Presentation is loading. Please wait.

Presentation is loading. Please wait.

1.  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web.

Published byTheodore Newton Modified over 9 years ago

Similar presentations

Presentation on theme: "1.  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web."— Presentation transcript:

1 1

2  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web sites as fraudulent or legitimate using browser indicators.  Picture-in-picture attacks as effective as the homograph attack.  Extended validation did not help users identify either attack.  Reading help file makes real & fake websites seem legitimate when no phishing warning appears. 2 pgup014

3  What are Phishing Attacks?  Email + Victim + Deceptive website login = Stolen info  Picture-in-Picture attack  Homograph attack www.bankofthewest.com vs. www.bankofthevvest.com 3 pgup014

4  Commercially available Security toolbars  HTTPS encryption (HTTP + SSL/TLS encryption)  Normal certificates – only indicates owner controls a domain name.  Extended validation certificates – also attest to the identity of a legitimate business 4 pgup014

5  Familiarized users with 2 real websites. Classify random sequence of 12 websites as real or fake.  Divided 27 users into 3 groups:  Trained - about Extended Validation certificates & read IE 7 help file about address bar  Untrained – just shown Extended Validation certificates but no training  Controlled – Not shown extended validation certificates  Measured effect of:  extended validation certificates only at legitimate sites and  Reading a help file about security features in IE 7. 5 pgup014

6 6

7  Untrained extended validation group performed similarly to the control group on all tasks  Across all groups: picture-in-picture attacks were as effective as the homograph attack.  Extended validation did not help users identify either attack  When NO phishing warnings appear - trained participants more likely to classify both real AND fake web sites as legitimate. 7 pgup014

8  They say “extended validation could becomemore effective over time as it is adopted by more financial web sites and public awareness grows.“  Although at the time of study (September 2006) they did not observe that it had a significant effect on user behaviour.  No point stated on HOW extended validation could be a potential.  Instead stated wide spread use of extended validation is vulnerable to imitate its trust indicator. 8 pgup014

9  Authors mentioned “participants were invited to participate in a study involving “usability of online banking,” but were not told ahead of time that the study involved security.”  Many real attacks exploit psychology as much as technology.  I believe results were not affected by such factors:  Paranoia from participants.  External learning about online security. 9 pgup014

10  Is it advancement of a security mechanism OR  Users perception of a security mechanism over time that proves that given security mechanism is effective?  Thanks! 10 pgup014

Download ppt "1.  Usability study of phishing attacks & browser anti-phishing defenses – extended validation certificate.  27 Users in 3 groups classified 12 web."

Similar presentations

Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.

How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.

Phishing and Pharming New Identity Theft Threats Presentation by Jason Guthrie.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
1. The VeriSign brand2. Extended Validation SSL www.secure128.com.

1. The VeriSign brand2. Extended Validation SSL
How It Applies In A Virtual World

How It Applies In A Virtual World
Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007 SSL Security with Alpha Five App Server Protecting sensitive or personal data.

Alpha Five User Group, Bill Parker, SSL Security and WAS, July 2007 SSL Security with Alpha Five App Server Protecting sensitive or personal data.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA EMAIL LINKS 2.NEVER REVEAL YOUR PIN.

STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA LINKS 2.NEVER REVEAL YOUR PIN.
Phishing Rising to the challenge Amy Marasco Microsoft.

Phishing Rising to the challenge Amy Marasco Microsoft.
GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.
Web Spoofing John D. Cook Andrew Linn. Web huh? Spoof: A hoax, trick, or deception Spoof: A hoax, trick, or deception Discussed among academics in the.

Web Spoofing John D. Cook Andrew Linn. Web huh? Spoof: A hoax, trick, or deception Spoof: A hoax, trick, or deception Discussed among academics in the.
KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.

KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.

Similar presentations

Ads by Google