Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie Mellon University

Presentation transcript:

Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie Mellon University

Everyday Security Problems Install this software?

Everyday Security Problems Setting File Permissions In 2003, one Senate Judiciary staffer found that files were readable to all users, rather than just to Democrats or Republicans. See Reeder et al., CHI 2008.

Everyday Security Problems Many Laptops with Sensitive Data being Lost or Stolen

Costs of Unusable Privacy & Security High Spyware, viruses, worms Too many passwords!!! People not updating software with patches Firewalls, WiFi boxes, and other systems easily misconfigured Less potential adoption of ubicomp systems (e.g. location-based services)

Usable Privacy and Security “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Grand Challenges in Information Security & Assurance Computing Research Association (2003) More research needed on how “cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches.” - Grand Challenges for Engineering National Academy of Engineering (2008)

Everyday Privacy and Security Problem

This entire process is known as phishing

Phishing is a Plague on the Internet Estimated $350m-$3b direct losses a year –Does not include damage to reputation, lost sales, etc –Does not include response costs (call centers, recovery) –Rapidly growing Spear-phishing and whaling attacks escalating –Steal sensitive corporate or military information

Phishing Becoming Pervasive Universities Online social networking sites (Facebook, MySpace) Social media (Twitter, World of Warcraft)

Project: Supporting Trust Decisions Goal: help people make better online trust decisions –Specifically in context of anti-phishing Large multi-disciplinary team project at CMU –Economics, computer science, public policy, human-computer interaction, social and decision sciences, machine learning, computer security

Our Multi-Pronged Approach Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Automate where possible, support where necessary

Impact of Our Work Game teaching people about phish played 100k times, featured in over 20 media articles Study on browser warnings -> Internet Explorer 8 Our filter is labeling several million emails per day Our evaluation of anti-phishing toolbars cited by several companies, presented to Anti-Phishing Working Group (APWG) PhishGuru embedded training has undergone field trials at three companies, a variant is in use by a large provider, and it is used in APWG’s takedown page

Our Multi-Pronged Approach Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm What do users know about phishing? Why do they fall for phish?

Interview Study Interviewed 40 Internet users (35 non-experts) “Mental models” interviews included role play and open-ended questions Brief overview of results (see papers for details) J. Downs et al. Decision Strategies and Susceptibility to Phishing. Symposium on Usable Privacy and Security. J. Downs et al. Behavioral Response to Phishing Risk. eCrime 2007.

Little Knowledge of Phishing Only about half knew meaning of the term “phishing” “Something to do with the band Phish, I take it.”

Little Attention Paid to URLs Only 55% of participants said they had ever noticed an unexpected or strange-looking URL Most did not consider them to be suspicious

Some Knowledge of Scams 55% of participants reported being cautious when email asks for sensitive financial info –But very few reported being suspicious of email asking for passwords Knowledge of financial phish reduced likelihood of falling for these scams –But did not transfer to other scams, such as an amazon.com password phish

Naive Evaluation Strategies The most frequent strategies don’t help much in identifying phish –This appears to be for me –It’s normal to hear from companies you do business with –Reputable companies will send emails “I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again.”

Summary of Findings People generally not good at identifying scams they haven’t specifically seen before People don’t use good strategies to protect themselves

Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists How to train people not to fall for phish?

PhishGuru Embedded Training A lot of training materials are boring and/or ignored Can we “train” people during their normal use of email to avoid phishing attacks? –Periodically, people get sent a training email by admins –Training email looks the same as a phishing attack –If the person falls for it, an intervention warns them and highlights what cues to look for, in a succinct and engaging format

Everyday Privacy and Security Problem

Learning science principles Learning by Doing Immediate feedback Conceptual-Procedural Knowledge

Evaluation of PhishGuru Is embedded training effective? Yes! –Study 1: Lab study, 30 participants –Study 2: Lab study, 42 participants –Study 3: Field evaluation at company, ~300 participants –Study 4: Ongoing at CMU, ~500 participants Will highlight first two studies. P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI. P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.

Intervention #1 – Diagram

Explains why they are seeing this message

Intervention #1 – Diagram Explains what a phishing scam is

Intervention #1 – Diagram Explains how to identify a phishing scam

Intervention #1 – Diagram Explains simple things you can do to protect self

Intervention #2 – Comic Strip

Embedded Training Evaluation #1 Lab study comparing our prototypes to standard security notices –Group A – Standard eBay, PayPal notices –Group B – Diagram that explains phishing –Group C – Comic strip that tells a story 10 participants in each condition (30 total) –Screened so we only have novices Go through 19 emails, 4 phishing attacks scattered throughout, 2 training emails too –Role play as Bobby Smith at Cognix Inc

Embedded Training Results

Existing practice of security notices not effective Diagram intervention somewhat better –Though people still fell for final phish Comic strip intervention worked best –Statistically significant –Combination of less text, graphics, story

Evaluation #2 New questions: –Do you have to fall for phishing for the training to be effective? –How well do people retain knowledge? Roughly same experimental protocol as before –Role play as Bobby Smith at Cognix Inc, go through 16 emails Embedded condition means they have to fall for our email Non-embedded means we just send the comic strip Suspicion means they got a warning about phish from a friend Control means they got no warnings or training –Also had people come back after 1 week

Results of Evaluation #2 Have to fall for phishing to be effective? How well do people retain knowledge after a week?

Discussion of PhishGuru Act of falling for phish is a teachable moment –Just sending the intervention is not effective PhishGuru can teach people to identify phish better –People retain the knowledge well –People aren’t resentful, many happy to have learned 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future “I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”

APWG Landing Page CMU helped Anti-Phishing Working Group develop landing page for phishing sites taken down Also a new data source for us –How long people keep going to phishing sites, where from

Phishguru.org Our site to teach general public more about phishing

Anti-Phishing Phil A game to teach people not to fall for phish –Embedded training is about email, this game is about the web browser –Based on learning science Goals –How to parse URLs –Where to look for URLs –Use search engines for help Try the game! S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

Anti-Phishing Phil

Evaluation of Anti-Phishing Phil Is Phil effective? Study 1: 56 people in lab study Study 1 protocol –Label 10 web sites as phish or legitimate –For 15 minutes (four conditions): Read printed materials on training Read printed copies of Phil’s tutorials Play Anti-Phishing Phil Check email or play solitaire (control) –Label 10 more web sites

Anti-Phishing Phil: Study 1 No statistical difference in false negatives (calling phish legitimate) between first three conditions

Anti-Phishing Phil: Study 1 Our game has significantly fewer false positives (labeling legitimate site as phish)

Evaluation of Anti-Phishing Phil Study 2: 4517 participants in field trial –Randomly selected from people Conditions –Control: Label 12 sites then play game –Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) Participants –2021 people in game condition, 674 did retention portion

Anti-Phishing Phil: Study 2 Novices showed most improvement in false negatives (calling phish legitimate)

Anti-Phishing Phil: Study 2 Improvement all around for false positives

Discussion of Anti-Phishing Phil For false negatives, Phil at least as effective as existing training, but much more fun Much better in terms of false positive rate –Don’t want people to delete all mails from Citibank –Just telling people about phish tends to make them paranoid, without ability to differentiate

Outline Human side –Interviews to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm Do people see, understand, and believe web browser warnings?

Screenshots Internet Explorer – Passive Warning

Screenshots Internet Explorer – Active Block

Screenshots Mozilla FireFox – Active Block

How Effective are these Warnings? Tested four conditions –FireFox Active Block –IE Active Block –IE Passive Warning –Control (no warnings or blocks) “Shopping Study” –Set up some fake phishing pages and added them to blacklists –We phished users after purchases (2 phish/user) –Real accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.

How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds

How Effective are these Warnings?

Discussion of Phish Warnings Nearly everyone will fall for highly contextual phish Passive IE warning failed for many reasons –Didn’t interrupt the main task –Slow to appear (up to 5 seconds) –Not clear what the right action was –Looked too much like other ignorable warnings (habituation) –Bug in implementation, any keystroke dismisses

Screenshots Internet Explorer – Passive Warning

Discussion of Phish Warnings Active IE warnings –Most saw but did not believe it “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” –Some element of habituation (looks like other warnings) –Saw two pathological cases

Screenshots Internet Explorer – Active Block

Internet Explorer 8 Re-design

A Science of Warnings See the warning? Understand? Believe it? Motivated? Refining this model for computer warnings

Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Can we automatically detect phish emails?

PILFER Anti-Phishing Filter Goal: Create a filter that detects phishing emails –Spam filters well-explored, but how good are they for phishing? –Can we do better? Example heuristics combined in a Random Forest –IP addresses in links –Age of linked-to domains (younger domains likely phishing) –Non-matching URLs (ex. most links point to PayPal, one does not) –“Click here to restore your account” I. Fette, N. Sadeh, A. Tomasic. Learning to Detect Phishing Emails. In WWW 2007.
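The four heuristics on this slide can be computed from a mail body without any network access, given a way to look up domain age. The block below is an added example, not PILFER's code or any code from the talk: it extracts the four features from two constructed HTML messages and counts how many heuristics fired, standing in for the trained Random Forest the slide describes. The WHOIS table, the reference date, the 30-day "young domain" threshold and the bait phrase list are all assumptions; a production filter would feed the feature vector to a trained classifier and query a real registration-date source.

```python
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed WHOIS stand-in: registrable domain -> registration date (hypothetical data;
# a real filter would query WHOIS or a passive-DNS source).
DOMAIN_REGISTERED = {
    "paypal.com": date(1999, 7, 15),
    "paypa1-secure-login.net": date(2008, 3, 1),
}
TODAY = date(2008, 3, 10)   # fixed reference date so the example is deterministic
YOUNG_DOMAIN_DAYS = 30      # assumption: "young" means registered within the last month

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOST_IN_TEXT = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
BAIT_PHRASES = ("click here", "restore your account", "verify your account", "suspended")


class LinkExtractor(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (fine for .com/.net; not a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])


def extract_features(html):
    parser = LinkExtractor()
    parser.feed(html)
    hosts = [urlparse(href).hostname or "" for href, _ in parser.links]

    # Heuristic 1: a link whose host is a bare IP address.
    ip_links = sum(1 for h in hosts if IPV4.match(h))

    # Heuristic 2: a link to a recently registered domain.
    young_domains = 0
    for h in hosts:
        registered = DOMAIN_REGISTERED.get(registrable_domain(h))
        if registered and (TODAY - registered).days < YOUNG_DOMAIN_DAYS:
            young_domains += 1

    # Heuristic 3: anchor text names one domain while the href points at another.
    mismatched = 0
    for (href, text), host in zip(parser.links, hosts):
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(0)) != registrable_domain(host):
            mismatched += 1

    # Heuristic 4: "click here to restore your account" style wording.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    bait = sum(1 for phrase in BAIT_PHRASES if phrase in plain)

    return {"ip_links": ip_links, "young_domains": young_domains,
            "mismatched_links": mismatched, "bait_phrases": bait}


def heuristic_votes(features):
    """Number of heuristics that fired; a stand-in for the trained Random Forest (assumption)."""
    return sum(1 for value in features.values() if value > 0)


# Constructed sample messages (not real mail).
PHISH = """<p>Dear customer, your account has been suspended.</p>
<p><a href="http://192.0.2.10/pp/login">Click here to restore your account</a> or visit
<a href="http://paypa1-secure-login.net/">www.paypal.com</a></p>"""

LEGIT = """<p>Your receipt for order 1234 is attached.</p>
<p>Manage your account at <a href="https://www.paypal.com/myaccount">www.paypal.com</a></p>"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("legit", LEGIT)):
        feats = extract_features(body)
        print(name, feats, "votes:", heuristic_votes(feats))
```

On the constructed phish all four heuristics fire (one IP link, one nine-day-old domain, one anchor text that says paypal.com but points elsewhere, three bait phrases); on the receipt none do. Counting votes is only a placeholder: the point of the Random Forest on the slide is that it learns which combinations of these features matter, so a legitimate newsletter with one "click here" is not penalised the way a plain vote count would.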

PILFER Evaluation PILFER is better at detecting phish, with few false positives Implemented as a SpamAssassin plugin Large-scale field trial underway –Millions of emails per day –Currently evaluating effectiveness of the filter

Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Can we improve phish detection of web sites?

Detecting Phishing Web Sites Industry uses blacklists to label phishing sites –But blacklists are slow to catch new attacks Idea: Use search engines –Scammers often directly copy web pages –But fake pages should have low PageRank on search engines –Generate a text-based “fingerprint” of web page keywords and send it to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS. Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW. G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.

Robust Hyperlinks Developed by Phelps and Wilensky to solve the “404 not found” problem Key idea was to add a lexical signature to URLs that could be fed to a search engine if the URL failed –Ex. How to generate the signature? –Found that TF-IDF was fairly effective Informal evaluation found five words was sufficient for most web pages

Fake: eBay, user, sign, help, forgot

Real: eBay, user, sign, help, forgot
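The two slides above make the point that a copied page carries the same five-word signature as the original, so the signal has to come from the search results, not from the signature itself. The block below is an added example of that signature-and-search loop (not the CANTINA implementation or any code from the talk). It assumes a tiny constructed index standing in for a search engine, with hypothetical page texts and rank scores, a short stop-word list, and a 30-result window; IDF is computed over that index, the signature is the five highest TF-IDF terms, and a page is called legitimate only if its own registrable domain appears among the pages the simulated engine returns for its signature.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

STOPWORDS = {"in", "your", "on", "and", "or", "for", "about", "to", "a", "the", "of"}
SIGNATURE_LEN = 5   # five words was enough for most pages (Phelps and Wilensky, per the slide)
TOP_N = 30          # how many search results to scan for the page's domain (assumption)

# Constructed stand-in for a search engine's index: url -> (page text, rank score).
# Every URL, text and score here is hypothetical.
INDEX = {
    "https://signin.ebay.com/": ("ebay sign in ebay user id sign in forgot your user id "
                                 "forgot your password help sign in help", 0.9),
    "https://www.ebay.com/help": ("ebay help center answers about buying and selling on ebay", 0.8),
    "https://www.paypal.com/signin": ("paypal log in email address password forgot your password", 0.9),
    "https://www.amazon.com/signin": ("amazon sign in email or phone password forgot your password", 0.9),
    "https://www.example.org/": ("example domain for use in documentation", 0.3),
}


def tokenize(text):
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


def document_frequency(index):
    df = Counter()
    for text, _ in index.values():
        df.update(set(tokenize(text)))
    return df


def lexical_signature(text, index=INDEX):
    """Top SIGNATURE_LEN terms of `text` by TF-IDF; IDF comes from the index."""
    tokens = tokenize(text)
    if not tokens:
        return []
    tf = Counter(tokens)
    df = document_frequency(index)
    scores = {}
    for term, count in tf.items():
        # Terms the index has never seen get the maximum IDF (treated as df = 1).
        idf = math.log(len(index) / max(df[term], 1))
        scores[term] = (count / len(tokens)) * idf
    return sorted(scores, key=lambda t: (-scores[t], t))[:SIGNATURE_LEN]


def search(terms, index=INDEX):
    """Simulated engine: pages containing every query term, best-ranked first."""
    hits = [(rank, url) for url, (text, rank) in index.items()
            if set(terms) <= set(tokenize(text))]
    return [url for _, url in sorted(hits, key=lambda h: -h[0])]


def registrable_domain(host):
    return ".".join(host.lower().split(".")[-2:])


def classify(url, page_text, index=INDEX):
    """CANTINA-style check: legitimate only if the page's own domain shows up in the results."""
    signature = lexical_signature(page_text, index)
    results = search(signature, index)[:TOP_N]
    page_domain = registrable_domain(urlparse(url).hostname or "")
    result_domains = {registrable_domain(urlparse(u).hostname or "") for u in results}
    return "legitimate" if page_domain in result_domains else "phish"


if __name__ == "__main__":
    real_text = INDEX["https://signin.ebay.com/"][0]
    print(lexical_signature(real_text))
    print(classify("https://signin.ebay.com/", real_text))
    # A verbatim copy hosted elsewhere has the same signature, but its domain is not in the results.
    print(classify("http://ebay-signin.example.net/login", real_text))
```

With this index the sign-in page's signature is {id, user, sign, ebay, help}, the real page is returned for it and classified legitimate, and the byte-identical copy on ebay-signin.example.net is classified phish because only ebay.com comes back. The same loop also shows the approach's known failure mode: a genuine page that the engine has not indexed yet (a brand-new shop, say) gets no results for its signature and is flagged as phish, which is why CANTINA combined this check with other heuristics rather than using it alone.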

Evaluating CANTINA PhishTank

Our Ongoing Work in Anti-Phishing Machine Learning of Blacklists –Given blacklists of URLs, can we apply content-based and URL-based approaches to accurately detect new phish? Blacklists can be thought of as labeled data –Early results show 87% true positive rate and 0.04% false positives, far better than any other heuristics Social Web + Machine Learning –PhishTank is a community site where people can submit and verify phish, five votes to verify –Can we use machine learning approaches to augment people’s votes? –Currently collecting data through Mechanical Turk

Summary Usable Privacy and Security –Grand challenge for computer science Whirlwind tour of our work on anti-phishing –Human side: effective training mechanisms –Computer side: better algorithms for detecting phish Lots more info at cups.cs.cmu.edu

Acknowledgments Alessandro Acquisti Lorrie Cranor Sven Dietrich Julie Downs Mandy Holbrook Norman Sadeh Anthony Tomasic Umut Topkara Supported by NSF, ARO, CyLab, Portugal Telecom Serge Egelman Ian Fette Ponnurangam Kumaraguru Bryant Magnien Elizabeth Nunge Yong Rhee Steve Sheng Yue Zhang

CMU Usable Privacy and Security Laboratory

Everyday Security Problems