Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Rob Miller & Min Wu
User Interface Design Group, MIT CSAIL
Joint work with Simson Garfinkel, Greg Little
TIPPI2
Do Security Indicators Work?
Security Indicators Don’t Work
• Users don’t know what to trust
  • Web page often looks more credible than indicator
• Security is a secondary task
  • Users don’t have to pay attention to the indicators, so they don’t
• Indicators aren’t reliable
  • Sloppy but common web practices make them inaccurate
• Current indicators only say “don’t go there”
  • So where should I go instead?
Our Approach: Web Wallet
Outline
• Security toolbar study [CHI ’06]
• Web Wallet [SOUPS ’06]
  • Demo
  • Design principles
  • User study
• Related work
Three Kinds of Toolbar Information
• Neutral-information Toolbar: SpoofStick, Netcraft Toolbar
• SSL-verification Toolbar: TrustBar
• System-decision Toolbar: eBay’s Account Guard, SpoofGuard
Study Design
• Study should reflect the “secondary goal property” of security
  • In real life, security is rarely a user’s primary goal
• Users must be given tasks other than security
  • “In this study, you are the personal assistant for John Smith. Here are 20 forwarded emails from him.”
• Tasks involve security decisions
  • John’s emails ask the user to manage his wish lists at various e-commerce sites, which require logging in to the sites
Phishing Attacks in the Study
• 5 of the 20 emails are attacks, e.g.:
  • Similar name attack: Bestbuy.com (www.bestbuy.com.ww2.us)
  • IP address attack: Bestbuy.com (212.85.153.6)
  • Hijacked-server attack: Bestbuy.com (www.btinternet.com)
Results
[Chart; series: Neutral information, SSL verification, System decision]
Why Were Users Fooled?
• Users explain away indicators of attacks
  • www.ssl-yahoo.com: “a subdirectory of Yahoo, like mail.yahoo.com”
  • sign.travelocity.com.zaga-zaga.us: “must be an outsourcing site [for travelocity.com].”
  • www.btinternet.com (phishing for buy.com): “sometimes I go to a website and the site directs me to another address which is different from the one I have typed.”
  • 200.114.156.78: “I have been to sites that used IP addresses.”
  • Potential fraudulent site: “it is triggered because the web content is ‘informal’, just like my spam filter says ‘this email is probably a spam.’”
  • New Site [BR]: “Yahoo must have a branch in Brazil.”
Why Were Users Fooled?
• Users had the wrong security model
  • “The site is authentic because it has a privacy policy, VeriSign seal, contact information, and the submit button says ‘sign in using our secure server’.”
  • “If a site works well with all its links, then the site is authentic. I cannot imagine that an attacker will mirror a whole site.”
• Security was not the primary goal
  • “I noticed the warning. But I had to take the risk to get the task done.”
  • “I did look at the toolbar but did not notice the warning under this attack.”
Why Do Security Indicators Fail?
• Attack is more credible than indicator
  • Web page has richer cues than browser toolbar
• Security is a separate, secondary task
  • Primary task wins
  • Separate security task is ignored
• Sloppy but common web practices allow the user to rationalize the attack
  • Users do not know how to correctly interpret the toolbar display
• Advising the user not to proceed is not the right approach
  • We need to provide a safe path
Our Approach: Web Wallet
• Redesign browser UI so that the user’s intention is clear
  • “Log in to bestbuy.com”
  • “Submit my credit card to amazon.com”
• Block the action if the user’s intention disagrees with its actual effect
  • But offer a safe path to the user’s goal
• Integrate security decisions into the user’s workflow
  • So they can’t be ignored
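Added example (not from the talk and not Web Wallet's own code): a minimal check of the stated intention against the actual form destination, run on the three attack hosts from the toolbar study. The function names, reason strings, returned choices and the subdomain matching rule are assumptions made for illustration.

```javascript
// Added example, not Web Wallet's code: names, reasons and the matching rule are assumptions.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True when host is the intended site or a subdomain of it. Matching on a
// label boundary stops "www.bestbuy.com.ww2.us" from passing as bestbuy.com.
function belongsTo(host, site) {
  return host === site || host.endsWith("." + site);
}

// Build the result. On a mismatch it carries two choices to compare, with the
// intended site as the safe path, rather than a bare "are you sure?" prompt.
function decision(allow, reason, site, host) {
  const choices = allow ? [] : [
    { label: `Go to ${site} (the site you chose)`, target: `https://${site}/`, safe: true },
    { label: `Stay on ${host ?? "this page"} without submitting`, target: null, safe: false },
  ];
  return { allow, reason, actualHost: host, choices };
}

// intendedSite: the site the user named, e.g. "bestbuy.com".
// formAction:   absolute URL the form would really submit to.
function checkSubmission(intendedSite, formAction) {
  const site = intendedSite.trim().toLowerCase().replace(/\.$/, "");
  let url;
  try {
    url = new URL(formAction);
  } catch {
    return decision(false, "unparseable-destination", site, null);
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  // An IP literal cannot be tied to the named site, so it never matches.
  if (IPV4.test(host) || host.startsWith("[")) {
    return decision(false, "ip-address-destination", site, host);
  }
  if (!belongsTo(host, site)) {
    return decision(false, "destination-differs-from-intention", site, host);
  }
  return decision(true, "destination-matches-intention", site, host);
}

// Constructed sample input: the three attack hosts from the study slide.
for (const action of ["https://www.bestbuy.com/login",
  "http://www.bestbuy.com.ww2.us/login", "http://212.85.153.6/login",
  "http://www.btinternet.com/login"]) {
  const r = checkSubmission("bestbuy.com", action);
  console.log(action, r.allow ? "ALLOW" : "BLOCK", r.reason);
}
```

The hijacked-server host is blocked even though it is a legitimate site in its own right, because the comparison is against what the user intended, not against a reputation signal.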
Web Wallet DEMO
Web Wallet Design Principles
• Determine the user’s intention
• Respect that intention
Design Principles
• Integrate security UI into the user’s workflow
• Improve usability as well as security
Design Principles
• Use comparisons to put information in context
• Ask user to choose, not just “are you sure?”
Web Wallet User Study
• Same scenario as the toolbar study
• No tutorial
• 30 users
  • Internet Explorer alone (10 users)
  • Web Wallet (20 users)
• 5 phishing attacks
  • IE group saw only similar-name attacks, e.g.: bestbuy.com (www.bestbuy.com.ww2.us)
  • Web Wallet group saw Wallet-specific attacks
Attacks Against the Web Wallet
1. Normal attack
2. Undetected-form attack
3. Onscreen-keyboard attack
Attacks Against the Web Wallet
4. Fake-wallet attack
Attacks Against the Web Wallet
5. Fake-suggestion attack
Results
Which Features Helped?
• Site description stopped 14 attacks (out of the 22 attacks where it was seen)
• Choosing interface stopped 14 (out of 14 attacks where seen)
Spoof Rate by Attack Type
Fake-Wallet Attack
• Web Wallet utterly failed to prevent the fake-wallet attack (spoof rate 64%)
  • Users had the wrong mental model for the security key
• Spoofing is still a problem, since the Web Wallet itself can be spoofed
  • Dynamic skin
  • Personalized image
  • Active observer?
[On-screen text: “Press F2 before you do any sensitive data submission”; “Press F2 to open the Web Wallet”]
Related Work
• Dynamic security skins (Dhamija & Tygar)
• Microsoft InfoCard (Cameron et al)
• PwdHash (Ross et al)
• Password Multiplier (Halderman et al)
• GeoTrust TrustWatch
Summary: Antiphishing UI Design Principles
• Get the user’s intention
• Respect that intention
• Integrate security decisions into the user’s workflow
• Compare-and-choose, don’t just confirm
• More information at: http://uid.csail.mit.edu/