WebWallet: Preventing Phishing Attacks by Revealing User Intentions
Min Wu, Robert C. Miller and Greg Little
Symposium On Usable Privacy and Security (SOUPS 2006)
Lee Hyung Kyu, 2008. 10. 28
Contents
• Introduction
• Related Work
• Web Wallet
  • Design Principles
  • User Interface
• Evaluation
• Conclusion
• Discussion
Introduction (1/3)
• Phishing
  • Steal consumers' personal identity data and financial account credentials [APWG]
  • Social engineering & technical subterfuge
• Phishing is growing [APWG, Dec. 2005]
  • 15244 unique phishing attacks
  • 7197 unique phishing sites
  • 121 legitimate brands being hijacked
  • cf. [APWG, Dec. 2007]: 25683 unique phishing attacks, 25328 unique phishing sites, 144 legitimate brands being hijacked
• White-list approach with an anti-phishing web crawler
Introduction (2/3)
• Problems
  • Appearance
    • Users tend to decide a site's identity from how the page looks
  • Data is opaque to the web browser
    • Is the submitted data sensitive or not?
  • Security indicators
    • Located in a peripheral area of the browser
Introduction (3/3)
• Problems
  • Security is rarely a user's primary goal!
    • Users focus on their current task
  • Sloppy but common web practices
    • IP addresses instead of hostnames
    • Domain names that are totally different from their brand names
    • Unprotected login pages
  • Warnings do not suggest good alternatives
    • Simple warnings only
Related Work (1/2)
• Dynamic Security Skins [R. Dhamija et al., "The Battle Against Phishing: Dynamic Security Skins" (SOUPS '05)]
  • Visual difference
    • Use a randomly generated visual hash
  • Limitations
    • Burden on users to notice the visual difference
Related Work (2/2)
• SpoofGuard [N. Chou et al., "Client-side defense against web-based identity theft" (NDSS '04)]
  • Heuristics
    • Calculate a spoof index from several features
    • Warn users when a page has a high probability of being a spoof
  • Limitations
    • High false positive rate
    • Many unnecessary warnings, which users learn to ignore
Web Wallet: Design Principles (1/2)
• Get the user's intention
  • The user interface should bridge the gap between the user's mental model and the system model (the browser)
  • Help users transfer their real intention to the browser
• Submitting data
  • Data type: sensitive or not?
  • Data recipient: which site?
• Dedicated interface for sensitive information submission
  • Check whether the current site is good enough
Web Wallet: Design Principles (2/2)
• Integrate security into the workflow
  • Disable the sensitive input fields in web forms
  • Make itself the only way to input sensitive data
  • Do not depend on users remembering to use it
• Incorporate security questions by helping users achieve their goals instead of stopping them
  • Do not use a generic warning ("Are you sure?")
  • Show the user a list of sites and let her choose
Web Wallet: User Interface (1/5)
• Form annotation
  • Use a naïve Bayesian classifier and a hidden Markov model to search for login forms
  • Disable the detected login forms
  • Provide a login card instead
• Security key
  • Press the F2 key
  • The user simply browses the site; pressing F2 becomes habitual
Web Wallet: User Interface (2/5)
• Browser sidebar
  • Card presentation
  • Card folder
    • Encrypted by a master password
  • Stored card
    • Shown if it matches the web page's request
Web Wallet: User Interface (3/5)
• Browser sidebar
  • New login card
    • Shown if no stored card matches the web page's request
    • Shows the domain name & site description
    • "Save Card" checkbox
Web Wallet: User Interface (4/5)
• Confirmation interface
  • Shown when the site is untrusted & the user has not logged in there before
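The sidebar flow on the preceding slides (stored card, new login card, confirmation interface with a site list), modelled as a small Python example. This is added here and is not code from the paper or the Web Wallet prototype; the `trusted` set, exact hostname matching and the dictionary return shapes are assumptions of this model.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class LoginCard:
    domain: str        # site these credentials belong to
    username: str
    password: str
    description: str = ""


@dataclass
class CardFolder:
    # The real Web Wallet encrypts the folder with a master password;
    # this constructed model keeps everything in memory.
    cards: dict = field(default_factory=dict)   # domain -> LoginCard
    trusted: set = field(default_factory=set)   # assumed: sites logged into before

    def add(self, card: LoginCard) -> None:
        self.cards[card.domain] = card
        self.trusted.add(card.domain)


def request_domain(page_url: str) -> str:
    """Identify the recipient of the submission by its hostname, never by
    how the page looks (exact-host matching is an assumption of this model)."""
    return (urlparse(page_url).hostname or "").lower()


def decide(folder: CardFolder, page_url: str) -> dict:
    """Sidebar flow when the user presses F2 on a login form."""
    current = request_domain(page_url)
    if current in folder.cards:                  # stored card matches the request
        return {"view": "stored_card", "current": current, "card": folder.cards[current]}
    if current in folder.trusted:                # known site, but no card saved yet
        return {"view": "new_card", "current": current}
    # Untrusted and never logged in before: confirmation interface listing the
    # user's known sites plus the current site (the 'modified interface').
    return {"view": "confirm", "current": current,
            "site_list": sorted(folder.cards) + [current]}


def resolve_choice(decision: dict, chosen_site: str) -> dict:
    """Apply the user's stated intention. Credentials go only to the site she
    chose; a mismatch with the current site is treated as suspected phishing."""
    if decision["view"] != "confirm":
        return {"action": "submit", "to": decision["current"]}
    if chosen_site != decision["current"]:
        return {"action": "block", "intended": chosen_site, "current": decision["current"]}
    return {"action": "new_card", "to": chosen_site}
```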
Web Wallet: User Interface (5/5)
• Negative visual feedback
  • Prevents the fake Web Wallet attack
  • Differentiates the web interface from the local interface
Evaluation (1/4)
• Simulated attacks
  • Normal attack
  • Undetected-form attack
    • Form annotation fails to detect the login form
    • Negative visual feedback
  • Online-keyboard attack
    • Bypasses the zooming character
    • Flying icon
  • Fake-wallet attack
    • Fake wallet displayed by the web site
    • Negative visual feedback
  • Fake-suggestion attack
    • The user chooses the phishing site from the list
Evaluation (2/4)
• User study
  • 21 subjects (14 / 7)
  • Subjects play the role of John Smith's assistant
• Spoof rate
  • The fraction of simulated attacks that successfully obtain his information
Evaluation (3/4)
• First interface
  • Problems
    • The site list does not include the current site
    • Users type directly into the web form despite warnings
Evaluation (4/4)
• Modified interface
  • Improvements
    • Add the current site to the site list
    • Always display a login card
Conclusion
• Web Wallet
  • Provides a dedicated interface for sensitive information
    • Spoof rate of normal attacks falls from 63% to 7%
  • Makes itself an integrated part of the user's workflow
    • The warning from the Web Wallet is no longer a weak signal
  • Encourages the user to choose her intended site using the site list
Discussion
• Pros
  • Improves on existing anti-phishing tools
    • Lower spoof rate
    • Eliminates unnecessary warnings
  • Lowers the burden on users
    • Trial and error
• Cons
  • Undetected-form attack & fake-wallet attack
    • Negative visual feedback is ineffective
  • Image recognition
  • Pressing the F2 key
  • What kinds of attacks make up the remaining 7%?
Q & A