1 / 16

Web Wallet Preventing Phishing Attacks by Revealing User Intentions

10/20/2009 Loomi Liao. Web Wallet Preventing Phishing Attacks by Revealing User Intentions. Agenda. The problems Some anti-phishing solutions The Web Wallet solutions The Web Wallet User Interface User study Discussion. Phishing Attacks.

howard
Download Presentation

Web Wallet Preventing Phishing Attacks by Revealing User Intentions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 10/20/2009 Loomi Liao Web Wallet Preventing Phishing Attacks by Revealing User Intentions

  2. Agenda • The problems • Some anti-phishing solutions • The Web Wallet solutions • The Web Wallet User Interface • User study • Discussion

  3. Phishing Attacks • A semantic attack: it exploits the gap between user’s intentions and the system’s operation.

  4. What makes phishing attacks hard to prevent? • A site’s appearance does not reliably reflect the site’s true identity. • Browser fails to give appropriate protection to the sensitive data submission.

  5. Why many proposed anti-phishing solutions are ineffective? • Locations of warning indicators • Peripheral area or centrally displayed web page • Not user’s primary goal • Sloppy but common web practices • Use IP addresses instead of hostnames • Use a domain name that is different from their brand names • Use non-SSL protected login pages • No good alternatives suggested

  6. Some Anti-Phishing Solutions • Stop phishing at the email level • Use security toolbars • Visually differentiate the phishing sites from the spoofed legitimate sites • Two-factor authentication

  7. Design Principles of the Web Wallet • Get the User's Intention • what is the data? • where will it go? • Integrate Security into the Workflow • Disable the web form fields so that the user is forced to activate Web Wallet • Make itself the only affordance for input • Makes user explicitly acknowledge and indicate their intended site

  8. Web Site Trust Analysis • SSL certificate • Trusted third-party certificates • Site popularity • Site registration information • Site category information

  9. Web Wallet • Form Annotation • Security Key • Browser Sidebar • Confirmation • Interface • Negative Visual • Feedback Flying icon Zooming character

  10. Five Simulated Phishing Attacks • Normal Phishing Attack • Undetected-form Attack • Online-keyboard Attack • Fake-wallet Attack • Fake-suggestion Attack

  11. User Study on Web Wallet Spoof rates with and without the Web Wallet protection Spoof rates of the five attacks in the Web Wallet test

  12. User Study on Web Wallet

  13. How well does the Web Wallet work? Negative visual feedback fails

  14. Discussion • Can users trust Web Wallet? • Spoofed Web Wallet • Fail to give correct suggestions • Can security task integrate into the workflow? • Forcing users to use it by disabling the sensitive input field • Asking users to select their intended site

  15. Reference • M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.

  16. Questions?

More Related