10/20/2009 Loomi Liao Web Wallet Preventing Phishing Attacks by Revealing User Intentions
Agenda • The problems • Some anti-phishing solutions • The Web Wallet solutions • The Web Wallet User Interface • User study • Discussion
Phishing Attacks • A semantic attack: it exploits the gap between user’s intentions and the system’s operation.
What makes phishing attacks hard to prevent? • A site’s appearance does not reliably reflect the site’s true identity. • Browser fails to give appropriate protection to the sensitive data submission.
Why many proposed anti-phishing solutions are ineffective? • Locations of warning indicators • Peripheral area or centrally displayed web page • Not user’s primary goal • Sloppy but common web practices • Use IP addresses instead of hostnames • Use a domain name that is different from their brand names • Use non-SSL protected login pages • No good alternatives suggested
Some Anti-Phishing Solutions • Stop phishing at the email level • Use security toolbars • Visually differentiate the phishing sites from the spoofed legitimate sites • Two-factor authentication
Design Principles of the Web Wallet • Get the User's Intention • what is the data? • where will it go? • Integrate Security into the Workflow • Disable the web form fields so that the user is forced to activate Web Wallet • Make itself the only affordance for input • Makes user explicitly acknowledge and indicate their intended site
Web Site Trust Analysis • SSL certificate • Trusted third-party certificates • Site popularity • Site registration information • Site category information
Web Wallet • Form Annotation • Security Key • Browser Sidebar • Confirmation • Interface • Negative Visual • Feedback Flying icon Zooming character
Five Simulated Phishing Attacks • Normal Phishing Attack • Undetected-form Attack • Online-keyboard Attack • Fake-wallet Attack • Fake-suggestion Attack
User Study on Web Wallet Spoof rates with and without the Web Wallet protection Spoof rates of the five attacks in the Web Wallet test
How well does the Web Wallet work? Negative visual feedback fails
Discussion • Can users trust Web Wallet? • Spoofed Web Wallet • Fail to give correct suggestions • Can security task integrate into the workflow? • Forcing users to use it by disabling the sensitive input field • Asking users to select their intended site
Reference • M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.