KAIST
Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Min Wu, Robert C. Miller and Greg Little
Symposium On Usable Privacy and Security (SOUPS 2006)
Lee Hyung Kyu
2008. 10. 28
2 / 21 Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
Contents
Introduction
Related Work
Web Wallet
Design Principles
User Interface
Evaluation
Conclusion
Discussion
Introduction (1/3)
Phishing
Stealing consumers' personal identity data and financial account credentials [APWG]
Combines social engineering and technical subterfuge
Phishing is growing [APWG, Dec. 2005]
15,244 unique phishing attacks
7,197 unique phishing sites
121 legitimate brands hijacked
cf. [APWG, Dec. 2007]
25,683 unique phishing attacks
25,328 unique phishing sites
144 legitimate brands hijacked
Introduction (2/3)
Problems
Appearance: users tend to judge a site's identity by how it looks
Data is opaque to the web browser: it cannot tell whether a field is sensitive or not
Security indicators are located in a peripheral area of the browser window
Introduction (3/3)
Problems
Security is rarely a user's primary goal: users focus on their current task
Sloppy but common web practices: IP addresses instead of hostnames
Domain names that are totally different from their brand names
Unprotected login pages
Simple warnings do not suggest good alternatives
Related Work (1/2)
Dynamic Security Skins [R. Dhamija et al., "The Battle Against Phishing: Dynamic Security Skins" (SOUPS '05)]
Visual difference: uses a randomly generated visual hash so the user can tell a genuine window from a spoofed one
Limitations
Burden on users: they must notice the visual difference themselves
Related Work (2/2)
SpoofGuard [N. Chou et al., "Client-side defense against web-based identity theft" (NDSS '04)]
Heuristics: calculates a spoof index from several page features
Warns the user when a page has a high probability of being a spoof
Limitations
High false-positive rate: many unnecessary warnings, which users learn to ignore
Web Wallet: Design Principles (1/2)
Get the user's intention
The user interface should bridge the gap between the user's mental model and the system model (the browser)
Help users transfer their real intention to the browser
For submitted data, the browser needs to know:
Data type: sensitive or not?
Data recipient: which site?
Provide a dedicated interface for submitting sensitive information
Check whether the current site is good enough (the site the user actually intends) before submitting
Web Wallet: Design Principles (2/2)
Integrate security into the workflow
Disable the sensitive input fields in web forms, so the Web Wallet becomes the only way to input sensitive data
Does not depend on users remembering to use it
Incorporate security questions by helping users achieve their goals instead of stopping them
Do not use a generic warning ("Are you sure?")
Instead, show the user a list of sites and let her choose the intended one
Web Wallet: User Interface (1/5)
Form annotation
Uses a Naïve Bayesian classifier and a Hidden Markov Model to find login forms
Detected login forms are disabled and a login card is provided instead
Security key
Pressing the F2 key opens the Web Wallet
The user simply browses to the site and presses F2 to log in
The gesture becomes habitual
Web Wallet: User Interface (2/5)
Browser sidebar
Card presentation
Card folder: encrypted with a master password
Stored card: if a stored card matches the web page's request, it is presented for the user to submit
Web Wallet: User Interface (3/5)
Browser sidebar
New login card: if no stored card matches the web page's request, a new login card is shown
Shows the domain name and the site description
"Save Card" checkbox
Web Wallet: User Interface (4/5)
Confirmation interface
Shown when the site is untrusted and the user has not logged in to it before
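The sidebar logic described on the last three slides (annotate the form, find the data recipient, match it against the card folder, then show a stored card, a new login card or the confirmation interface) as an added example; this is not code from the paper or its prototype. It is pure JavaScript over plain objects so it runs in Node without a DOM. Assumptions: a regular expression on field names stands in for the paper's Naïve Bayes + HMM form annotation, the "registrable domain" is approximated by the last two host labels, the site list order (current site first) follows the modified interface, and the `crossSitePost` flag is an addition not in the paper. The card folder, trusted-site list, page URLs and form fields are constructed sample data.

```javascript
// Added example (not from the Web Wallet paper or its prototype): the decision
// logic a Web Wallet-style sidebar runs when a page contains a form.
// A real extension would build `form` from the document, disable the fields in
// `fieldsToDisable`, and render the returned action in the sidebar.

// Heuristic stand-in for the paper's Naive Bayes + HMM form annotation:
// a field is sensitive if it is a password input or its name/label looks like one.
const SENSITIVE_RE = /pass|pwd|ssn|cvv|secret/i;

function isSensitiveField(field) {
  if (field.type === "password") return true;
  return SENSITIVE_RE.test(field.name || "") || SENSITIVE_RE.test(field.label || "");
}

// The recipient of the data is the host the form posts to, resolved against the
// page URL (the action may be relative); it need not be the host in the address bar.
function recipientHost(pageUrl, formAction) {
  return new URL(formAction || "", pageUrl).hostname.toLowerCase();
}

// Simplification (assumption): registrable domain = last two labels.
// A production implementation should consult the public suffix list (e.g. co.uk).
function registrableDomain(host) {
  const labels = host.split(".");
  return labels.length <= 2 ? host : labels.slice(-2).join(".");
}

// Annotate a form: which fields to disable and which domain will receive the data.
function annotateForm(pageUrl, form) {
  const sensitive = form.fields.filter(isSensitiveField).map((f) => f.name);
  return {
    isLoginForm: sensitive.length > 0,
    fieldsToDisable: sensitive,
    recipient: registrableDomain(recipientHost(pageUrl, form.action)),
    pageDomain: registrableDomain(new URL(pageUrl).hostname.toLowerCase()),
  };
}

// Decide what the sidebar shows. cardFolder holds the user's decrypted login
// cards; trustedSites holds domains the user has already confirmed.
function walletDecision(annotation, cardFolder, trustedSites) {
  const domain = annotation.recipient;
  const card = cardFolder.find((c) => c.domain === domain);
  if (card) {
    return { action: "present-stored-card", domain, username: card.username };
  }
  // Site list: the current recipient first (the modified interface's fix), then
  // every site the user already has a card for, so she picks the one she meant.
  const siteList = [domain, ...cardFolder.map((c) => c.domain).filter((d) => d !== domain)];
  return {
    action: trustedSites.includes(domain) ? "new-login-card" : "confirm-untrusted-site",
    domain,
    siteList,
    // Assumption beyond the paper: flag forms that post to a domain other than the page's.
    crossSitePost: annotation.pageDomain !== domain,
  };
}

function handleForm(pageUrl, form, cardFolder, trustedSites) {
  const annotation = annotateForm(pageUrl, form);
  if (!annotation.isLoginForm) return { action: "ignore", fieldsToDisable: [] };
  return { fieldsToDisable: annotation.fieldsToDisable, ...walletDecision(annotation, cardFolder, trustedSites) };
}

// Constructed sample data (not real accounts).
const cardFolder = [
  { domain: "paypal.com", username: "jsmith", password: "hunter2" },
  { domain: "amazon.com", username: "john.smith", password: "s3cret" },
];
const trustedSites = ["paypal.com", "amazon.com"];

// A phishing page on a look-alike host with a relative form action.
const phish = handleForm(
  "https://secure-paypal.example-login.net/signin",
  { action: "login.php", fields: [{ name: "email", type: "text" }, { name: "passwd", type: "password" }] },
  cardFolder,
  trustedSites,
);
console.log(JSON.stringify(phish, null, 2));
```

Running it prints the decision for the look-alike page: the password field is disabled, no card matches `example-login.net`, the site is not trusted, so the sidebar shows the confirmation interface with a site list that starts with the current site and is followed by `paypal.com` and `amazon.com`, the sites the user actually has cards for.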
Web Wallet: User Interface (5/5)
Negative visual feedback
Prevents the fake Web Wallet attack by differentiating the web content area from the local (browser chrome) interface
Evaluation (1/4)
Simulated attacks (with the Web Wallet feature meant to counter each)
Normal attack
Undetected-form attack: the Web Wallet fails to detect the login form; countered by negative visual feedback
Online-keyboard attack: bypasses the zooming character; countered by the flying icon
Fake-wallet attack: a fake wallet displayed by the web site; countered by negative visual feedback
Fake-suggestion attack: the user is led to choose the phishing site from the site list
Evaluation (2/4)
User study
21 subjects (14 / 7)
Subjects played the role of John Smith's assistant
Spoof rate: the fraction of simulated attacks that successfully obtain his information
Evaluation (3/4)
First interface
Problems: the site list did not include the current site
Users typed directly into the web form despite the warnings
Evaluation (4/4)
Modified interface
Improvements: the current site is added to the site list
A login card is always displayed
Conclusion
Web Wallet
Provides a dedicated interface for submitting sensitive information
Reduced the spoof rate of normal attacks from 63% to 7%
Makes itself an integrated part of the user's workflow, so the warning from the Web Wallet is no longer a weak signal
Encourages the user to choose her intended site using the site list
Discussion
Pros
Improves on existing anti-phishing tools: lower spoof rate
Eliminates unnecessary warnings
Lowers the burden on users
Trial and error
Cons
Undetected-form attack and fake-wallet attack: negative visual feedback is ineffective against them
Image recognition
Requires the user to press the F2 key
What kinds of attacks make up the remaining 7%?
Q & A