Web Wallet: Preventing Phishing Attacks by Revealing User Intentions
10/20/2009
Loomi Liao
The problems
Some anti-phishing solutions
The Web Wallet solutions
The Web Wallet User Interface
User study
Discussion
2
A semantic attack: it exploits the gap between the user’s intentions and the system’s operation.
3
A site’s appearance does not reliably reflect the site’s true identity.
User:
• Look and Feel
• Semantic meaning of its content
Browser:
• Correct URL
• SSL Certificate
• Site registration information
Browser fails to give appropriate protection to the sensitive data submission.
4
Locations of warning indicators: peripheral area or centrally displayed web page; not the user’s primary goal
Sloppy but common web practices:
• Use IP addresses instead of hostnames
• Use a domain name that is different from their brand names
• Use non-SSL protected login pages
No good alternatives suggested
5
Stop phishing at the email level
Use security toolbars
Visually differentiate the phishing sites from the spoofed legitimate sites
Two-factor authentication
6
Get the User's Intention
• What is the data?
• Where will it go?
Integrate Security into the Workflow
• Disable the web form fields so that the user is forced to activate Web Wallet
• Make itself the only affordance for input
• Make the user explicitly acknowledge and indicate their intended site
7
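The mechanism described on this slide (take over the sensitive fields so the wallet is the only input path, then compare where the form really submits with the site the user explicitly indicated) and the sloppy practices listed under the problems (IP-address hosts, non-SSL login pages), worked through as an added example in plain JavaScript. This is not code from the Web Wallet project or from the slides: forms are modelled as plain objects instead of a live DOM, and the sample pages, the field-name hints and the two-label registrable-domain rule are assumptions made for the example.

```javascript
// Added example, not Web Wallet's own code. A page's forms are modelled as
// plain objects so the logic runs without a browser DOM.

// Input types and name hints treated as sensitive (assumed list for the example).
const SENSITIVE_TYPES = new Set(["password"]);
const SENSITIVE_NAME_HINTS = /pass|pwd|card|cvv|ssn/i;

// Step 1, "what is the data?": find the fields the wallet must take over.
function sensitiveFields(form) {
  return form.fields.filter(
    (f) => SENSITIVE_TYPES.has(f.type) || SENSITIVE_NAME_HINTS.test(f.name)
  );
}

// Step 2, make the wallet the only affordance: disable the page's own inputs
// for the sensitive data so they can no longer collect it. Returns the names
// of the fields that were disabled.
function disableSensitiveFields(form) {
  const taken = sensitiveFields(form);
  for (const f of taken) f.disabled = true;
  return taken.map((f) => f.name);
}

// Naive registrable domain: last two labels. Real code would consult a
// public-suffix list; the two-label rule is an assumption for the example.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Dotted IPv4 or bracketed IPv6 literal used as a host.
function isIpAddress(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[");
}

// Step 3, "where will it go?": resolve the form's real destination against the
// page URL and compare it with the site the user explicitly indicated. The
// warnings mirror the slides: non-SSL submission, IP-address host, and a
// destination that is not the intended site.
function checkDestination(form, intendedSite) {
  const action = new URL(form.action, form.pageUrl);
  const intended = new URL(intendedSite);
  const warnings = [];
  if (action.protocol !== "https:") warnings.push("non-https-submission");
  if (isIpAddress(action.hostname)) warnings.push("ip-address-host");
  if (registrableDomain(action.hostname) !== registrableDomain(intended.hostname)) {
    warnings.push("destination-differs-from-intended-site");
  }
  return {
    destination: action.hostname,
    intended: intended.hostname,
    warnings,
    ok: warnings.length === 0,
  };
}

// Constructed sample pages (hostnames and the 192.0.2.0/24 documentation
// address are made up for the example).
const legitimateLogin = {
  pageUrl: "https://www.example-bank.com/login",
  action: "/session",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "password" }],
};

const lookalikeLogin = {
  pageUrl: "http://192.0.2.10/example-bank/login.html",
  action: "http://192.0.2.10/collect.php",
  fields: [{ name: "user", type: "text" }, { name: "pass", type: "password" }],
};

// Run both pages through the wallet with the same user-indicated intended site.
function demo(intendedSite = "https://www.example-bank.com") {
  const results = {};
  for (const [name, form] of Object.entries({ legitimateLogin, lookalikeLogin })) {
    const disabled = disableSensitiveFields(form);
    results[name] = { disabled, ...checkDestination(form, intendedSite) };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The legitimate page produces no warnings and the look-alike page produces all three. Note what the field detection does not cover: a sensitive value collected through a plain text input with an unrecognised name is not taken over at all, which is the undetected-form weakness the user study reports later in the deck.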
SSL certificate
Trusted third-party certificates
Site popularity
Site registration information
Site category information
8
1. Form Annotation
2. Security Key
3. Browser Sidebar
4. Confirmation Interface
5. Negative Visual Feedback: flying icon, zooming character
9
Normal Phishing Attack
Undetected-form Attack
Online-keyboard Attack
Fake-wallet Attack
Fake-suggestion Attack
10
Spoof rates with and without the Web Wallet protection
Spoof rates of the five attacks in the Web Wallet test
11
12
Effectively prevent:
• Normal phishing attack
• Online-keyboard attack
• Fake-suggestion attack
Fail to effectively prevent:
• Undetected-form attack
• Fake-wallet attack
Negative visual feedback fails
13
Can users trust Web Wallet?
• Spoofed Web Wallet
• Fail to give correct suggestions
Can the security task integrate into the workflow?
• Forcing users to use it by disabling the sensitive input field
• Asking users to select their intended site
14
M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.