C MU U sable P rivacy and S ecurity Laboratory Protecting People from Phishing: The Design and Evaluation of an Embedded Training.

Slides:



Advertisements
Similar presentations
P ASSWORD S ECURITY. I F SOMEONE HAS YOUR PASSWORD, EITHER FROM YOU GIVING IT OUT OR THEM FIGURING OUT, THEY COULD : 1.Send abusive or threatening .
Advertisements

All Your Contacts Are Belong to Us: Automated Identity Theft Attacks on Social Networks Reporter : 鄭志欣 Advisor: Hsing-Kuo Pao Date : 2010/12/06 1.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
CSCD 303 Essential Computer Security Winter 2014 Lecture 3 - Social Engineering1 Phishing Reading: See links at end of lecture.
C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.
Social media threats. Warning! May contain mild peril.
Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.
1 What is Phishing? …listening to music by the band called Phish or perhaps …a hobby, sport or recreation involving the ocean, rivers or streams…nope.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
The Importance of Being Earnest [in Security Warnings] Serge Egelman (UC Berkeley) Stuart Schechter (Microsoft Research)
Internet Phishing Not the kind of Fishing you are used to.
Malicious Attacks By Chris Berg-Jones, Ethan Ungchusri, and Angela Wang.
CyLab Usable Privacy and Security Laboratory 1 C yLab U sable P rivacy and S ecurity Laboratory Introduction.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Yue Zhang University of Pittsburgh Jason I. Hong, Lorrie F. Cranor Carnegie Mellon University.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
C MU U sable P rivacy and S ecurity Laboratory 1 Privacy Policy, Law and Technology Search Engines and Social Networks October.
October is National Cyber Security Month OIT and IT providers are launching an awareness campaign to provide tips and resources to help you stay safe online.
Jason Hong, PhD Carnegie Mellon University Wombat Security Technologies Teaching Johnny Not to Fall for Phish.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
CMU Usable Privacy and Security Laboratory A Brief History of Semantic Attacks or How Not to Get Screwed Online Serge Egelman.
CyLab Usable Privacy and Security Laboratory C yLab U sable P rivacy and S ecurity Laboratory Statistical.
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Designing user studies February.
Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
C MU U sable P rivacy and S ecurity Laboratory Making privacy visible Lorrie Faith Cranor October 19, 2007.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
CMU Usable Privacy and Security Laboratory Power Strips, Prophylactics, and Privacy, Oh My! Julia Gideon, Serge Egelman, Lorrie.
Usable Privacy and Security Jason I. Hong Carnegie Mellon University.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 Course Overview January 16, 2007.
Verma - ICISS 2014 R easoning M ining NLP Defense Rakesh M. Verma ReMiND Laboratory Catching Classical and Hijack-based Phishing Attacks.
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen
INTRODUCTION Coined in 1996 by computer hackers. Hackers use to fish the internet hoping to hook users into supplying them the logins, passwords.
Presented By Jay Dani.  Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine,
User Interfaces and Algorithms for Fighting Phishing Jason I. Hong Carnegie Mellon University.
Security Smackdown: End-User Awareness Programs vs. Technology Solutions Justin Klein Keane Christine Brisson University of Pennsylvania School of Arts.
Visual-Similarity-Based Phishing Detection Eric Medvet, Engin Kirda, Christopher Kruegel SecureComm 2008 Sep.
KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.
Reliability & Desirability of Data
Adam Soph, Alexandra Smith, Landon Peterson. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details.
P RIVACY I N SOCIAL NETWORKING SITES Presented by Shikha Saini u
11 CANTINA: A Content- Based Approach to Detecting Phishing Web Sites Reporter: Gia-Nan Gao Advisor: Chin-Laung Lei 2010/6/7.
Anti-Phishing Approaches Lifeng Hu
11th WATCH: Security, Privacy, and Usability: Better Together Lorrie Cranor Computer Science & Engineering Science Policy Carnegie Mellon University THURSDAY.
11 A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval Reporter: 林佳宜 /10/17.
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
C MU U sable P rivacy and S ecurity Laboratory User Interfaces and Algorithms for Fighting Phishing Steve Sheng Doctoral Candidate,
CCT355H5 F Presentation: Phishing November Jennifer Li.
Phishing Internet scams. Phishing phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and.
BY : MUHAMMAD KHUZAIMI B. ISHAK 4 ADIL PUAN MAZITA INFORMATION AND COMMUNICATION OF TECHNOLOGY.
Phishing: Trends and Countermeasures Blaine Wilson.
How Phishing Works Prof. Vipul Chudasama.
Inappropriate Content Hackers Phishers Scammers Child Abusers Bullies.
Usable Privacy and Security and Mobile Social Services Jason Hong
C MU U sable P rivacy and S ecurity Laboratory Trust and Semantic attacks Ponnurangam Kumaraguru (PK) Usable, Privacy, and Security.
Usable Privacy and Security Carnegie Mellon University Spring 2008 Lorrie Cranor 1 Usable Privacy and Security.
1.  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web.
Extra Credit Presentation: Allegra Earl CSCI 101 T 3:30.
BY CONOR DALY Public Trust Online. What is E-commerce? The buying and selling of products and services by businesses and consumers through an electronic.
Important Information Provided by Information Technology Center
Done by… Hanoof Al-Khaldi Information Assurance
ISYM 540 Current Topics in Information System Management
Phishing, what you should know
Protect Your Computer Against Harmful Attacks!
CSCD 303 Essential Computer Security Fall 2017
Ethics Tutorial Assignment#2
Teaching you NOT to fall for Phish
Course Overview January 16, 2007.
Presentation transcript:

C MU U sable P rivacy and S ecurity Laboratory Protecting People from Phishing: The Design and Evaluation of an Embedded Training System P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, E. Nunge

Phishing

Subject: eBay: Urgent Notification From Billing Department

Phishing We regret to inform you that you eBay account could be suspended if you don’t update your account information.

Phishing fy&co_partnerid=2&sidteid=0

Phishing website

C MU U sable P rivacy and S ecurity Laboratory 7 What is phishing? Phishing is “a broadly launched social engineering attack in which an electronic identity is misrepresented in an attempt to trick individuals into revealing personal credentials that can be used fraudulently against them.” Financial Services Technology Consortium. Understanding and countering the phishing threat: A financial service industry perspective

C MU U sable P rivacy and S ecurity Laboratory 8 Phishing is growing 73 million US adults received more than 50 phishing s a year in 2005 Gartner found approx. 30% users changed online banking behavior because of attacks like phishing in 2006 Gartner predicted $2.8 billion loss in 2006

C MU U sable P rivacy and S ecurity Laboratory 9 Why phishing is a hard problem? Semantic attacks take advantage of the way humans interact with computers Phishing is one type of semantic attack Phishers make use of the trust that users have on legitimate organizations

C MU U sable P rivacy and S ecurity Laboratory 10 Counter measures for phishing Silently eliminating the threat Regulatory & policy solutions filtering (SpamAssasin) Warning users about the threat Toolbars (SpoofGuard, TrustBar) Training users not to fall for attacks

C MU U sable P rivacy and S ecurity Laboratory 11 Why user education is hard? Security is a secondary task (Whitten et al.) Users are not motivated to read privacy policies (Anton et al.) Reading existing online training materials creates concern among users (Anandpara et al.)

C MU U sable P rivacy and S ecurity Laboratory 12 Our hypotheses Security notices are an ineffective medium for training users Users make better decision when trained by embedded methodology compared to security notices

C MU U sable P rivacy and S ecurity Laboratory 13 Design constraints People don’t proactively read the training materials on the web Organizations send “security notices” to train users and people don’t read security notices People can learn from web-based training materials, if only we could get people to read them! (Kumaraguru, 2006) P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. Tech. rep., Cranegie Mellon University,

C MU U sable P rivacy and S ecurity Laboratory 14 Embedded training We know people fall for phishing s So make training available through the phishing s Training materials are presented when the users actually fall for phishing s

Embedded training example Subject: Revision to Your Amazon.com Information

Embedded training example Subject: Revision to Your Amazon.com Information Please login and enter your information

Comic strip intervention

C MU U sable P rivacy and S ecurity Laboratory 18 Design rationale What to show in the intervention? When to show the intervention? Analyzed instructions from most popular websites Paper and HTML prototypes, 7 users each Lessons learned Two designs Present the training materials when users click on the link

Comic strip intervention

Intervention #1 - Comic strip

Intervention #2 - Graphics and text

C MU U sable P rivacy and S ecurity Laboratory 24 Study design Think aloud study Role play as Bobby Smith, 19 s including 2 interventions, and 4 phishing s Three conditions: security notices, text / graphics intervention, comic strip intervention 10 non-expert participants in each condition, 30 total

Intervention #1 - Security notices

C MU U sable P rivacy and S ecurity Laboratory 26 Intervention #2 - Graphics and text

Intervention #3 - Comic strip

PhishTraining Legitimate Spam

C MU U sable P rivacy and S ecurity Laboratory 29 User study - results We treated clicking on link to be falling for phishing 93% of the users who clicked went ahead and gave personal information

C MU U sable P rivacy and S ecurity Laboratory 30 User study - results

C MU U sable P rivacy and S ecurity Laboratory 31 User study - results Significant difference between security notices and the comic strip group (p-value < 0.05) Significant difference between the comic and the text / graphics group (p-value < 0.05)

C MU U sable P rivacy and S ecurity Laboratory 32 Conclusion H1: Security notices are an ineffective medium for training users Supported H2: Users make better decision when trained by embedded methodology compared to security notices Supported

Latest comic strip design

C MU U sable P rivacy and S ecurity Laboratory 34 Ongoing work Measuring knowledge retention and knowledge transfer Knowledge retention is the ability to apply the knowledge gained from one situation to another same or similar situation after a time period Knowledge transfer is the ability to transfer the knowledge gained from one situation to another situation after a time period Is falling for phishing necessary for training?

C MU U sable P rivacy and S ecurity Laboratory 35 Coming up WWW 2007 CANTINA: A Content-Based Approach to Detecting Phishing Web Sites Learning to Detect Phishing s Our other research in anti-phishing Symposium On Usable Privacy and Security (SOUPS), July , 2007 at Carnegie Mellon University

C MU U sable P rivacy and S ecurity Laboratory 36 Acknowledgements Members of Supporting Trust Decision research group Members of CUPS lab

C MU U sable P rivacy and S ecurity Laboratory

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.