Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Min Wu, Robert C. Miller and Greg Little, Symposium On Usable Privacy and Security

Slide 1: Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Min Wu, Robert C. Miller and Greg Little, Symposium On Usable Privacy and Security (SOUPS 2006)
Presenter: Lee Hyung Kyu (KAIST), 2008. 10. 28

Slide 2: Contents
- Introduction
- Related Work
- Web Wallet Design Principles
- User Interface
- Evaluation
- Conclusion
- Discussion

Slide 3: Introduction (1/3)
- Phishing
  - Steal consumers' personal identity data and financial account credentials [APWG]
  - Social engineering & technical subterfuge
- Growing phishing [APWG, Dec. 2005]
  - 15244 unique phishing attacks
  - 7197 unique phishing sites
  - 121 legitimate brands being hijacked
- cf. [APWG, Dec. 2007]
  - 25683 unique phishing attacks
  - 25328 unique phishing sites
  - 144 legitimate brands being hijacked
- White-List Approach with Anti-Phishing Web Crawler

Slide 4: Introduction (2/3)
- Problems
  - Appearance: users tend to decide a site's identity from how it looks
  - Opaque data: the web browser cannot tell whether submitted data is sensitive or not
  - Security indicator: located in a peripheral area of the browser

Slide 5: Introduction (3/3)
- Problems
  - Security is rarely a user's primary goal! Users focus on their current task
  - Sloppy but common web practices
    - IP addresses instead of hostnames
    - Domain names that are totally different from their brand names
    - Unprotected login pages
  - Simple warnings do not suggest good alternatives

Slide 6: Related Work (1/2)
- Dynamic Security Skins [R. Dhamija et al., "The Battle Against Phishing: Dynamic Security Skins" (SOUPS'05)]
  - Visual difference: use a randomly generated visual hash
- Limitations
  - Burden on users to notice the visual difference

Slide 7: Related Work (2/2)
- SpoofGuard [N. Chou et al., "Client-side defense against web-based identity theft" (NDSS'04)]
  - Heuristics: calculate a spoof index from several features
  - Warn users when a page has a high probability of being a spoof
- Limitations
  - High false positive rate
  - Many unnecessary warnings, which users can learn to ignore

Slide 8: Web Wallet: Design Principles (1/2)
- Get the user's intention
  - The user interface should bridge the gap between the user's mental model and the system model (the browser)
  - Help users transfer their real intention to the browser
- Submitting data
  - Data type: sensitive or not?
  - Data recipient: which site?
- Dedicated interface for sensitive information submission
  - Check whether the current site is good enough

Slide 9: Web Wallet: Design Principles (2/2)
- Integrate security into the workflow
  - Disable the sensitive input fields in web forms
  - Make the Web Wallet the only way to input sensitive data, so it does not depend on users remembering to use it
  - Incorporate security questions by helping users achieve their goals instead of stopping them
    - Do not use a generic warning ("Are you sure?")
    - Show the user a list of sites and let her choose

Slide 10: Web Wallet: User Interface (1/5)
- Form annotation
  - Use a Naïve Bayesian classifier and a Hidden Markov Model to search for login forms
  - Disable them and provide a login card instead
- Security key
  - Press the F2 key
  - Browse the site simply; pressing the key becomes habitual

Slide 11: Web Wallet: User Interface (2/5)
- Browser sidebar
  - Card presentation
  - Card folder, encrypted by a master password
  - A stored card is presented if it matches the web page request

Slide 12: Web Wallet: User Interface (3/5)
- Browser sidebar
  - New login card, if no stored card matches the web page request
    - Shows the domain name & site description
    - "Save Card" checkbox

Slide 13: Web Wallet: User Interface (4/5)
- Confirmation interface
  - Shown when the site is untrusted and the user has not logged in to it before
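As an added illustration (not the paper's or the presenter's code), the decision the sidebar makes on slides 11 to 13: present a matching stored card, offer a new login card with the domain name and site description, or fall back to the confirmation interface with a site list that includes the current site, as in the modified interface of slide 18. The card store, trust set, description table and site names are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class LoginCard:
    domain: str    # hostname the card was saved for (master-password encryption omitted)
    username: str


def page_domain(url: str) -> str:
    """Hostname of the page that is requesting credentials, lower-cased."""
    return (urlparse(url).hostname or "").lower()


def sidebar_state(url, cards, trusted=frozenset(), logged_in_before=frozenset(),
                  descriptions=None, include_current_site=True):
    """Decide which Web Wallet sidebar view to show for a page request.

    include_current_site=False reproduces the first interface (slide 17),
    whose site list omitted the current site; True is the modified interface.
    """
    descriptions = descriptions or {}
    dom = page_domain(url)
    matches = [c for c in cards if c.domain == dom]
    if matches:
        # Slide 11: a stored card matches the request, so present it.
        return {"state": "stored_card", "domain": dom, "cards": matches}
    if dom in trusted or dom in logged_in_before:
        # Slide 12: known site without a card -> new login card with Save Card box.
        return {"state": "new_card", "domain": dom,
                "description": descriptions.get(dom, "unknown site"), "save_card": True}
    # Slide 13: untrusted site never logged in to -> confirmation interface.
    site_list = {c.domain for c in cards}
    if include_current_site:
        site_list.add(dom)
    return {"state": "confirm", "domain": dom, "site_list": sorted(site_list)}


# Constructed sample wallet: two saved cards for hypothetical sites.
SAMPLE_CARDS = [LoginCard("www.bank.example", "john.smith"),
                LoginCard("mail.example", "john.smith")]
SAMPLE_TRUSTED = frozenset({"shop.example"})
SAMPLE_DESCRIPTIONS = {"shop.example": "Example online shop"}
```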

Slide 14: Web Wallet: User Interface (5/5)
- Negative visual feedback
  - Prevents the fake Web Wallet attack
  - Differentiates the web interface from the local interface

Slide 15: Evaluation (1/4)
- Simulated attacks
  - Normal attack
  - Undetected-form attack: the login form fails to be detected; countered by negative visual feedback
  - Online-keyboard attack
    - Bypass
    - Zooming character, flying icon
  - Fake-wallet attack: a wallet displayed by the web site; countered by negative visual feedback
  - Fake-suggestion attack: the user chooses the phishing site from the list

Slide 16: Evaluation (2/4)
- User study
  - 21 subjects (14 / 7)
  - Role: John Smith's assistant
- Spoof rate: the fraction of simulated attacks that successfully obtain his information

Slide 17: Evaluation (3/4)
- First interface: problems
  - The site list does not include the current site
  - Users type directly in the web form despite warnings

Slide 18: Evaluation (4/4)
- Modified interface: improvements
  - Add the current site to the site list
  - Always display a login card

Slide 19: Conclusion
- Web Wallet
  - Provides a dedicated interface for sensitive information
    - Spoof rate of normal attacks drops from 63% to 7%
  - Makes itself an integrated part of the user's workflow
    - The warning from the Web Wallet is no longer a weak signal
    - Encourages the user to choose her intended site using the site list

Slide 20: Discussion
- Pros
  - Improves on the existing anti-phishing tools
    - Lower spoof rate
    - Eliminates unnecessary warnings
  - Lowers the burden on users
    - Trial and error
- Cons
  - Undetected-form attack & fake-wallet attack
    - Negative visual feedback is ineffective
    - Image recognition
  - Pressing the F2 key
  - What kind of attacks are there in the remaining 7%?

Slide 21: Q & A
