Min Wu
ABSTRACT
We introduce a new anti-phishing solution, the Web Wallet. The Web Wallet is a browser sidebar which users can use to submit their sensitive information online. It detects phishing attacks by determining where users intend to submit their information and suggests an alternative safe path to their intended site if the current site does not match it. It integrates security questions into the user's workflow so that its protection cannot be ignored by the user. We conducted a user study on the Web Wallet prototype and found that the Web Wallet is a promising approach. In the study, it significantly decreased the spoof rate of typical phishing attacks from 63% to 7%, and it effectively prevented all phishing attacks as long as it was used. A majority of the subjects successfully learned to depend on the Web Wallet to submit their login information. However, the study also found that spoofing the Web Wallet interface itself was an effective attack. Moreover, it was not easy to completely stop all subjects from typing sensitive information directly into web forms.
- Adida, B., Hohenberger, S., Rivest, R. Lightweight Encryption for Email. USENIX Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005. Google Scholar
Digital Library
- Anti-Phishing Working Group. Phishing Activity Trends Report, December 2005. http://antiphishing.org/reports/apwg_report_DEC2005_FINAL.pdfGoogle Scholar
- Behera, P., Agarwal, N. A confidence model for web browsing. Toward a More Secure Web - W3C Workshop on Transparency and Usability of Web Authentication, 2006.Google Scholar
- Cameron, K., Johns, M. Design Rationale behind the Identity Metasystem Architecture.2006. http://www.identityblog.com/wp-content/resources/design_rationale.pdfGoogle Scholar
- Dhamija, R., Tygar, J. D. The Battle Against Phishing: Dynamic Security Skins. SOUPS 2005. Google ScholarDigital Library
- Emigh, A. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasure, ITTC Report on Online Identity Theft Technology and Countermeasures. October 3, 2005.Google Scholar
- Emigh, A. Trusted Path in Heterogeneous Environments. 1st TIPPI Workshop, 2005.Google Scholar
- FDIC. Putting an End to Account-Hijacking Identity Theft. 2004. http://www.fdic.gov/consumers/consumer/idtheftstudy/identity_theft.pdfGoogle Scholar
- Felten, E. W., Balfanz, D., Dean, D., Wallach, D. S. Web Spoofing: An Internet Con Game. Proceedings of the 20th National Information Systems Security Conference, 1997Google Scholar
- Fight Identity Theft Blog. ING Direct Fights Keystroke Loggers. December 11, 2005. http://fightidentitytheft.com/blog/?p=23Google Scholar
- GeoTrust. TrustWatch Tools. http://www.trustwatch.com/Google Scholar
- Herzberg, A. The 'Unprotected Login' Inter-Net Fraud League (I-NFL) Hall of Shame.2005. http://www.cs.biu.ac.il/~herzbea//shame/Google Scholar
- Herzberg, A. TrustBar: Re-establishing Trust in the Web. 2006. http://www.cs.biu.ac.il/~herzbea/TrustBar/Google Scholar
- Jakobsson, M., Myers, S. Stealth Attacks and Delayed Password Disclosure. http://www.informatics.indiana.edu/markus/stealth-attacks.htmGoogle Scholar
- Johns, M. A. Guide to Supporting InfoCard v1.0 Within Web Applications and Browsers. March, 2006. http://www.identityblog.com/?page_id=412#infocardg_topic5aGoogle Scholar
- Krebs, B. The New Face of Phishing. The Washington Post. Feb 2006.Google Scholar
- Liu, W., Deng, X., Huang. G., Fu. A. Y. An Antiphishing Strategy Based on Visual Similarity Assessment. IEEE Internet Computing, Vol. 10, No. 2, pp. 58--65, March/April, 2006. Google ScholarDigital Library
- PassMark Security. Two-Factor Two-Way Authentication. http://www.passmarksecurity.com/Google Scholar
- Pettersson, J. et al. Making PRIME Usable. SOUPS, 2005. Google ScholarDigital Library
- Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J. Stronger Password Authentication Using Browser Extensions. Proceedings of the 14th Usenix Security Symposium, 2005. Google ScholarDigital Library
- Sharif, T. Phishing Filter in IE7, September 9, 2006. http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspxGoogle Scholar
- Treisman, A., Gormican, S. Feature analysis in early vision: Evidence from search asymmetries. Psychological Review, 95, 15--48. 1988.Google ScholarCross Ref
- W3C. Platform for Privacy Preferences (P3P) Project. http://www.w3.org/P3P/Google Scholar
- Wu, M. Fighting Phishing at the User Interface. PhD Thesis. MIT. 2006. Google ScholarDigital Library
- Wu, M., Garfinkel, S., Miller, R. Secure Web Authentication with Mobile Phones. DIMACS Workshop on Usable Privacy and Security Software, 2004.Google Scholar
- Wu, M., Miller, R., Garfinkel, S. Do Security Toolbars Actually Prevent Phishing Attacks? CHI 2006. Google ScholarDigital Library
- Ye, E., Smith, S. Trusted Paths for Browsers. Proceedings of the 11th USENIX Security Symposium, 2002. Google ScholarDigital Library
- Ye, E., Yuan Y., Smith, S. Web Spoofing Revisited: SSL and Beyond. Technical Report TR2002-417, 2002.Google Scholar
Index Terms
- Web wallet: preventing phishing attacks by revealing user intentions
Recommendations
Do security toolbars actually prevent phishing attacks?
CHI '06: Proceedings of the SIGCHI Conference on Human Factors in Computing SystemsSecurity toolbars in a web browser show security-related information about a website to help users detect phishing attacks. Because the toolbars are designed for humans to use, they should be evaluated for usability -- that is, whether these toolbars ...
Analytic Hierarchy Process (AHP) to Find Most Probable Web Attack on an E-Commerce Site
ICTCS '16: Proceedings of the Second International Conference on Information and Communication Technology for Competitive StrategiesAttackers are using various techniques to attack on an E-Commerce site; they do have various options to initiate attack. On other hand web administrators finding it difficult to prioritize the defense mechanism against each web attack. The Analytic ...
Designing Web Sites for Customer Loyalty Across Business Domains: A Multilevel Analysis
Web sites are important components of Internet strategy for organizations. This paper develops a theoretical model for understanding the effect of Web site design elements on customer loyalty to a Web site. We show the relevance of the business domain ...
Comments