Web Wallet Preventing Phishing Attacks by Revealing User Intentions

10/20/2009, Loomi Liao

Agenda

• The problems
• Some anti-phishing solutions
• The Web Wallet solutions
• The Web Wallet user interface
• User study
• Discussion

Phishing Attacks

A semantic attack: it exploits the gap between the user's intentions and the system's operation.

What makes phishing attacks hard to prevent?

• A site's appearance does not reliably reflect the site's true identity.
• The browser fails to give appropriate protection to sensitive data submission.

User judges by:
• Look and feel
• Semantic meaning of its content

Browser can check:
• Correct URL
• SSL certificate
• Site registration information

Why are many proposed anti-phishing solutions ineffective?

• Locations of warning indicators: peripheral area or centrally displayed web page
• Not the user's primary goal
• Sloppy but common web practices:
  • Use IP addresses instead of hostnames
  • Use a domain name that is different from their brand names
  • Use non-SSL protected login pages
• No good alternatives suggested

Some Anti-Phishing Solutions

• Stop phishing at the email level
• Use security toolbars
• Visually differentiate the phishing sites from the spoofed legitimate sites
• Two-factor authentication

Design Principles of the Web Wallet

• Get the user's intention: what is the data? where will it go?
• Integrate security into the workflow:
  • Disable the web form fields so that the user is forced to activate the Web Wallet
  • Make itself the only affordance for input
  • Make the user explicitly acknowledge and indicate their intended site
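The two design principles above amount to a concrete check before sensitive data leaves the browser: annotate which fields are sensitive, then compare where the form actually sends them with the site the user explicitly named. The following is an added model of that check, not code from the Web Wallet paper or the slides; the field-name heuristics, the `www.`-stripping host comparison and the sample forms are assumptions constructed for the example.

```python
from urllib.parse import urlparse

SENSITIVE_TYPES = {"password"}
# Assumed name hints: catch a password collected through a type="text" box
# (the slides' undetected-form attack) when its field name gives it away.
SENSITIVE_NAME_HINTS = ("pass", "pwd", "pin", "ssn", "card")


def is_sensitive_field(field):
    """Form annotation: mark a field sensitive by input type first, name second."""
    if field.get("type", "text").lower() in SENSITIVE_TYPES:
        return True
    name = field.get("name", "").lower()
    return any(hint in name for hint in SENSITIVE_NAME_HINTS)


def site_of(url):
    """Host of a URL with a leading 'www.' dropped. Assumption: a production
    build would use the public suffix list to get the registered domain."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_submission(form, intended_site):
    """Confirmation step: compare where the form really sends data (its action
    URL) with the site the user explicitly selected as intended.
    Returns (verdict, reason); 'allow' means the wallet may release the data."""
    sensitive = [f["name"] for f in form["fields"] if is_sensitive_field(f)]
    if not sensitive:
        return "allow", "no sensitive fields; wallet not involved"
    dest = site_of(form["action"])
    if dest != site_of("https://" + intended_site):
        return "block", f"{sensitive} would go to {dest}, not {intended_site}"
    if urlparse(form["action"]).scheme != "https":
        return "warn", f"{intended_site} matches but the form submits without SSL"
    return "allow", f"{sensitive} released to {dest}"


# Constructed sample forms (not taken from the paper or its user study).
LEGIT = {"action": "https://www.example-bank.test/login",
         "fields": [{"name": "user", "type": "text"},
                    {"name": "passwd", "type": "password"}]}
SPOOF = {"action": "https://example-bank.test.evil-host.test/login",
         "fields": [{"name": "user", "type": "text"},
                    {"name": "passwd", "type": "text"}]}  # no password type

if __name__ == "__main__":
    print(check_submission(LEGIT, "example-bank.test"))
    print(check_submission(SPOOF, "example-bank.test"))
```

The spoofed form is blocked on the destination mismatch even though it avoids a `type="password"` field; the match on the user's stated site, not the page's look and feel, is what decides.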

Web Site Trust Analysis

• SSL certificate
• Trusted third-party certificates
• Site popularity
• Site registration information
• Site category information

Web Wallet

1. Form Annotation

2. Security Key

3. Browser Sidebar

4. Confirmation Interface

5. Negative Visual Feedback
   • Flying icon
   • Zooming character

Five Simulated Phishing Attacks

• Normal Phishing Attack
• Undetected-form Attack
• Online-keyboard Attack
• Fake-wallet Attack
• Fake-suggestion Attack

User Study on Web Wallet

(Chart) Spoof rates with and without the Web Wallet protection

(Chart) Spoof rates of the five attacks in the Web Wallet test

How well does the Web Wallet work?

Effectively prevents:
• Normal phishing attack
• Online-keyboard attack
• Fake-suggestion attack

Fails to effectively prevent:
• Undetected-form attack
• Fake-wallet attack (negative visual feedback fails)

Discussion

• Can users trust the Web Wallet?
  • Spoofed Web Wallet
  • Failure to give correct suggestions
• Can a security task be integrated into the workflow?
  • Forcing users to use it by disabling the sensitive input field
  • Asking users to select their intended site

Reference

M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.


Questions?