Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley.

Published byKelley Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley."— Presentation transcript:

1 The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley

2 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 3. General purpose graphics property 4. Golden arches property 5. Barn door property

3 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 3. General purpose graphics property 4. Golden arches property 5. Barn door property

4 Limited Human Skills Property Limited password recall Hard to parse domain names

5 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 1.Security is often the secondary goal 3. General purpose graphics property 4. Golden arches property 5. Barn door property

6 Users Don’t Check Certificates

7 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 3. General purpose graphics property 4. Golden arches property 5. Barn door property

8 Firefox Browser: 4 SSL indicators

9 Firefox browser - No unsecure indicators

10 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 3. General purpose graphics property 4. Golden arches property 1.Train users not to automatically trust a logo or brand 5. Barn door property

11 The golden arches property

12 Security Properties for Usability 1. Limited human skills property 2. Unmotivated users property 3. General purpose graphics property 4. Golden arches property 5. Barn door property

13 Strong Password Protocols Stanford Web PwdHash Password Authenticated Key Agreement –EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc… H(password, siteID)Password Protocol Password

14 Password Authenticated Key Agreement Advantages: –preserve familiar use of passwords user doesn’t need a trusted device secret stored in memory of the user –server doesn’t store password –no passwords sent over the network –user authentication (& mutual authentication) But how to enter the password?

15 Our Solution: Usability Goals User must be able to verify password prompt, before entering password Rely on human skills –To login, recognize 1 image & recall 1 password –To verify server, compare 2 images Hard to spoof security indicators

16 Trusted Password Window Dedicated window Trusted path  customization Random photo assigned or chosen Image stored in browser, do not have to go through server Image overlaid across window User recognizes image first –then enters password Password not sent to server

17 Security Indicators How can user distinguish secure windows? –Static indicators (SSL) Can be spoofed User do not really examine it –User customized indicators (Passmark/Petnames) Require extra efforts from the user –Automated customized indicators

18 Our Solution: Dynamic Security Skins  Automatically customize secure windows  Visual hashes – Random Art - visual hash algorithm – Generate unique abstract image for each authentication – Use the image to “skin” windows or web content – Browser generated or server generated

19 Browser Generated Images  Browser chooses random number and generates image  Can be used to modify border or web elements

20 Server Generated Images  Server & browser independently generate same image  Server can customize its own page

21 Conclusions Benefits: –Achieves mutual authentication –Resistant to phishing and spoofing –Relies on human skills Weaknesses: –Users must check images easier than checking a cert –Local storage of personal image reduces portability, requires security –Doesn’t address spyware, keyloggers

22 Status and Future Work Iterative design & “lo-fi” testing of interface Formal user study DSS Mozilla extension

23

24 Customized Indicators: Petname Toolbar

25 Automated Indicators: Secure Random Dynamic Boundaries

Download ppt "The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.

.NET Technology. Introduction Overview of.NET What.NET means for Developers, Users and Businesses Two.NET Research Projects:.NET Generics AsmL.
Passwords Don’t Get No Respect – Or, How to Make the Most of Weak Shared Secrets Burt Kaliski, RSA Laboratories DIMACS Workshop on Theft in E-Commerce.

Passwords Don’t Get No Respect – Or, How to Make the Most of Weak Shared Secrets Burt Kaliski, RSA Laboratories DIMACS Workshop on Theft in E-Commerce.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
1 Cypak core technology A new, cool and convenient way to identify your customers Combat fraud and keep your customer happy.

1 Cypak core technology A new, cool and convenient way to identify your customers Combat fraud and keep your customer happy.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Ho Ting Chung, Zeturl (52246962) 1.  Authentication  Encryption 2.

Ho Ting Chung, Zeturl ( ) 1.  Authentication  Encryption 2.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University

Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University

Similar presentations

Ads by Google