Presentation is loading. Please wait.

Presentation is loading. Please wait.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion."— Presentation transcript:

1 10/20/2009 Loomi Liao

2  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion 2

3  A semantic attack : it exploits the gap between user’s intentions and the system’s operation. 3

4  A site’s appearance does not reliably reflect the site’s true identity.  Browser fails to give appropriate protection to the sensitive data submission. User Look and Feel Semantic meaning of its content Browser Correct URL SSL Certificate Site registration information 4

5  Locations of warning indicators  Peripheral area or centrally displayed web page  Not user’s primary goal  Sloppy but common web practices  Use IP addresses instead of hostnames  Use a domain name that is different from their brand names  Use non-SSL protected login pages  No good alternatives suggested 5

6  Stop phishing at the email level  Use security toolbars  Visually differentiate the phishing sites from the spoofed legitimate sites  Two-factor authentication 6

7  Get the User's Intention  what is the data?  where will it go?  Integrate Security into the Workflow  Disable the web form fields so that the user is forced to activate Web Wallet  Make itself the only affordance for input  Makes user explicitly acknowledge and indicate their intended site 7

8  SSL certificate  Trusted third-party certificates  Site popularity  Site registration information  Site category information 8

9 1. Form Annotation 2. Security Key 3. Browser Sidebar 4. Confirmation Interface 5. Negative Visual Feedback Flying icon Zooming character 9

10  Normal Phishing Attack  Undetected-form Attack  Online-keyboard Attack  Fake-wallet Attack  Fake-suggestion Attack 10

11 Spoof rates with and without the Web Wallet protection Spoof rates of the five attacks in the Web Wallet test 11

12 12

13 Effectively prevent Normal phishing attack Online-keyboard attack Fake-suggestion attack Fail to effectively prevent Undetected-form attack Fake-wallet attack Negative visual feedback fails 13

14  Can users trust Web Wallet?  Spoofed Web Wallet  Fail to give correct suggestions  Can security task integrate into the workflow?  Forcing users to use it by disabling the sensitive input field  Asking users to select their intended site 14

15  M. Wu, R. Miller, and G. Little. Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. In Proceedings of the Symposium On Usable Privacy and Security 2006, Pittsburgh, PA, July 12-14, 2006.Web Wallet: Preventing Phishing Attacks by Revealing User Intentions 15

16 16

Download ppt "10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion."

Similar presentations

The Dirty Little Secret of the Internet Jothy Rosenberg Chief Technology Officer & Co-founder November 2001.

The Dirty Little Secret of the Internet Jothy Rosenberg Chief Technology Officer & Co-founder November 2001.
Why Eve & Mallory Love Android

Why Eve & Mallory Love Android
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)

- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW 2007 2008.09.09 Yue Zhang, Jason Hong, and Lorrie Cranor.

1 CANTINA : A Content-Based Approach to Detecting Phishing Web Sites WWW Yue Zhang, Jason Hong, and Lorrie Cranor.
Amir Herzberg and Ronen Margulies Bar Ilan University 1.

Amir Herzberg and Ronen Margulies Bar Ilan University 1.
C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.

C MU U sable P rivacy and S ecurity Laboratory Anti-Phishing Phil The Design and Evaluation of a Game That Teaches People Not to.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.

Usable Privacy and Security Carnegie Mellon University Spring 2007 Cranor/Hong 1 User Studies Motivation January.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.

Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.
June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.

June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.
Phishing – Read Behind The Lines Veljko Pejović

Phishing – Read Behind The Lines Veljko Pejović
Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.

Trustworthy User Interface Design: Dynamic Security Skins Rachna Dhamija and J.D. Tygar University of California, Berkeley TIPPI Workshop June 13, 2005.
Delayed Password Disclosure Mutual Authentication to Fight Phishing Steve Myers Indiana University, Bloomington Joint work with: Markus Jakobsson Indiana.

Delayed Password Disclosure Mutual Authentication to Fight Phishing Steve Myers Indiana University, Bloomington Joint work with: Markus Jakobsson Indiana.

Similar presentations

Ads by Google