Web Wallet: Preventing Phishing Attacks by Revealing User Intentions


10/20/2009
Loomi Liao






• The problems
• Some anti-phishing solutions
• The Web Wallet solutions
• The Web Wallet User Interface
• User study
• Discussion

Phishing is a semantic attack: it exploits the gap between the user’s intentions and the system’s operation.

A site’s appearance does not reliably reflect the site’s true identity.

What the user judges by:
• Look and feel
• Semantic meaning of its content

What the browser can check:
• Correct URL
• SSL certificate
• Site registration information

The browser fails to give appropriate protection to the submission of sensitive data.

Locations of warning indicators:
• Peripheral area, or a centrally displayed web page

Security is not the user’s primary goal.

Sloppy but common web practices:
• Use IP addresses instead of hostnames
• Use a domain name that is different from the brand name
• Use non-SSL-protected login pages

No good alternatives are suggested to the user.

• Stop phishing at the email level
• Use security toolbars
• Visually differentiate phishing sites from the spoofed legitimate sites
• Two-factor authentication

Get the user’s intention:
• What is the data?
• Where will it go?

Integrate security into the workflow:
• Disable the web form fields so that the user is forced to activate Web Wallet
• Make Web Wallet the only affordance for input
• Make the user explicitly acknowledge and indicate their intended site





• SSL certificate
• Trusted third-party certificates
• Site popularity
• Site registration information
• Site category information
1. Form Annotation
2. Security Key
3. Browser Sidebar
4. Confirmation Interface
5. Negative Visual Feedback
   • Flying icon
   • Zooming character





• Normal phishing attack
• Undetected-form attack
• Online-keyboard attack
• Fake-wallet attack
• Fake-suggestion attack
[Figure: Spoof rates with and without the Web Wallet protection]

[Figure: Spoof rates of the five attacks in the Web Wallet test]
Effectively prevented:
• Normal phishing attack
• Online-keyboard attack
• Fake-suggestion attack

Not effectively prevented:
• Undetected-form attack
• Fake-wallet attack

Negative visual feedback fails.

Can users trust Web Wallet?
• A spoofed Web Wallet
• Failure to give correct suggestions

Can the security task be integrated into the workflow?
• Forcing users to use it by disabling the sensitive input fields
• Asking users to select their intended site

M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.