10/20/2009 Loomi Liao The problems Some anti-phishing solutions The Web Wallet solutions The Web Wallet User Interface User study Discussion 2 A semantic attack: it exploits the gap between user’s intentions and the system’s operation. 3 A site’s appearance does not reliably reflect the site’s true identity. User • Look and Feel • Semantic meaning of its content Browser • Correct URL • SSL Certificate • Site registration information Browser fails to give appropriate protection to the sensitive data submission. 4 Locations of warning indicators Peripheral area or centrally displayed web page Not user’s primary goal Sloppy but common web practices Use IP addresses instead of hostnames Use a domain name that is different from their brand names Use non-SSL protected login pages No good alternatives suggested 5 Stop phishing at the email level Use security toolbars Visually differentiate the phishing sites from the spoofed legitimate sites Two-factor authentication 6 Get the User's Intention what is the data? where will it go? Integrate Security into the Workflow Disable the web form fields so that the user is forced to activate Web Wallet Make itself the only affordance for input Makes user explicitly acknowledge and indicate their intended site 7 SSL certificate Trusted third-party certificates Site popularity Site registration information Site category information 8 1. Form Annotation 2. Security Key 3. Browser Sidebar 4. Confirmation Interface 5. Negative Visual Feedback Flying icon Zooming character 9 Normal Phishing Attack Undetected-form Attack Online-keyboard Attack Fake-wallet Attack Fake-suggestion Attack 10 Spoof rates with and without the Web Wallet protection Spoof rates of the five attacks in the Web Wallet test 11 12 Effectively prevent • Normal phishing attack • Online-keyboard attack • Fake-suggestion attack Fail to effectively prevent • Undetected-form attack • Fake-wallet attack Negative visual feedback fails 13 Can users trust Web Wallet? Spoofed Web Wallet Fail to give correct suggestions Can security task integrate into the workflow? Forcing users to use it by disabling the sensitive input field Asking users to select their intended site 14 M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006. 15 16