Web Wallet: Preventing Phishing Attacks by Revealing User Intentions

Slide deck (34 slides), presented at TIPPI2, June 19, 2006.
1
Web Wallet: Preventing Phishing Attacks by
Revealing User Intentions
  • Rob Miller, Min Wu
  • User Interface Design Group, MIT CSAIL
  • Joint work with Simson Garfinkel, Greg Little

2
Do Security Indicators Work?
3
Security Indicators Don't Work
  • Users don't know what to trust
  • The web page often looks more credible than the
    indicator
  • Security is a secondary task
  • Users don't have to pay attention to the
    indicators, so they don't
  • Indicators aren't reliable
  • Sloppy but common web practices make them
    inaccurate
  • Current indicators only say "don't go there"
  • So where should I go instead?

4
Our Approach: Web Wallet
5
Outline
  • Security toolbar study (CHI 06)
  • Web Wallet (SOUPS 06)
  • Demo
  • Design principles
  • User study
  • Related work

6
Three Kinds of Toolbar Information
  • Neutral-information toolbar, e.g. SpoofStick,
    Netcraft Toolbar
7
Study Design
  • The study should reflect the secondary-goal
    property of security
  • In real life, security is rarely a user's primary
    goal
  • Users must be given tasks other than security
  • "In this study, you are the personal assistant
    for John Smith. Here are 20 forwarded emails from
    him."
  • Tasks involve security decisions
  • John's emails ask the user to manage his wish
    lists at various e-commerce sites, which require
    logging in to the sites

8
(No Transcript)
9
Phishing Attacks in the Study
  • 5 of the 20 emails are attacks, e.g.
  • Similar-name attack: bestbuy.com → www.bestbuy.com.ww2.us
  • IP-address attack: bestbuy.com → 212.85.153.6
  • Hijacked-server attack: bestbuy.com → www.btinternet.com
10
Results
(Chart: spoof rates for the three toolbar types:
neutral information, SSL verification, system decision)
11
Why Were Users Fooled?
  • Users explain away indicators of attacks
  • www.ssl-yahoo.com: "a subdirectory of Yahoo, like
    mail.yahoo.com"
  • sign.travelocity.com.zaga-zaga.us: "must be an
    outsourcing site for travelocity.com."
  • www.btinternet.com (phishing for buy.com):
    "sometimes I go to a website and the site directs
    me to another address which is different from the
    one I have typed."
  • 200.114.156.78: "I have been to sites that used
    IP addresses."
  • "Potential fraudulent site" warning: "it is
    triggered because the web content is informal,
    just like my spam filter says this email is
    probably a spam."
  • "New Site" / "BR": "Yahoo must have a branch in
    Brazil."

12
Why Were Users Fooled?
  • Users had the wrong security model
  • "The site is authentic because it has a privacy
    policy, VeriSign seal, contact information, and
    the submit button says 'sign in using our secure
    server'."
  • "If a site works well with all its links, then
    the site is authentic. I cannot imagine that an
    attacker will mirror a whole site."
  • Security was not the primary goal
  • "I noticed the warning. But I had to take the
    risk to get the task done."
  • "I did look at the toolbar but did not notice the
    warning under this attack."

13
Why Do Security Indicators Fail?
  • Attack is more credible than indicator
  • Web page has richer cues than browser toolbar
  • Security is a separate, secondary task
  • Primary task wins
  • Separate security task is ignored
  • Sloppy but common web practices allow the user to
    rationalize the attack
  • Users do not know how to correctly interpret the
    toolbar display
  • Advising the user not to proceed is not the right
    approach
  • We need to provide a safe path

14
Our Approach: Web Wallet
  • Redesign the browser UI so that the user's
    intention is clear
  • "Log in to bestbuy.com"
  • "Submit my credit card to amazon.com"
  • Block the action if the user's intention
    disagrees with its actual effect
  • But offer a safe path to the user's goal
  • Integrate security decisions into the user's
    workflow
  • So they can't be ignored
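
The intention-versus-effect check described on this slide, together with the three attack shapes from the study (slide 9), written out as an added example in JavaScript. It is not the Web Wallet's own code, which this transcript does not include. It assumes a hand-made public-suffix list in place of the real Public Suffix List and takes the intended domain over HTTPS as the safe path; the hostnames are the ones quoted on the slides, while the login URLs built around them are constructed.

```javascript
// Added illustration of the Web Wallet's core check, not code from the MIT
// project. Given the site the user says they mean and the URL a form would
// submit to, allow the submission when both name the same registrable domain;
// otherwise block it, label the mismatch with one of the study's three attack
// patterns, and point to a safe path.
// Assumptions: PUBLIC_SUFFIXES is a hand-made stand-in for the real Public
// Suffix List, and the safe path is simply the intended domain over HTTPS.

const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "us", "br", "com.br", "uk", "co.uk"]);

const IPV4 = /^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// Normalise "bestbuy.com", "https://www.bestbuy.com/login" or "212.85.153.6"
// to a lower-case hostname so intention and target are compared alike.
function hostOf(siteOrUrl) {
  const s = String(siteOrUrl).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : "http://" + s;
  return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
}

function isIpLiteral(host) {
  // WHATWG URL parsing keeps IPv6 literals bracketed in .hostname
  return IPV4.test(host) || host.startsWith("[");
}

// Registrable domain (eTLD+1): the label immediately left of the longest
// public suffix that matches the tail of the host.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host; // no known suffix (e.g. "localhost"): treat the whole host as the site
}

// Compare the user's stated intention with the actual effect of the submission.
function checkIntention(intendedSite, formActionUrl) {
  const intended = registrableDomain(hostOf(intendedSite));
  const host = hostOf(formActionUrl);
  const safePath = "https://" + intended + "/"; // assumption, see header comment
  if (isIpLiteral(host)) {
    return { verdict: "block", attack: "ip-address", host, intended, safePath };
  }
  const actual = registrableDomain(host);
  if (actual === intended) {
    return { verdict: "allow", attack: null, host, intended, safePath: null };
  }
  // The intended brand embedded in a host registered elsewhere
  // (bestbuy.com.ww2.us, ssl-yahoo.com) is a similar-name attack; a host that
  // bears no resemblance to the intention is a hijacked (or unrelated) server.
  const brand = intended.split(".")[0];
  const attack = host.includes(brand) ? "similar-name" : "hijacked-server";
  return { verdict: "block", attack, host, intended, safePath };
}

// Hostnames quoted on the slides (URLs around them constructed), plus one
// legitimate login for contrast.
const CASES = [
  ["bestbuy.com", "https://www.bestbuy.com/signin"],
  ["bestbuy.com", "http://www.bestbuy.com.ww2.us/login"],
  ["bestbuy.com", "http://212.85.153.6/"],
  ["bestbuy.com", "http://www.btinternet.com/~shop/bestbuy/"],
  ["yahoo.com", "https://www.ssl-yahoo.com/"],
];

for (const [intended, url] of CASES) {
  const r = checkIntention(intended, url);
  const tail = r.verdict === "allow" ? "" : ` (${r.attack}; safe path ${r.safePath})`;
  console.log(`${intended} -> ${r.host}: ${r.verdict}${tail}`);
}
```

Run it with node. The point of comparing registrable domains rather than hostnames or substrings is that www.bestbuy.com.ww2.us and www.ssl-yahoo.com both contain the brand the user expects, which is exactly the rationalization users offered on slide 11; only the eTLD+1 comparison makes the mismatch visible, and the check then has a concrete safe path to offer instead of a bare warning.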

15
Web Wallet
  • DEMO

16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
Web Wallet Design Principles
  • Determine the user's intention
  • Respect that intention

22
Design Principles
  • Integrate security UI into the user's workflow
  • Improve usability as well as security

23
Design Principles
  • Use comparisons to put information in context
  • Ask the user to choose, not just "are you sure?"

24
Web Wallet User Study
  • Same scenario as the toolbar study
  • No tutorial
  • 30 users
  • Internet Explorer alone (10 users)
  • Web Wallet (20 users)
  • 5 phishing attacks
  • IE group saw only similar-name attacks, e.g.
    bestbuy.com → www.bestbuy.com.ww2.us
  • Web Wallet group saw Wallet-specific attacks

25
Attacks Against the Web Wallet
  • 1. Normal attack
  • 2. Undetected-form attack
  • 3. Onscreen-keyboard attack

26
Attacks Against the Web Wallet
  • 4. Fake-wallet attack

27
Attacks Against the Web Wallet
  • 5. Fake-suggestion attack

28
Results
29
Which Features Helped?
  • Site description stopped 14 attacks (out of the
    22 attacks where it was seen)
  • Choosing interface stopped 14 (out of 14 attacks
    where seen)

30
Spoof Rate by Attack Type
31
Fake-Wallet Attack
  • Web Wallet utterly failed to prevent the
    fake-wallet attack (spoof rate 64%)
  • Users had the wrong mental model for the security
    key ("Press F2 before you do any sensitive data
    submission" vs. "Press F2 to open the Web Wallet")
  • Spoofing is still a problem, since the Web Wallet
    itself can be spoofed
  • Possible countermeasures: dynamic skin,
    personalized image, active observer?
32
Related Work
  • Dynamic security skins (Dhamija & Tygar)
  • Microsoft InfoCard (Cameron et al.)
  • PwdHash (Ross et al.)
  • Password Multiplier (Halderman et al.)
  • GeoTrust TrustWatch

33
Summary: Antiphishing UI Design Principles
  • Get the user's intention
  • Respect that intention
  • Integrate security decisions into the user's
    workflow
  • Compare-and-choose, don't just confirm
  • More information at http://uid.csail.mit.edu/