Presentation is loading. Please wait.

Presentation is loading. Please wait.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Published byElla Bond Modified over 9 years ago

Similar presentations

Presentation on theme: "Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial."— Presentation transcript:

1 Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab

2 User Is Part Of System “ Weakest link ” in operational security systems If attackers can easily trick users into compromising their security, they do not have to try hard to directly attack the system. A typical attack: Phishing

3 Security Indicators “ Look for the lock at the bottom of your browser and ‘ https ’ in front of the website address. ”

4 Security Indicators “ Look for the lock at the bottom of your browser and ‘ https ’ in front of the website address. ”

5 More Security Indicators

6 Spoofstick

7 More Security Indicators Netcraft Toolbar

8 More Security Indicators Trustbar

9 More Security Indicators eBay Account Guard

10 More Security Indicators Spoofguard

11 Outline Introduction of security indicators  Anti-phishing user study Web authentication using cell phones Conclusions

12 Security Toolbar Abstractions SpoofStick Netcraft Toolbar eBay Account Guard SpoofGuard Neutral-Information Toolbar System-Decision Toolbar Positive-Information Toolbar TrustBar

13 Study Scenario We set up dummy accounts as John Smith at various websites “ You are the personal assistant of John Smith. John is on vacation now. During his vacation, he sometimes sends you emails asking you to do some tasks for him online. ” “ Here is John Smith ’ s profile. ”

14 Study Scenario Users dealt with 20 emails forwarded by John Smith. 5 emails were phishing emails. Most of the emails were about managing John ’ s wish lists at various sites

15

16 Main Frame

17 Address bar frame http://tigermail.co.kr/cgi-bin/webscrcmd_login.php

18 Toolbar frame Status bar frame

19 Attack Types 1. Similar-name attack 2. IP-address attack 3. Hijacked-server attack 4. Popup-window attack 5. Paypal attack bestbuy.com  www.bestbuy.com.ww2.us bestbuy.com  212.85.153.6 bestbuy.com  www.btinternet.com

20 Security Toolbar Display Legitimate Site Phishing Site vs.

21 Attack Pattern

22 Recruitment 30 users –Recruited at MIT, paid $15 for one hour –10 for each toolbar –Average age 27 [18-50] –14 females and 16 males –20 MIT students, 10 not Neutral-Information Toolbar System-Decision Toolbar Positive-Information Toolbar

23 Spoof Rates With Different Toolbars

24 Spoof Rates With Different Attacks p = 0.052 (ANOVA)

25 Why Did Users Get Fooled? 20 out of 30 got fooled by at least one attack. Among the 20 users –17 (85%) claimed web content is professional or familiar; 7 (35%) depended on security-related content –12 (60%) explained away odd behaviors “ I have been to sites that use plain IP addresses. ” “ Sometimes I go to a website, and it directs me to another site with a different address. ” “ Yahoo may have just opened a branch in Brazil and thus registered there. ” “ I must have mistakenly triggered the popup window. ”

26 Results Users did not rely on security indicators –Depended on web content instead –Cannot distinguish poorly designed websites from malicious phishing attacks

27 Outline Introduction of security indicators Anti-phishing user study  Web authentication using cell phones Authentication protocol User study An improved protocol Conclusions

28 Authentication Using Cell Phones Prevent people ’ s passwords from being captured by public computers Use trusted cell phone to authenticate login sessions from untrusted public computers Checking security indicator is part of the authentication protocol

29 Authentication Protocol

30 Login attempt

31 Authentication Protocol Login attempt “This login session is named ‘FAITH’.” “FAITH” “Do you approve login session named ‘FAITH’?” “FAITH”

32 Authentication Protocol Login attempt “This login session is named ‘FAITH’.” “FAITH” “Do you approve login session named ‘FAITH’?” “FAITH”

33 Authentication Protocol Login attempt “This login session is named ‘FAITH’.” “FAITH” “Do you approve login session named ‘FAITH’?” “FAITH” “I approve ‘FAITH’.”

34 Authentication Protocol Login attempt “This login session is named ‘FAITH’.” “FAITH” “Do you approve login session named ‘FAITH’?” “FAITH” Log in “I approve ‘FAITH’.”

35 User Interface

36 Attack Types Duplicated attackBlocking attack

37 User Study Log in to Amazon.com with a personal computer and a cell phone 6 logins in a row Attacks were randomly selected and assigned to the 5 th or the 6 th login 20 users –Recruited at MIT, paid $10 for one hour –Average age 25 [18 - 43] –9 females and 11 males –16 MIT students, 4 not

38 Results Duplicated attack: 36% (4 successful out of 11 attacks) –“ There must be a bug in the proxy since the session name displayed in the computer does not match the one in the cell phone. ” Blocking attack: 22% (2 successful out of 9 attacks) –“ The network connection must be really slow since the session name has not been displayed. ” Users failed to follow the protocol –Cannot distinguish system failures from malicious attacks

39 An Improved Protocol Thanks to Steve Strassman from Orange™

40 Under Attacks Duplicated AttackBlocking attack

41 Results Login by choosing a correct session name has zero spoof rate! –9 duplicated attacks and 11 blocking attacks –There was little chance that the attacker’s list included the user’s session name in the browser –Users were forced to attend to the security indicator

42 Conclusions Security indicator checking scheme fails –Users ignore advice (34% spoof rate) –Users do not follow instructions (30% spoof rate) –Users cannot distinguish “ bugs ” from “ attacks ” –Security indicator is not part of the user ’ s “ critical action sequence ”

43 Lesson Learned Moving the security indicator into the critical action sequence can better protect users

44 Users Cared About Security 18 out of 30 uncheck “ remember me ” 13 out of 30 logged out (or tried to) after at least one task

45 Legitimate Site Phishing Site

Download ppt "Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial."

Similar presentations

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.

1 CompChall: Addressing Password Guessing Attacks IAS, ITCC-2005, April 2005 CompChall: Addressing Password Guessing Attacks By Vipul Goyal OSP Global.
Online Privacy A Module of the CYC Course – Personal Security 8-9-10.

Online Privacy A Module of the CYC Course – Personal Security
Web Shift Booking System

Web Shift Booking System
Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.

Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.
Internet Safety Gleneagles Computer Club February 16, 2015 by Deborah Benson.

Internet Safety Gleneagles Computer Club February 16, 2015 by Deborah Benson.
1 Secure Interaction Design Kami Vaniea. 2 Overview Designing secure interfaces  Design principles Firefox extensions  Cookies  Phishing  Tracking.

1 Secure Interaction Design Kami Vaniea. 2 Overview Designing secure interfaces  Design principles Firefox extensions  Cookies  Phishing  Tracking.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
P ASSWORD S ECURITY. I F SOMEONE HAS YOUR PASSWORD, EITHER FROM YOU GIVING IT OUT OR THEM FIGURING OUT, THEY COULD : 1.Send abusive or threatening email.

P ASSWORD S ECURITY. I F SOMEONE HAS YOUR PASSWORD, EITHER FROM YOU GIVING IT OUT OR THEM FIGURING OUT, THEY COULD : 1.Send abusive or threatening .
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Learn to protect yourself... a 21 st Century Scam.. Phishing.

Learn to protect yourself... a 21 st Century Scam.. Phishing.
Jason Rich CIS - 158 1.  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.

Jason Rich CIS  The purpose of this project is to inform the audience about the act of phishing. Phishing is when fake websites are created.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.

June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.
Trust and Semantic Attacks- Phishing Hassan Takabi October 20, 2009.

Trust and Semantic Attacks- Phishing Hassan Takabi October 20, 2009.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Presented By Jay Dani.  Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine,

Presented By Jay Dani.  Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine,

Similar presentations

Ads by Google