Web Wallet: Preventing Phishing Attacks by Revealing User Intentions (10/20/2009, Loomi Liao)

Page 1: 10/20/2009 Loomi Liao. The problems. Some anti-phishing solutions. The Web Wallet solutions. The Web Wallet User Interface. User study. Discussion.

Web Wallet: Preventing Phishing Attacks by Revealing User Intentions

10/20/2009, Loomi Liao

Page 2

Agenda

• The problems
• Some anti-phishing solutions
• The Web Wallet solutions
• The Web Wallet User Interface
• User study
• Discussion

Page 3

Phishing Attacks

A semantic attack: it exploits the gap between the user's intentions and the system's operation.

Page 4

What makes phishing attacks hard to prevent?

• A site's appearance does not reliably reflect the site's true identity.
• The browser fails to give appropriate protection to sensitive data submission.

User
• Look and feel
• Semantic meaning of its content

Browser
• Correct URL
• SSL certificate
• Site registration information

Page 5

Why are many proposed anti-phishing solutions ineffective?

• Locations of warning indicators
  • Peripheral area or centrally displayed web page
  • Not the user's primary goal
• Sloppy but common web practices
  • Use IP addresses instead of hostnames
  • Use a domain name that is different from their brand names
  • Use non-SSL protected login pages
• No good alternatives suggested

Page 6

Some Anti-Phishing Solutions

• Stop phishing at the email level
• Use security toolbars
• Visually differentiate the phishing sites from the spoofed legitimate sites
• Two-factor authentication

Page 7

Design Principles of the Web Wallet

• Get the user's intention: what is the data? Where will it go?
• Integrate security into the workflow
  • Disable the web form fields so that the user is forced to activate the Web Wallet
  • Make itself the only affordance for input
  • Make the user explicitly acknowledge and indicate their intended site

Page 8

Web Site Trust Analysis

• SSL certificate
• Trusted third-party certificates
• Site popularity
• Site registration information
• Site category information
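As an added example (not code from the slides or from the Web Wallet project), the flow of pages 7 and 8 modelled in JavaScript over plain-object forms: sensitive fields are annotated and disabled so the wallet is the only way to enter them, and submission is released only when the form's actual destination matches the site the user declared. The function names, the field-name heuristic and the sample forms are assumptions.

```javascript
// Added example (not from the slides or the Web Wallet paper): a minimal model
// of the Web Wallet flow, runnable in Node with no DOM. Names are hypothetical.

const SENSITIVE_TYPES = new Set(["password"]);
const SENSITIVE_NAME_RE = /(pass|pwd|card|cvv|ssn|account)/i;

// Form annotation: flag sensitive fields and disable them, so the wallet is
// the only affordance for entering that data.
function annotateForm(form) {
  const fields = form.fields.map((f) => {
    const sensitive = SENSITIVE_TYPES.has(f.type) || SENSITIVE_NAME_RE.test(f.name);
    return { ...f, sensitive, disabled: sensitive };
  });
  return { ...form, fields };
}

// "Where will it go?": compare the host the user says they intend to send
// data to with where the form actually submits, and note the sloppy practices
// from the slides (non-SSL submission, IP address instead of a hostname).
function checkIntendedSite(intendedHost, formAction) {
  const url = new URL(formAction);
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("non-SSL submission");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) reasons.push("IP address instead of hostname");
  const sameSite = url.hostname === intendedHost || url.hostname.endsWith("." + intendedHost);
  if (!sameSite) reasons.push(`data would go to ${url.hostname}, not ${intendedHost}`);
  return { allow: reasons.length === 0, reasons };
}

// Confirmation: release the sensitive fields only when the destination
// matches the user's stated intention; forms without sensitive data pass.
function evaluateSubmission(form, intendedHost) {
  const annotated = annotateForm(form);
  const sensitiveNames = annotated.fields.filter((f) => f.sensitive).map((f) => f.name);
  if (sensitiveNames.length === 0) return { allow: true, sensitiveNames, reasons: [] };
  const { allow, reasons } = checkIntendedSite(intendedHost, annotated.action);
  return { allow, sensitiveNames, reasons };
}

// Constructed sample forms (not real sites): a legitimate login form and a
// look-alike that posts the same fields to a bare IP address over HTTP.
const LEGIT_FORM = {
  action: "https://login.example-bank.test/auth",
  fields: [{ name: "user", type: "text" }, { name: "passwd", type: "password" }],
};
const SPOOF_FORM = {
  action: "http://192.0.2.10/example-bank/login",
  fields: [{ name: "user", type: "text" }, { name: "passwd", type: "password" }],
};
```

The undetected-form attack from page 10 is the obvious gap in this model: a field the heuristic does not flag is never disabled, which is why the paper's own annotation step matters as much as the destination check.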

Page 9

Web Wallet

1. Form Annotation

2. Security Key

3. Browser Sidebar

4. Confirmation Interface

5. Negative Visual Feedback
   • Flying icon
   • Zooming character

Page 10

Five Simulated Phishing Attacks

• Normal phishing attack
• Undetected-form attack
• Online-keyboard attack
• Fake-wallet attack
• Fake-suggestion attack

Page 11

User Study on Web Wallet

(Chart: Spoof rates with and without the Web Wallet protection)

(Chart: Spoof rates of the five attacks in the Web Wallet test)

Page 12

User Study on Web Wallet

Page 13

How well does the Web Wallet work?

Effectively prevents:
• Normal phishing attack
• Online-keyboard attack
• Fake-suggestion attack

Fails to effectively prevent:
• Undetected-form attack
• Fake-wallet attack (negative visual feedback fails)

Page 14

Discussion

• Can users trust the Web Wallet?
  • Spoofed Web Wallet
  • Fails to give correct suggestions
• Can a security task be integrated into the workflow?
  • Forcing users to use it by disabling the sensitive input field
  • Asking users to select their intended site

Page 15

Reference

M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.

Page 16

Questions?