June 19, 2006 TIPPI2 1
Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Rob Miller & Min Wu
User Interface Design Group
MIT CSAIL
Joint work with Simson Garfinkel, Greg Little
Do Security Indicators Work?
Security Indicators Don’t Work
• Users don’t know what to trust
  – Web page often looks more credible than indicator
• Security is a secondary task
  – Users don’t have to pay attention to the indicators, so they don’t
• Indicators aren’t reliable
  – Sloppy but common web practices make them inaccurate
• Current indicators only say “don’t go there”
  – So where should I go instead?
Our Approach: Web Wallet
Outline
• Security toolbar study [CHI ’06]
• Web Wallet [SOUPS ’06]
  – Demo
  – Design principles
  – User study
• Related work
Three Kinds of Toolbar Information
• Neutral-information Toolbar: SpoofStick, Netcraft Toolbar
• System-decision Toolbar: eBay’s Account Guard, SpoofGuard
• SSL-verification Toolbar: TrustBar
Study Design
• Study should reflect the “secondary goal property” of security
  – In real life, security is rarely a user’s primary goal
• Users must be given tasks other than security
  – “In this study, you are the personal assistant for John Smith. Here are 20 forwarded emails from him.”
• Tasks involve security decisions
  – John’s emails ask the user to manage his wish lists at various e-commerce sites, which require logging in to the sites
Phishing Attacks in the Study
• 5 of the 20 emails are attacks, e.g.:
  – Similar name attack: Bestbuy.com → www.bestbuy.com.ww2.us
  – IP address attack: Bestbuy.com → 212.85.153.6
  – Hijacked-server attack: Bestbuy.com → www.btinternet.com
Results
[Bar chart: Spoof Rate by Wish-list Attacks (y-axis 0% to 100%). Categories: Neutral-Information toolbar, SSL-Verification toolbar, System-Decision toolbar. Data labels: 45%, 38%, 33%.]
Why Were Users Fooled?
• Users explain away indicators of attacks
  – www.ssl-yahoo.com:
    • “a subdirectory of Yahoo, like mail.yahoo.com”
  – sign.travelocity.com.zaga-zaga.us:
    • “must be an outsourcing site [for travelocity.com].”
  – www.btinternet.com (phishing for buy.com):
    • “sometimes I go to a website and the site directs me to another address which is different from the one I have typed.”
  – 200.114.156.78:
    • “I have been to sites that used IP addresses.”
  – Potential fraudulent site:
    • “it is triggered because the web content is ‘informal’, just like my spam filter says ‘this email is probably a spam.’”
  – New Site [BR]:
    • “Yahoo must have a branch in Brazil.”
Why Were Users Fooled?
• Users had the wrong security model
  – “The site is authentic because it has a privacy policy, VeriSign seal, contact information, and the submit button says ‘sign in using our secure server’.”
  – “If a site works well with all its links, then the site is authentic. I cannot imagine that an attacker will mirror a whole site.”
• Security was not the primary goal
  – “I noticed the warning. But I had to take the risk to get the task done.”
  – “I did look at the toolbar but did not notice the warning under this attack.”
Why Do Security Indicators Fail?
• Attack is more credible than indicator
  – Web page has richer cues than browser toolbar
• Security is a separate, secondary task
  – Primary task wins
  – Separate security task is ignored
• Sloppy but common web practices allow the user to rationalize the attack
  – Users do not know how to correctly interpret the toolbar display
• Advising the user not to proceed is not the right approach
  – We need to provide a safe path
Our Approach: Web Wallet
• Redesign browser UI so that the user’s intention is clear
  – “Log in to bestbuy.com”
  – “Submit my credit card to amazon.com”
• Block the action if the user’s intention disagrees with its actual effect
  – But offer a safe path to the user’s goal
• Integrate security decisions into the user’s workflow
  – So they can’t be ignored
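
An added example (not from the slides, and not Web Wallet's own code) of the check described above: compare the site the user intends with the site a form would actually submit to, using the attack hostnames from the study slides. The function names, the short suffix list, the constructed /login paths and the safe-path URL are assumptions made for illustration.

```javascript
// Added example, not Web Wallet's code. Assumption: this short constructed
// list stands in for the full Public Suffix List a real check would need.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.br", "com.au"]);
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Registrable domain ("site") of a hostname; null for raw IP addresses and
// single-label names, which never identify a site the user could have meant.
function siteOf(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (IPV4.test(host) || host.includes(":")) return null;
  const labels = host.split(".");
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  if (labels.length < keep || labels.includes("")) return null;
  return labels.slice(-keep).join(".");
}

// Compare the site the user chose with the site the form would submit to.
// On a mismatch, block and return both sites for a compare-and-choose prompt,
// plus a safe path (hypothetical: the intended site's HTTPS front page).
function checkSubmission(intendedSite, formActionUrl) {
  const intended = siteOf(intendedSite);
  let host = "";
  try {
    host = new URL(formActionUrl).hostname;
  } catch (e) { /* unparseable: host stays empty, so the submission is blocked */ }
  const actual = siteOf(host);
  if (intended !== null && actual === intended) {
    return { allow: true, actual, choices: [], safePath: null };
  }
  const shown = actual || host || "(unknown)";
  return {
    allow: false,
    actual: shown,
    choices: [intended, shown],
    safePath: intended ? `https://${intended}/` : null,
  };
}

// Hostnames taken from the slides (paths constructed), plus one constructed legitimate URL.
const SAMPLES = [
  "http://www.bestbuy.com.ww2.us/login",   // similar-name attack
  "http://212.85.153.6/login",             // IP-address attack
  "http://www.btinternet.com/login",       // hijacked-server attack
  "https://www.bestbuy.com/login",         // constructed legitimate destination
];
for (const url of SAMPLES) {
  const r = checkSubmission("bestbuy.com", url);
  console.log(url, "->", r.allow ? "allow" : `block (${r.actual})`);
}
```

The block result carries both sites so the interface can ask the user to choose between them rather than confirm a warning.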
Web Wallet
DEMO
Web Wallet Design Principles
• Determine the user’s intention
• Respect that intention
Design Principles
• Integrate security UI into the user’s workflow
• Improve usability as well as security
Design Principles
• Use comparisons to put information in context
• Ask user to choose, not just “are you sure?”
Web Wallet User Study
• Same scenario as the toolbar study
• No tutorial
• 30 users
  – Internet Explorer alone (10 users)
  – Web Wallet (20 users)
• 5 phishing attacks
  – IE group saw only similar-name attacks, e.g.: bestbuy.com → www.bestbuy.com.ww2.us
  – Web Wallet group saw Wallet-specific attacks
Attacks Against the Web Wallet
1. Normal attack
2. Undetected-form attack
3. Onscreen-keyboard attack
Attacks Against the Web Wallet
4. Fake-wallet attack
Attacks Against the Web Wallet
5. Fake-suggestion attack
Results
[Bar chart: Spoof Rates (y-axis 0% to 100%). Categories: Normal attack with IE (control group), Normal attack with the Web Wallet, All phishing attacks with the Web Wallet. Data labels: 63%, 29%, 7%.]
Which Features Helped?
• Site description stopped 14 attacks (out of the 22 attacks where it was seen)
• Choosing interface stopped 14 (out of 14 attacks where seen)
Spoof Rate by Attack Type
[Bar chart: Spoof Rates (y-axis 0% to 100%). Categories: Normal attack, Online-keyboard attack, Fake-suggestion attack, Undetected-form attack, Fake-wallet attack. Data labels: 14%, 21%, 36%, 64%, 7%.]
Fake-Wallet Attack
• Web Wallet utterly failed to prevent the fake-wallet attack (spoof rate 64%)
• Users had the wrong mental model for the security key
• Spoofing is still a problem, since the Web Wallet itself can be spoofed
  – Dynamic skin
  – Personalized image
  – Active observer?
Press F2 before you do any sensitive data submission
Press F2 to open the Web Wallet
Related Work
• Dynamic security skins (Dhamija & Tygar)
• Microsoft InfoCard (Cameron et al)
• PwdHash (Ross et al)
• Password Multiplier (Halderman et al)
• GeoTrust TrustWatch
Summary: Antiphishing UI Design Principles
• Get the user’s intention
• Respect that intention
• Integrate security decisions into the user’s workflow
• Compare-and-choose, don’t just confirm
• More information at: http://uid.csail.mit.edu/