
Forcing Johnny to Login Safely

Forcing Johnny to Login Safely. Amir Herzberg and Ronen Margulies, Bar Ilan University. Agenda: introduction (phishing, current defenses and user studies); psychology (principles of effective defense mechanisms); long-term user study and results; usability issues.


Presentation Transcript


  1. Forcing Johnny to Login Safely Amir Herzberg and Ronen Margulies Bar Ilan University

  2. Agenda • Introduction: phishing, current defenses & user studies • Psychology: principles of effective defense mechanisms • Long-term user study & results • Usability issues

  3. Some Phishing Numbers • Huge number of attacks (antiphishing.org) • $3.2 billion lost in the US alone in 2007 (Gartner) • Some recent cyber attacks • ‘Spear phishing’ at Lockheed Martin • DigiNotar – fraudulently issued SSL certificates for domains of the CIA, MI6, Mossad, Google, Facebook, Skype and Yahoo

  4. Current Defenses: Passive Indicators • Basic browser indicators • Name of site & CA (from certificate) • Warnings • User-custom text/image for site (e.g. Yahoo!’s sign-in seal)

  5. Previous Studies

  6. Goals, Method & Contribution • Goals: • Realistic evaluation of defense mechanisms • Find effective mechanisms, for both detection and prevention • Method: • Long-term experiment on a real-purpose system → awareness is not a problem • (More reliable) Results: • Highly effective new mechanisms, best results when combined • 82% detection rates • 93% overall resistance rates

  7. Agenda • Introduction: phishing, current defenses & studies • Psychology: principles of effective mechanisms • Long-term user study & results • Usability issues

  8. Users’ Responses on the Web • Click-whirr response: mindless response to a repeating situation [C08] • [KTW09]: click-whirr responses allow phishing • Automatic submission of credentials • Automatic following of links: email, sites, homepage • Most logins are not harmful → it’s easier to just skip checking passive indicators • Especially since users’ primary goal isn’t security! • Solutions? • Forcing functions • Negative training functions

  9. Forcing Functions • A forcing function prevents users from progressing with their task until they take a certain action • Term from the human reliability field • [KTW09] suggested them for usable security • Method: the site obliges users to take safe actions during each login • With sufficient training, the safe actions become click-whirr responses themselves • Examples of forcing-function login mechanisms: • Interactive custom indicators • Login bookmarks

  10. Interactive Custom Indicators • Force users to click them in order to login • Browser-side solution – Passpet [YS06] • Submits the password by clicking the custom pet image • Server-side solution – site hides the password textfield until the user clicks his custom image • Variation: several images on the login page

  11. Login Bookmarks • User must click the bookmark to login • Advantages: ensures the correct URL and SSL; gives prevention, not only detection • Suggested by Adida [A07], not yet tested • Bookmark contains a token, used as the 1st authenticator • Without a valid token, the site prevents the login • Password used as the 2nd authenticator • Combining with interactive custom images • The token enables displaying the correct image • Provides “defense-in-depth”: prevention + detection • Provides 2x2 (two-factor and two-sided) authentication

  12. Bookmark + Interactive Image Login Ceremony (sequence diagram; participants: Alice, Browser, mysite.com) • Alice types mysite.com/login.php; Browser sends GET /login.php to mysite.com • mysite.com replies “You should login via your bookmark”; Browser shows the message to Alice • Alice clicks the bookmark; Browser sends the bookmark’s secret token • mysite.com returns login.php + custom image; Browser displays it • Alice clicks the image; Browser enables password submission • Alice submits the password; Browser sends it to mysite.com

  13. Forcing Functions aren’t Enough • How to defeat forcing functions? • Bypass them with dangerous actions • E.g.: follow a link to a spoofed login page instead of clicking the bookmark • Needs training against dangerous actions • Negative training functions: make users experience failure when taking dangerous actions • Two mechanisms: • “Non-working” links in the site’s email announcements • “Non-working” account-entrance button on the site’s home page

  14. Agenda • Introduction: phishing, current defenses & studies • Psychology: principles of effective mechanisms • Long-term user study & results • Usability issues

  15. User Study • Online exercise submission system • ~400 computer science students • Used the system regularly for 3 semesters • Submitted exercises, received new-grade emails • Dozens to hundreds of logins per user • Each user was randomly assigned: • A login method: image only, bookmark only, bookmark+image, bookmark+4 images, none • An email method: no link, no link+warning, link

  16. Negative Training Functions • Bookmark & link users received “non-working” links • Error message at the site’s login page • Account-entrance button on the homepage • Worked for non-bookmark users • “Did not work” for bookmark users – same error message
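The ceremony of slides 11–13 and the negative training functions of slide 16 can be modelled as a small server-side state machine. The following is an added example, not the authors' code or the system used in the study; the class and function names, the study-arm strings, the decoy image names and the sample users are all assumptions made for illustration. It shows the bookmark token gating the login page (first authenticator), the custom image gating the password field (second authenticator), the home-page button "not working" for bookmark users, and why a spoofed page reached through a link cannot pass the user's own check.

```python
"""Simulation of the login-bookmark + interactive-custom-image ceremony.
Added example, not the authors' code; all names are illustrative assumptions."""
import hashlib
import hmac
import secrets

# Error shown to a bookmark user who arrives without a valid token
# (typed URL, email link, or the home-page account-entrance button).
BOOKMARK_MSG = "You should login via your bookmark"


class Site:
    """Server side.  The bookmark token is the first authenticator and selects
    the custom image; clicking that image reveals the password field, which
    carries the second authenticator."""

    def __init__(self, decoys=("cat", "boat", "tree")):
        self.decoys = list(decoys)   # constructed decoy images for the 4-image arm
        self.users = {}              # username -> record
        self.tokens = {}             # bookmark token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, image, method):
        """method is a study arm: 'none', 'image', 'bookmark', 'bookmark+image'
        or 'bookmark+4images'.  Returns the bookmark token (None if the arm has
        no bookmark); the user keeps it inside the bookmark URL."""
        salt = secrets.token_bytes(16)
        rec = {"salt": salt, "pw": self._hash(password, salt),
               "image": image, "method": method, "token": None}
        if method.startswith("bookmark"):
            rec["token"] = secrets.token_urlsafe(32)   # 256-bit random token
            self.tokens[rec["token"]] = username
        self.users[username] = rec
        return rec["token"]

    def login_page(self, username, token=None):
        """GET /login.php.  Returns a dict describing what the browser renders."""
        rec = self.users.get(username)
        if rec is None:
            return {"error": "unknown user"}
        if rec["method"].startswith("bookmark"):
            # Forcing function: without a valid token there is no login form.
            # (A real deployment would store only a hash of the token.)
            if token is None or self.tokens.get(token) != username:
                return {"error": BOOKMARK_MSG}
        page = {"user": username, "images": [], "password_enabled": False}
        if "image" in rec["method"]:
            imgs = [rec["image"]]
            if "4images" in rec["method"]:
                imgs += self.decoys
            page["images"] = secrets.SystemRandom().sample(imgs, len(imgs))
        else:
            page["password_enabled"] = True   # no interactive indicator in this arm
        return page

    def click_image(self, page, image):
        """Interactive custom indicator: only the user's own image reveals the
        password field.  Returns whether the field is now enabled."""
        if "error" in page:
            return False
        if image in page["images"] and image == self.users[page["user"]]["image"]:
            page["password_enabled"] = True
        return page["password_enabled"]

    def submit_password(self, page, password):
        """POST of the second authenticator; refused unless the ceremony ran."""
        if "error" in page or not page["password_enabled"]:
            return False
        rec = self.users[page["user"]]
        return hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw"])

    def home_page_button(self, username):
        """Account-entrance button on the home page (negative training function):
        works for non-bookmark users, 'does not work' for bookmark users."""
        return self.login_page(username, token=None)


class SpoofedSite:
    """Phishing page reached through a link instead of the bookmark.  It can copy
    the real site's look but knows neither the token nor the user's custom
    image, so it can only show a guessed one."""

    def login_page(self, username, token=None):
        return {"user": username, "images": ["generic-padlock"], "password_enabled": False}


def user_detects_spoof(page, my_image):
    """A trained user refuses to type the password unless their own image appears."""
    return "error" in page or my_image not in page["images"]


if __name__ == "__main__":
    site = Site()
    token = site.register("alice", "correct horse", "red-bicycle", "bookmark+4images")
    print(site.login_page("alice"))                        # typed URL: BOOKMARK_MSG
    page = site.login_page("alice", token)                 # bookmark click: 4 images
    site.click_image(page, "red-bicycle")                  # reveals password field
    print(site.submit_password(page, "correct horse"))     # True
    print(user_detects_spoof(SpoofedSite().login_page("alice"), "red-bicycle"))  # True
```

The two defenses compose as slide 11 describes: a phishing link, a replaced bookmark or the home-page button all land on the error page or on a page without the user's image, so the password field is never offered (prevention), and a spoofed page that does offer it shows the wrong image (detection).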

  17. Simulated Attacks • Each attack was triggered with low probability • Spoofed sites allowed login • Classic phishing attack • Malicious bookmark replacement • Spoofed home page attack • Pharming attack • (Recent) browsers display an error page

  18. Study Results – Detection Rates • Significant differences, best results when combined • Interactive custom image is highly effective • More than twice the detection rates of non-image users

  19. Users’ Response to Emails • Warnings don’t help • The login bookmark is only effective when combined with “non-working” links

  20. Spoofed Home Page Attack Results • Lower detection rates than other attacks • Users might highly trust the home page of a familiar site • Prevention gets higher importance • Almost all bookmark users tried to enter the site’s login page via its home page • All but two stopped trying after 5 attempts or fewer • Login bookmark + “non-working” account-entrance button = effective prevention

  21. Agenda • Introduction: phishing, current defenses & studies • Psychology: principles of effective mechanisms • Long-term user study & results • Usability issues

  22. Usability Survey • 72% want to use login bookmarks for high-value sites, 51% for medium-value sites • Bookmark setup → not much of an objection • Good willingness rates for interactive custom images • 60% did not feel more protected, most did not understand the purpose of their mechanisms • Contradiction with the good results → users don’t need a deep understanding of the mechanisms for the training to be effective → mechanisms are adequate for the general public → similar results expected for the general public (?)

  23. Conclusions • Long-term user study measuring the effectiveness of forcing-function and negative-training-function mechanisms • Interactive custom images doubled the detection rates • Login bookmarks + non-working links doubled the prevention rates • Combining all mechanisms: best detection (82%) and overall resistance (93%) rates • Most users are willing to use the mechanisms, especially for high-value sites • The mechanisms work even though many users did not understand their purpose

  24. Thank you!
