1 / 75

Usable Privacy and Security: Trust, Phishing, and Pervasive Computing

This paper focuses on the usability of privacy and security measures in addressing the problem of phishing attacks. It explores human-side and computer-side solutions, including interviews, embedded training, anti-phishing games, email filters, and toolbars.

dbrennan
Download Presentation

Usable Privacy and Security: Trust, Phishing, and Pervasive Computing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Usable Privacy and Security: Trust, Phishing, and Pervasive Computing Jason I. HongCarnegie Mellon University

  2. Everyday Privacy and Security Problem

  3. Everyday Privacy and Security Problem

  4. Usable Privacy and Security Important • People increasingly asked to make trust judgements • Consequences of wrong decision can be dramatic • New networked technologies leading to new risks • Friend Finder (“where is Alice?”) • Better awareness (“Daniel is at school”) Find Friends inTouch

  5. Grand Challenge “Give end-users security controls they can understandand privacy they can controlfor the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

  6. Usable Privacy and Security Work • Supporting Trust Decisions • Interviews to understand decision-making • Embedded training • User-Controllable Privacy and Security in Pervasive Computing • Contextual instant messaging • Person Finder • Access control to resources

  7. Project: Supporting Trust Decisions • Goal here is to help people make better decisions • Context here is anti-phishing • Large multi-disciplinary team project • Supported by NSF, ARO, CMU CyLab • Six faculty, five PhD students, undergrads, staff • Computer science, human-computer interaction, public policy, social and decision sciences, CERT

  8. Phishing • A semantic attack aimed directly at people rather than computers • “Please update your account” • “Fill out survey and get $25” • “Question about your auction” • Rapidly growing in scale and damage • Estimated 3.5 million phishing victims • ~7000 new phishing sites in Dec 2005 alone • ~$1-2 billion in damages • More profitable (and safer) to phish than rob a bank

  9. Supporting Trust Decisions Outline • Human-Side of Anti-Phishing • Interviews to understand decision-making • Embedded Training • Anti-Phishing Game • Computer-Side • Email Anti-Phishing Filter • Automated Testbed for Anti-Phishing Toolbars • Our Anti-Phishing Toolbar • Automate where possible, support where necessary

  10. What do users know about phishing?

  11. Interview Study • Interviewed 40 Internet users, included 35 non-experts • “Mental models” interviews included email role play and open ended questions • Interviews recorded and coded J. Downs, M. Holbrook, and L. Cranor. Decision Strategies and Susceptibility to Phishing. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

  12. Little Knowledge of Phishing • Only about half knew meaning of the term “phishing” “Something to do with the band Phish, I take it.”

  13. Little Attention Paid to URLs • Only 55% of participants said they had ever noticed an unexpected or strange-looking URL • Most did not consider them to be suspicious

  14. Some Knowledge of Scams • 55% of participants reported being cautious when email asks for sensitive financial info • But very few reported being suspicious of email asking for passwords • Knowledge of financial phish reduced likelihood of falling for these scams • But did not transfer to other scams, such as amazon.com password phish

  15. Naive Evaluation Strategies • The most frequent strategies don’t help much in identifying phish • This email appears to be for me • It’s normal to hear from companies you do business with • Reputable companies will send emails “I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again.”

  16. Other Findings • Web security pop-ups are confusing “Yeah, like the certificate has expired. I don’t actually know what that means.” • Minimal knowledge of lock icon • Don’t know what encryption means • Summary • People generally not good at identifying scams they haven’t specifically seen before • People don’t use good strategies to protect themselves

  17. Can we train people not to fall for phishing?

  18. Web Site Training Study • Laboratory study of 28 non-expert computer users • Two conditions, both asked to evaluate 20 web sites • Control group evaluated 10 web sites, took 15 minute break to read email or play solitaire, evaluated 10 more web sites • Experimental group same as above, but spent 15 minute break reading web-based training materials • Experimental group performed significantly better identifying phish after training • Less reliance on “professional-looking” designs • Looking at and understanding URLs • Web site asks for too much information People can learn from web-based training materials, if only we could get them to read them!

  19. How Do We Get People Trained? • Most people don’t proactively look for training materials on the web • Many companies send “security notice” emails to their employees and/or customers • But these tend to be ignored • Too much to read • People don’t consider them relevant • People think they already know how to protect themselves

  20. Embedded Training • Can we “train” people during their normal use of email to avoid phishing attacks? • Periodically, people get sent a training email • Training email looks like a phishing attack • If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format P. Kumaraguru, Y. Rhee, A. Acquisti, L. Cranor, J. Hong, and E. Nunge. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CyLab Technical Report. CMU-CyLab-06-017, 2006. http://www.cylab.cmu.edu/default.aspx?id=2253 [to be presented at CHI 2007]

  21. Diagram Intervention

  22. Diagram Intervention Explains why they are seeing this message

  23. Diagram Intervention Explains how to identify a phishing scam

  24. Diagram Intervention Explains what a phishing scam is

  25. Diagram Intervention Explains simple things you can do to protect self

  26. Comic Strip Intervention

  27. Embedded Training Evaluation • Lab study comparing our prototypes to standard security notices • EBay, PayPal notices • Diagram that explains phishing • Comic strip that tells a story • 10 participants in each condition (30 total) • Roughly, go through 19 emails, 4 phishing attacks scattered throughout, 2 training emails too • Emails are in context of working in an office

  28. Embedded Training Results • Existing practice of security notices is ineffective • Diagram intervention somewhat better • Comic strip intervention worked best • Statistically significant

  29. Next Steps • Iterate on intervention design • Have already created newer designs, ready for testing • Understand why comic strip worked better • Story? Comic format? • Preparing for larger scale deployment • Include more people • Evaluate retention over time • Deploy outside lab conditions if possible • Real world deployment and evaluation • Need corporate partners to let us spoof their brand

  30. Usable Privacy and Security Work • Supporting Trust Decisions • Interviews to understand decision-making • Embedded training • User-Controllable Privacy and Security in Pervasive Computing • Contextual instant messaging • Person Finder • Access control to resources

  31. The Problem • Mobile devices becoming integrated into everyday life • Mobile communication • Sharing location information with others • Remote access to home • Mobile e-commerce • Managing security and privacy policies is hard • Preferences hard to articulate • Policies hard to specify • Limited input and output • Leads to new sources of vulnerability and frustration

  32. Our Goal • Develop better UIs for managing privacy and security on mobile devices • Simple ways of specifying policies • Clear notifications and explanations of what happened • Better visualizations to summarize results • Machine learning for learning preferences • Start with small evaluations, continue with large-scale ones • Large multi-disciplinary team and project • Six faculty, 1.5 postdocs, six students • Roughly 1 year into project

  33. Usable Privacy and Security Work • Supporting Trust Decisions • Interviews to understand decision-making • Embedded training • User-Controllable Privacy and Security in Pervasive Computing • Contextual instant messaging • Person Finder • Access control to resources

  34. Contextual Instant Messaging • Facilitate coordination and communication by letting people request contextual information via IM • Interruptibility (via SUBTLE toolkit) • Location (via Place Lab wifi positioning) • Active window • Developed a custom client and robot on top of AIM • Client (Trillian plugin) captures and sends context to robot • People can query imbuddy411 robot for info • “howbusyis username” • Robot also contains privacy rules governing disclosure

  35. Contextual Instant MessagingPrivacy Mechanisms • Web-based specification of privacy preferences • Users can create groups andput screennames into groups • Users can specify what each group can see

  36. Contextual Instant MessagingPrivacy Mechanisms • Notifications of requests

  37. Contextual Instant MessagingPrivacy Mechanisms • Social translucency

  38. Contextual Instant MessagingPrivacy Mechanisms • Audit logs

  39. Contextual Instant MessagingEvaluation • Recruited ten people for two weeks • Selected people highly active in IM (ie undergrads ) • Each participant had ~90 buddies and 1300 incoming and outgoing messages per week • Notified other parties of imbuddy411 service • Update AIM profile to advertise • Would notify other parties at start of conversation

  40. Contextual Instant MessagingResults • Total of 242 requests for contextual information • 53 distinct screen names, 13 repeat users

  41. Contextual Instant MessagingResults • 43 privacy groups, ~4 per participant • Groups organized as class, major, clubs,gender, work, location, ethnicity, family • 6 groups revealed no information • 7 groups disclosed all information • Only two instances of changes to rules • In both cases, friend asked participant to increase level of disclosure

  42. Contextual Instant MessagingResults • Likert scale survey at end • 1 is strongly disagree, 5 is strongly agree • All participants agreed contextual information sensitive • Interruptibility 3.6, location 4.1, window 4.9 • Participants were comfortable using our controls (4.1) • Easy to understand (4.4) and modify (4.2) • Good sense of who had seen what (3.9) • Participants also suggested improvements • Notification of offline requests • Better notifications to reduce interruptions (abnormal use) • Better summaries (“User x asked for location 5 times today”)

  43. Contextual Instant MessagingCurrent Status • Preparing for another round of deployment • Larger group of people • A few more kinds of contextual information • Developing privacy controls that scale better • More people, more kinds of information

  44. Usable Privacy and Security Work • Supporting Trust Decisions • Interviews to understand decision-making • Embedded training • User-Controllable Privacy and Security in Pervasive Computing • Contextual instant messaging • Person Finder • Access control to resources

  45. People Finder • Location useful for micro-coordination • Meeting up • Okayness checking • Developed phone-based client • GSM localization (Intel) • Conducted studies to see how people specify rules (& how well) • See how well machine learning can learn preferences

  46. People FinderMachine Learning • Using case-based reasoning (CBR) • “My colleagues can only see my location on weekdays and only between 8am and 6pm” • It’s now 6:15pm, so the CBR might allow, or interactively ask • Chose CBR over other machine learning • Better dialogs with users (ie more understandable) • Can be done interactively (rather than accumulating large corpus and doing post-hoc)

  47. People FinderStudy on Preferences and Rules • How well people could specify rules, and if machine learning could do better • 13 participants (+1 for pilot study) • Specify rules at beginning of study • Presented a series of thirty scenarios • Shown what their rules would do, asked if correct and utility • Given option to change rule if desired

  48. People FinderStudy on Rules

  49. People FinderResults – User Burden

  50. People FinderResults – Accuracy

More Related