June 19, 2006 TIPPI2 1

Web Wallet: Preventing Phishing Attacks by Revealing User Intentions

Rob Miller & Min Wu
User Interface Design Group, MIT CSAIL

Joint work with Simson Garfinkel, Greg Little




June 19, 2006 TIPPI2 2

Do Security Indicators Work?



June 19, 2006 TIPPI2 3

Security Indicators Don’t Work

• Users don’t know what to trust
  – Web page often looks more credible than indicator
• Security is a secondary task
  – Users don’t have to pay attention to the indicators, so they don’t
• Indicators aren’t reliable
  – Sloppy but common web practices make them inaccurate
• Current indicators only say “don’t go there”
  – So where should I go instead?


June 19, 2006 TIPPI2 4

Our Approach: Web Wallet


June 19, 2006 TIPPI2 5

Outline

• Security toolbar study [CHI ’06]
• Web Wallet [SOUPS ’06]
  – Demo
  – Design principles
  – User study
• Related work


June 19, 2006 TIPPI2 6

Three Kinds of Toolbar Information

• Neutral-information toolbar: SpoofStick, Netcraft Toolbar
• System-decision toolbar: eBay’s Account Guard, SpoofGuard
• SSL-verification toolbar: TrustBar


June 19, 2006 TIPPI2 7

Study Design

• Study should reflect the “secondary goal property” of security
  – In real life, security is rarely a user’s primary goal
• Users must be given tasks other than security
  – “In this study, you are the personal assistant for John Smith. Here are 20 forwarded emails from him.”
• Tasks involve security decisions
  – John’s emails ask the user to manage his wish lists at various e-commerce sites, which require logging in to the sites

June 19, 2006 TIPPI2 8

(image-only slide; no text extracted)


June 19, 2006 TIPPI2 9

Phishing Attacks in the Study

• 5 of the 20 emails are attacks, e.g.:

  Attack type              Site the user expects   Site actually visited
  Similar-name attack      Bestbuy.com             www.bestbuy.com.ww2.us
  IP-address attack        Bestbuy.com             212.85.153.6
  Hijacked-server attack   Bestbuy.com             www.btinternet.com


June 19, 2006 TIPPI2 10

Results

[Chart: Spoof Rate by Wish-list Attacks]

  Neutral-Information toolbar   45%
  SSL-Verification toolbar      38%
  System-Decision toolbar       33%


June 19, 2006 TIPPI2 11

Why Were Users Fooled?

• Users explain away indicators of attacks
  – www.ssl-yahoo.com:
    • “a subdirectory of Yahoo, like mail.yahoo.com”
  – sign.travelocity.com.zaga-zaga.us:
    • “must be an outsourcing site [for travelocity.com].”
  – www.btinternet.com (phishing for buy.com):
    • “sometimes I go to a website and the site directs me to another address which is different from the one I have typed.”
  – 200.114.156.78:
    • “I have been to sites that used IP addresses.”
  – Potential fraudulent site:
    • “it is triggered because the web content is ‘informal’, just like my spam filter says ‘this email is probably a spam.’”
  – New Site [BR]:
    • “Yahoo must have a branch in Brazil.”


June 19, 2006 TIPPI2 12

Why Were Users Fooled?

• Users had the wrong security model
  – “The site is authentic because it has a privacy policy, VeriSign seal, contact information, and the submit button says ‘sign in using our secure server’.”
  – “If a site works well with all its links, then the site is authentic. I cannot imagine that an attacker will mirror a whole site.”
• Security was not the primary goal
  – “I noticed the warning. But I had to take the risk to get the task done.”
  – “I did look at the toolbar but did not notice the warning under this attack.”


June 19, 2006 TIPPI2 13

Why Do Security Indicators Fail?

• Attack is more credible than indicator
  – Web page has richer cues than browser toolbar
• Security is a separate, secondary task
  – Primary task wins
  – Separate security task is ignored
• Sloppy but common web practices allow the user to rationalize the attack
  – Users do not know how to correctly interpret the toolbar display
• Advising the user not to proceed is not the right approach
  – We need to provide a safe path


June 19, 2006 TIPPI2 14

Our Approach: Web Wallet

• Redesign browser UI so that the user’s intention is clear
  – “Log in to bestbuy.com”
  – “Submit my credit card to amazon.com”
• Block the action if the user’s intention disagrees with its actual effect
  – But offer a safe path to the user’s goal
• Integrate security decisions into the user’s workflow
  – So they can’t be ignored


June 19, 2006 TIPPI2 15

Web Wallet

DEMO

June 19, 2006 TIPPI2 16–20

(slides 16–20: image-only demo slides; no text extracted)


June 19, 2006 TIPPI2 21

Web Wallet Design Principles

• Determine the user’s intention

• Respect that intention


June 19, 2006 TIPPI2 22

Design Principles

• Integrate security UI into the user’s workflow

• Improve usability as well as security


June 19, 2006 TIPPI2 23

Design Principles

• Use comparisons to put information in context

• Ask user to choose, not just “are you sure?”
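The intent check behind the approach on slide 14 and the principles on slides 21–23, as an added example (this is not the Web Wallet’s own code; the project was an Internet Explorer sidebar and its real rules are not on these slides). The user first states an intention (“log in to bestbuy.com”); the wallet compares that with where a sensitive form really submits, blocks on disagreement, labels the mismatch with the three attack types from slide 9, and offers the intended site as the safe path in a compare-and-choose prompt rather than a bare “are you sure?”. It runs under Node.js; the public-suffix stand-in, the sensitive-field heuristic, the sample form actions and the `https://www.<site>/` safe path are all assumptions made for the example.

```javascript
// Added example, not code from the Web Wallet project: a pure-logic sketch of
// the intent check the slides describe. Runs under Node.js (WHATWG URL).
// Domain parsing and the sensitive-field heuristic are simplified assumptions.

// Assumption: a tiny stand-in for the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp", "com.br"]);

// Registrable domain of a host name:
//   "www.bestbuy.com"        -> "bestbuy.com"
//   "www.bestbuy.com.ww2.us" -> "ww2.us"   (the similar-name attack)
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  return labels.slice(MULTI_LABEL_SUFFIXES.has(lastTwo) ? -3 : -2).join(".");
}

// IPv4 dotted quad, or a bracketed IPv6 literal as URL.hostname reports it.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Which forms the wallet intercepts at all: only submissions that carry a
// password or payment card go through the intent check. The undetected-form
// attack on slide 25 targets exactly this step (a sensitive field the wallet
// does not recognise), which is why the slides also tell users to press F2
// themselves before any sensitive submission.
const SENSITIVE_NAME = /pass|pwd|card|ccnum|cvv/i;
function isSensitiveForm(fields) {
  return fields.some(f => f.type === "password"
    || f.autocomplete === "cc-number"
    || SENSITIVE_NAME.test(f.name || ""));
}

// Label a mismatch with the three attack types from the toolbar study.
function classifyMismatch(intendedDomain, host) {
  if (isIpLiteral(host)) return "ip-address";
  // Similar-name attack: the real domain shows up inside the host name, but
  // the registrable domain belongs to someone else (www.ssl-yahoo.com,
  // www.bestbuy.com.ww2.us).
  if (host.includes(intendedDomain)) return "similar-name";
  return "hijacked-server-or-unrelated";
}

// intendedSite: what the user told the wallet ("bestbuy.com" or a pasted URL).
// formAction:   the absolute URL the sensitive form actually submits to.
function checkSubmission(intendedSite, formAction) {
  const intended = registrableDomain(
    intendedSite.replace(/^https?:\/\//i, "").split("/")[0]);
  const url = new URL(formAction);
  const host = url.hostname;
  const actual = isIpLiteral(host) ? host : registrableDomain(host);
  if (actual === intended) return { allowed: true, destination: actual };

  // Assumption: the safe path is the intended site's www host over HTTPS;
  // a real wallet would take this from its stored card for that site.
  const safePath = `https://www.${intended}/`;
  return {
    allowed: false,
    attackType: classifyMismatch(intended, host),
    // Compare-and-choose: show both destinations and let the user pick.
    choices: [
      { label: `Send to ${host} (where this form really goes)`, target: url.origin },
      { label: `Go to ${intended} instead (what you said you intended)`, target: safePath },
    ],
    safePath,
  };
}

// Full decision for one submission: leave non-sensitive forms alone.
function decideSubmission(intendedSite, form) {
  if (!isSensitiveForm(form.fields)) return { intercepted: false };
  return { intercepted: true, ...checkSubmission(intendedSite, form.action) };
}

// Constructed sample: the three attack shapes from slide 9, plus the real site.
const SAMPLES = [
  "https://www.bestbuy.com/login",
  "https://www.bestbuy.com.ww2.us/login",
  "http://212.85.153.6/login",
  "https://www.btinternet.com/bestbuy/login",
];
for (const action of SAMPLES) {
  const d = decideSubmission("bestbuy.com",
    { action, fields: [{ type: "text", name: "user" }, { type: "password", name: "pwd" }] });
  console.log(action, "->", d.allowed ? "allowed" : `blocked (${d.attackType})`);
}
```

The comparison is done on registrable domains, not on whether the intended name appears anywhere in the URL, which is why `www.bestbuy.com.ww2.us` is rejected even though it contains `bestbuy.com`. The block also shows the limit the later slides point at: everything depends on the wallet recognising the form as sensitive and on the wallet itself being genuine, and neither the undetected-form attack nor the fake-wallet attack is stopped by this comparison.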


June 19, 2006 TIPPI2 24

Web Wallet User Study

• Same scenario as the toolbar study
• No tutorial
• 30 users
  – Internet Explorer alone (10 users)
  – Web Wallet (20 users)
• 5 phishing attacks
  – IE group saw only similar-name attacks, e.g.: bestbuy.com shown as www.bestbuy.com.ww2.us
  – Web Wallet group saw Wallet-specific attacks


June 19, 2006 TIPPI2 25

Attacks Against the Web Wallet

1. Normal attack

2. Undetected-form attack

3. Onscreen-keyboard attack


June 19, 2006 TIPPI2 26

Attacks Against the Web Wallet

4. Fake-wallet attack


June 19, 2006 TIPPI2 27

Attacks Against the Web Wallet

5. Fake-suggestion attack


June 19, 2006 TIPPI2 28

Results

[Chart: Spoof Rates]

  Normal attack with IE (control group)       63%
  Normal attack with the Web Wallet            7%
  All phishing attacks with the Web Wallet    29%


June 19, 2006 TIPPI2 29

Which Features Helped?

• Site description stopped 14 attacks (out of the 22 attacks where it was seen)

• Choosing interface stopped 14 (out of 14 attacks where seen)


June 19, 2006 TIPPI2 30

Spoof Rate by Attack Type

[Chart: Spoof Rates]

  Normal attack              7%
  Online-keyboard attack    14%
  Fake-suggestion attack    21%
  Undetected-form attack    36%
  Fake-wallet attack        64%


June 19, 2006 TIPPI2 31

Fake-Wallet Attack

• Web Wallet utterly failed to prevent the fake-wallet attack (spoof rate 64%)
• Users had the wrong mental model for the security key
• Spoofing is still a problem, since the Web Wallet itself can be spoofed
  – Dynamic skin
  – Personalized image
  – Active observer?

On-screen prompts shown on the slide:
  “Press F2 before you do any sensitive data submission”
  “Press F2 to open the Web Wallet”


June 19, 2006 TIPPI2 32

Related Work

• Dynamic security skins (Dhamija & Tygar)

• Microsoft InfoCard (Cameron et al)

• PwdHash (Ross et al)

• Password Multiplier (Halderman et al)

• GeoTrust TrustWatch


June 19, 2006 TIPPI2 33

Summary: Antiphishing UI Design Principles

• Get the user’s intention
• Respect that intention
• Integrate security decisions into the user’s workflow
• Compare-and-choose, don’t just confirm

• More information at: http://uid.csail.mit.edu/