Forcing Johnny to Login Safely
Amir Herzberg and Ronen Margulies, Bar Ilan University
Agenda
• Introduction: phishing, current defenses & user studies
• Psychology: principles of effective defense mechanisms
• Long-term user study & results
• Usability issues
Some Phishing Numbers
• Huge number of attacks (antiphishing.org)
• $3.2 billion lost in the US only in 2007 (Gartner)
• Some recent cyber hacks
  • ‘spear phishing’ @ Lockheed Martin
  • DigiNotar – stolen SSL certificates of CIA, MI6, Mossad, Google, Facebook, Skype and Yahoo
Current Defenses: Passive Indicators
• Basic browser indicators
  • Name of site & CA (from certificate)
• Warnings
• User-custom text/image for site (e.g. Yahoo!’s sign-in seal)
Goals, Method & Contribution
• Goals:
  • Realistic evaluation of defense mechanisms
  • Find effective mechanisms, detection and prevention
• Method:
  • Long-term experiment, real-purpose system → awareness is not a problem
• (More reliable) Results:
  • Highly effective new mechanisms, best results when combined
  • 82% detection rates
  • 93% overall resistance rates
Agenda
• Introduction: phishing, current defenses & studies
• Psychology: principles of effective mechanisms
• Long-term user study & results
• Usability issues
Users’ Responses on the Web
• Click-whirr response: mindless response to a repeating situation [C08]
• [KTW09]: click-whirr responses allow phishing
  • Automatic submission of credentials
  • Automatic following of links: email, sites, homepage
• Most logins are not harmful → it’s easier to just skip checking passive indicators
  • Especially since users’ primary goal isn’t security!
• Solutions?
  • Forcing functions
  • Negative training functions
Forcing Functions
• A forcing function prevents users from progressing with their task until they take a certain action
  • Term from the human reliability field
  • [KTW09] suggested them for usable security
• Method: the site obligates users to take safe actions during each login
  • With sufficient training, these will become click-whirr responses themselves
• Examples of forcing-function login mechanisms:
  • Interactive custom indicators
  • Login bookmarks
Interactive Custom Indicators
• Force users to click them in order to login
• Browser-side solution – Passpet [YS06]
  • Submits the password by clicking the custom pet image
• Server-side solution – the site hides the password text field until the user clicks his custom image
  • Variation: several images on the login page
Login Bookmarks
• User must click on the bookmark to login
• Advantages: assures correct URL, SSL, prevention
• Suggested by Adida [A07], not yet tested
• Bookmark contains a token, used as 1st authenticator
  • Without a valid token, the site prevents the login
  • Password used as 2nd authenticator
• Combining with interactive custom images
  • Token enables displaying the correct image
  • Provides “defense-in-depth”: prevention + detection
  • Provides 2x2 (two-factor and two-sided) authentication
Bookmark + Interactive Image Login Ceremony (parties: Alice, Browser, mysite.com)
• Alice types mysite.com/login.php into the browser
• Browser → mysite.com: GET /login.php
• mysite.com → Browser → Alice: “You should login via your bookmark”
• Alice clicks the bookmark
• Browser → mysite.com: secret token
• mysite.com → Browser → Alice: login.php + custom image
• Alice clicks the image
• Browser enables password submission
• Alice submits the password
• Browser → mysite.com: password
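The ceremony above as a runnable model, written as an added example and not the authors' code; the site name mysite.example, the token format, the dict-shaped page responses and the `LoginServer`/`login_via_bookmark` names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

class LoginServer:
    """Site side: bookmark token = 1st authenticator, password = 2nd authenticator."""

    def __init__(self):
        self.accounts = {}   # username -> {"image", "password", "clicked"} (password in clear only for brevity)
        self.tokens = {}     # bookmark token -> username

    def register(self, user, image, password):
        token = secrets.token_urlsafe(16)
        self.accounts[user] = {"image": image, "password": password, "clicked": False}
        self.tokens[token] = user
        # The URL the user is told to bookmark; the token ties it to the account.
        return f"https://mysite.example/login.php?token={token}"

    def get_login_page(self, token=None):
        """GET /login.php: refuse without a valid token (typed URL, followed link),
        otherwise show the user's image with the password field still hidden."""
        user = self.tokens.get(token)
        if user is None:
            return {"status": "refused", "message": "You should login via your bookmark"}
        return {"status": "ok", "image": self.accounts[user]["image"], "password_field": "hidden"}

    def click_image(self, token):
        """The forcing function: clicking the custom image enables password submission."""
        user = self.tokens.get(token)
        if user is None:
            return False
        self.accounts[user]["clicked"] = True
        return True

    def submit_password(self, token, password):
        """2nd authenticator; accepted only after a valid token and an image click."""
        user = self.tokens.get(token)
        if user is None or not self.accounts[user]["clicked"]:
            return False
        self.accounts[user]["clicked"] = False      # one click enables one submission
        return hmac.compare_digest(self.accounts[user]["password"].encode(), password.encode())

def login_via_bookmark(server, bookmark_url, password):
    """Walks the ceremony as Alice's browser would and reports the outcome."""
    token = parse_qs(urlparse(bookmark_url).query).get("token", [None])[0]
    page = server.get_login_page(token)
    if page["status"] != "ok":
        return page["message"]
    server.click_image(token)
    return "logged in" if server.submit_password(token, password) else "wrong password"
```

A typed URL or a followed link carries no token, so the site never shows the image or accepts a password on that path; only the bookmark path reaches the second authenticator.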
Forcing Functions aren’t Enough
• How to defeat forcing functions?
  • Bypass them with dangerous actions
  • E.g.: follow a link to a spoofed login page instead of clicking the bookmark
• Needs training against dangerous actions
  • Negative training functions: make users experience failure with dangerous actions
• Two mechanisms:
  • “Non-working” links in the site’s email announcements
  • “Non-working” account-entrance button in the site’s home page
Agenda
• Introduction: phishing, current defenses & studies
• Psychology: principles of effective mechanisms
• Long-term user study & results
• Usability issues
User Study
• Online exercise submission system
  • ~400 computer science students
  • Used the system regularly for 3 semesters
  • Submitted exercises, received new-grade emails
  • Dozens to hundreds of logins per user
• Each user was randomly assigned:
  • A login method: image only, bookmark only, bookmark+image, bookmark+4 images, none
  • An email method: no link, no link+warning, link
Negative Training Functions
• Bookmark & link users received “non-working” links
  • Error message at the site’s login page
• Account-entrance button at the homepage
  • Worked for non-bookmark users
  • “Did not work” for bookmark users – same error message
Simulated Attacks
• All attacks invoked with low probabilities
• Spoofed sites allowed login
• Classic phishing attack
• Malicious bookmark replacement
• Spoofed home page attack
• Pharming attack
  • (Recent) browsers display an error page
Study Results – Detection Rates
• Significant differences, best results when combined
• Interactive custom image is highly effective
  • More than twice the detection rates of non-image users
Users’ Response to Emails
• Warnings don’t help
• The login bookmark is only effective when combined with “non-working” links
Spoofed Home Page Attack Results
• Lower detection rates than for other attacks
  • Users might highly trust the home page of a familiar site
  • Prevention gets higher importance
• Almost all bookmark users tried to enter the site’s login page via its home page
  • All but two stopped trying after 5 attempts or less
  • Login bookmark + “non-working” account-entrance button = effective prevention
Agenda
• Introduction: phishing, current defenses & studies
• Psychology: principles of effective mechanisms
• Long-term user study & results
• Usability issues
Usability Survey
• 72% want to use login bookmarks for high-value sites, 51% for medium-value sites
  • Bookmark setup not much of an objection
• Good willingness rates for interactive custom images
• 60% did not feel more protected, most did not understand the purpose of their mechanisms
  • Contradiction with the good results → users don’t need a deep understanding of the mechanisms for their training to be effective
  • Mechanisms are adequate for the general public
  • Similar results for the general public (?)
Conclusions
• Long-term user study measuring the effectiveness of forcing-function and negative-training-function mechanisms
• Interactive custom images doubled the detection rates
• Login bookmarks + non-working links doubled the prevention rates
• Combining all mechanisms: best detection (82%) and overall resistance (93%) rates
• Most users are willing to use the mechanisms, especially for high-value sites
• The mechanisms work in spite of many users not understanding their purpose