites

Slide 8 (screenshot only)

Slide 9: Phishing Attacks in the Study
5 of the 20 emails are attacks, e.g.:
- Similar-name attack (targeting bestbuy.com)
- IP-address attack (targeting bestbuy.com)
- Hijacked-server attack (targeting bestbuy.com)

Slide 10: Results (chart of spoof rates for the neutral-information, system-decision and SSL-verification toolbars)

Slide 11: Why Were Users Fooled?
Users explain away indicators of attacks
- “a subdirectory of Yahoo, like mail.yahoo.com”
- sign.travelocity.com.zaga-zaga.us: “must be an outsourcing site [for travelocity.com].”
- (phishing for buy.com): “sometimes I go to a website and the site directs me to another address which is different from the one I have typed.”
- “I have been to sites that used IP addresses.”
- Potential fraudulent site: “it is triggered because the web content is ‘informal’, just like my spam filter says ‘this is probably a spam.’”
- New Site [BR]: “Yahoo must have a branch in Brazil.”

Slide 12: Why Were Users Fooled?
Users had the wrong security model
- “The site is authentic because it has a privacy policy, VeriSign seal, contact information, and the submit button says ‘sign in using our secure server’.”
- “If a site works well with all its links, then the site is authentic. I cannot imagine that an attacker will mirror a whole site.”
Security was not the primary goal
- “I noticed the warning. But I had to take the risk to get the task done.”
- “I did look at the toolbar but did not notice the warning under this attack.”

Slide 13: Why Do Security Indicators Fail?
The attack is more credible than the indicator
- The web page has richer cues than the browser toolbar
Security is a separate, secondary task
- The primary task wins
- A separate security task is ignored
Sloppy but common web practices allow the user to rationalize the attack
- Users do not know how to correctly interpret the toolbar display
Advising the user not to proceed is not the right approach
- We need to provide a safe path

Slide 14: Our Approach: Web Wallet
Redesign the browser UI so that the user’s intention is clear
- “Log in to bestbuy.com”
- “Submit my credit card to amazon.com”
Block the action if the user’s intention disagrees with its actual effect
- But offer a safe path to the user’s goal
Integrate security decisions into the user’s workflow
- So they can’t be ignored
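The core mechanism on this slide is a comparison: the user states where sensitive data should go, the browser looks at where the form actually sends it, and the submission is blocked (with a safe path offered) when the two disagree. The Python below is an added illustration of that comparison step, written for this transcript; it is not the Web Wallet's own code. It runs the check over constructed sample URLs shaped like the attacks in the study (a similar-name host such as sign.travelocity.com.zaga-zaga.us, a bare IP address, and an unrelated host). The functions, the verdict labels and the 203.0.113.5 address are assumptions made for the example, and the "last two DNS labels" shortcut for the registrable domain is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
"""
Intention-versus-effect check in the spirit of the Web Wallet slides.

Added example, not the Web Wallet's own code.  The user states an
intention ("log in to bestbuy.com"); the browser compares it with the
real destination of the form before any sensitive data leaves the page.
"""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption for this example only: real code should use the Public
    Suffix List, since names under suffixes like co.uk need three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_destination(intended_site: str, action_url: str) -> str:
    """Compare the user's stated intention with the form's actual target.

    Verdict labels (names chosen for this example):
      'match'        data goes to the intended site
      'ip-address'   target is a bare IP address rather than a domain name
      'similar-name' target merely contains the intended site's name,
                     e.g. sign.travelocity.com.zaga-zaga.us
      'unrelated'    target is some other domain entirely (this is what a
                     hijacked legitimate server looks like to this check)
    """
    host = urlsplit(action_url).hostname or ""
    intended = registrable_domain(intended_site)
    intended_label = intended.split(".")[0]

    try:
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass  # not an IP literal, so treat it as a host name

    if registrable_domain(host) == intended:
        return "match"
    if intended_label in host.lower():
        return "similar-name"
    return "unrelated"


def decide(intended_site: str, action_url: str) -> dict:
    """Block the submission on any mismatch and offer a safe path instead.

    The safe path is simply an HTTPS URL for the site the user said they
    wanted, which is the Wallet's "offer a safe path to the user's goal"
    principle rather than a bare "don't go there" warning.
    """
    verdict = classify_destination(intended_site, action_url)
    if verdict == "match":
        return {"verdict": verdict, "block": False, "safe_path": None}
    return {
        "verdict": verdict,
        "block": True,
        "safe_path": "https://" + intended_site.lower(),
    }


# Constructed sample submissions: (what the user intends, where the form posts).
SAMPLES = [
    ("bestbuy.com", "https://www.bestbuy.com/account"),
    ("travelocity.com", "https://sign.travelocity.com.zaga-zaga.us/login"),
    ("bestbuy.com", "http://203.0.113.5/bestbuy/signin"),  # TEST-NET address
    ("bestbuy.com", "https://mail.yahoo.com/"),
]


def run_samples() -> list:
    """Return (intended_site, action_url, verdict, blocked) for each sample."""
    results = []
    for intended, url in SAMPLES:
        d = decide(intended, url)
        results.append((intended, url, d["verdict"], d["block"]))
    return results


if __name__ == "__main__":
    for intended, url, verdict, blocked in run_samples():
        action = "BLOCK, offer " + decide(intended, url)["safe_path"] if blocked else "allow"
        print(f"{intended:16} -> {url:50} {verdict:13} {action}")
```

Only the 'match' row is allowed through; every other row is blocked and the user is pointed at the site they named. Note what this check cannot do: it cannot tell a genuinely hijacked legitimate server apart from any other unrelated host, and it says nothing about whether the intended site itself is trustworthy. That is why the Wallet pairs the comparison with its choosing interface rather than relying on the host name alone.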

Slide 15: Web Wallet demo

Slides 16 to 20 (demo screenshots only)

Slide 21: Web Wallet Design Principles
Determine the user’s intention
Respect that intention

Slide 22: Design Principles
Integrate the security UI into the user’s workflow
Improve usability as well as security

Slide 23: Design Principles
Use comparisons to put information in context
Ask the user to choose, not just “are you sure?”

Slide 24: Web Wallet User Study
Same scenario as the toolbar study
No tutorial
30 users
- Internet Explorer alone (10 users)
- Web Wallet (20 users)
5 phishing attacks
- IE group saw only similar-name attacks, e.g. spoofs of bestbuy.com
- Web Wallet group saw Wallet-specific attacks

Slide 25: Attacks Against the Web Wallet
1. Normal attack
2. Undetected-form attack
3. Onscreen-keyboard attack

Slide 26: Attacks Against the Web Wallet
4. Fake-wallet attack

Slide 27: Attacks Against the Web Wallet
5. Fake-suggestion attack

Slide 28: Results (chart only)

Slide 29: Which Features Helped?
The site description stopped 14 attacks (out of the 22 attacks where it was seen)
The choosing interface stopped 14 attacks (out of the 14 attacks where it was seen)

Slide 30: Spoof Rate by Attack Type (chart only)

Slide 31: Fake-Wallet Attack
The Web Wallet utterly failed to prevent the fake-wallet attack (spoof rate 64%)
Users had the wrong mental model for the security key
Spoofing is still a problem, since the Web Wallet itself can be spoofed
- Dynamic skin
- Personalized image
- Active observer?
“Press F2 before you do any sensitive data submission”
“Press F2 to open the Web Wallet”

Slide 32: Related Work
Dynamic security skins (Dhamija & Tygar)
Microsoft InfoCard (Cameron et al.)
PwdHash (Ross et al.)
Password Multiplier (Halderman et al.)
GeoTrust TrustWatch

Slide 33: Summary: Antiphishing UI Design Principles
Get the user’s intention
Respect that intention
Integrate security decisions into the user’s workflow
Compare-and-choose, don’t just confirm
More information at: