
1 Usable Privacy and Security: Protecting People from Online Phishing Scams
Alessandro Acquisti, Lorrie Cranor, Julie Downs, Jason Hong, Norman Sadeh
Carnegie Mellon University

2 Everyday Security Problems Install this software?

3 Everyday Security Problems: Setting File Permissions
In 2003, one Senate Judiciary staffer found that files were readable to all users, rather than just to Democrats or Republicans
See Reeder et al., CHI 2008

4 Everyday Security Problems Many Laptops with Sensitive Data being Lost or Stolen

5 Costs of Unusable Privacy & Security
High
Spyware, viruses, worms
Too many passwords!!!
People not updating software with patches
Firewalls, WiFi boxes, and other systems easily misconfigured
Less potential adoption of ubicomp systems (e.g. location-based services)

6 Usable Privacy and Security
“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”
– Grand Challenges in Information Security & Assurance, Computing Research Association (2003)
More research needed on how “cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches.”
– Grand Challenges for Engineering, National Academy of Engineering (2008)

7 Everyday Privacy and Security Problem

8 This entire process is known as phishing

9 Phishing is a Plague on the Internet
Estimated $350m-$3b direct losses a year
– Does not include damage to reputation, lost sales, etc.
– Does not include response costs (call centers, recovery)
– Rapidly growing
Spear-phishing and whaling attacks escalating
– Steal sensitive corporate or military information

11 Phishing Becoming Pervasive
Universities
Online social networking sites (Facebook, MySpace)
Social media (Twitter, World of Warcraft)

12 Project: Supporting Trust Decisions
Goal: help people make better online trust decisions
– Specifically in context of anti-phishing
Large multi-disciplinary team project at CMU
– Economics, computer science, public policy, human-computer interaction, social and decision sciences, machine learning, computer security

13 Our Multi-Pronged Approach
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
Automate where possible, support where necessary

14 Impact of Our Work
Game teaching people about phish played 100k times, featured in over 20 media articles
Study on browser warnings -> Internet Explorer 8
Our filter is labeling several million emails per day
Our evaluation of anti-phishing toolbars cited by several companies, presented to Anti-Phishing Working Group (APWG)
PhishGuru embedded training has undergone field trials at three companies, variant in use by large email provider, and used in APWG’s takedown page

15 Our Multi-Pronged Approach
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
What do users know about phishing? Why do they fall for phish?

16 Interview Study
Interviewed 40 Internet users (35 non-experts)
“Mental models” interviews included email role play and open-ended questions
Brief overview of results (see papers for details)
J. Downs et al. Decision Strategies and Susceptibility to Phishing. Symposium on Usable Privacy and Security 2006.
J. Downs et al. Behavioral Response to Phishing Risk. eCrime 2007.

17 Little Knowledge of Phishing
Only about half knew meaning of the term “phishing”
“Something to do with the band Phish, I take it.”

18 Little Attention Paid to URLs
Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
Most did not consider them to be suspicious

19 Some Knowledge of Scams
55% of participants reported being cautious when email asks for sensitive financial info
– But very few reported being suspicious of email asking for passwords
Knowledge of financial phish reduced likelihood of falling for these scams
– But did not transfer to other scams, such as an amazon.com password phish

20 Naive Evaluation Strategies
The most frequent strategies don’t help much in identifying phish
– This email appears to be for me
– It’s normal to hear from companies you do business with
– Reputable companies will send emails
“I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again.”

21 Summary of Findings
People generally not good at identifying scams they haven’t specifically seen before
People don’t use good strategies to protect themselves

22 Outline
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
How to train people not to fall for phish?

23 PhishGuru Embedded Training
A lot of training materials are boring and/or ignored
Can we “train” people during their normal use of email to avoid phishing attacks?
– Periodically, people get sent a training email by admins
– Training email looks same as a phishing attack
– If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format

24 Everyday Privacy and Security Problem

26 Learning science principles
Learning by Doing
Immediate feedback
Conceptual-Procedural Knowledge

27 Evaluation of PhishGuru
Is embedded training effective? Yes!
– Study 1: Lab study, 30 participants
– Study 2: Lab study, 42 participants
– Study 3: Field evaluation at company, ~300 participants
– Study 4: Ongoing at CMU, ~500 participants
Will highlight first two studies
P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.

28 Intervention #1 – Diagram

29 Explains why they are seeing this message

30 Intervention #1 – Diagram Explains what a phishing scam is

31 Intervention #1 – Diagram Explains how to identify a phishing scam

32 Intervention #1 – Diagram Explains simple things you can do to protect self

33 Intervention #2 – Comic Strip

36 Embedded Training Evaluation #1
Lab study comparing our prototypes to standard security notices
– Group A – Standard eBay, PayPal notices
– Group B – Diagram that explains phishing
– Group C – Comic strip that tells a story
10 participants in each condition (30 total)
– Screened so we only have novices
Go through 19 emails, 4 phishing attacks scattered throughout, 2 training emails too
– Role play as Bobby Smith at Cognix Inc

37 Embedded Training Results

38 Existing practice of security notices not effective
Diagram intervention somewhat better
– Though people still fell for final phish
Comic strip intervention worked best
– Statistically significant
– Combination of less text, graphics, story

39 Evaluation #2
New questions:
– Have to fall for phishing email to be effective?
– How well do people retain knowledge?
Roughly same experimental protocol as before
– Role play as Bobby Smith at Cognix Inc, go through 16 emails
Embedded condition means have to fall for our email
Non-embedded means we just send the comic strip
Suspicion means got a warning about phish from friend
Control means they got no warnings or training
– Also had people come back after 1 week

41 Results of Evaluation #2
Have to fall for phishing email to be effective?
How well do people retain knowledge after a week?

44 Discussion of PhishGuru
Act of falling for phish is teachable moment
– Just sending intervention not effective
PhishGuru can teach people to identify phish better
– People retain the knowledge well
– People aren’t resentful, many happy to have learned
68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future
“I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”

45 APWG Landing Page
CMU helped Anti-Phishing Working Group develop landing page for phishing sites taken down
Also a new data source for us
– How long people keep going to phishing sites, where from

46 Phishguru.org Our site to teach general public more about phishing

47 Anti-Phishing Phil
A game to teach people not to fall for phish
– Embedded training about email, this game about web browser
– Based on learning science
Goals
– How to parse URLs
– Where to look for URLs
– Use search engines for help
Try the game!
– http://cups.cs.cmu.edu/antiphishing_phil
S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.

48 Anti-Phishing Phil

54 Evaluation of Anti-Phishing Phil
Is Phil effective?
Study 1: 56 people in lab study
Study 1 protocol
– Label 10 web sites as phish or legitimate
– For 15 minutes (four conditions):
  Read printed materials on training
  Read printed copies of Phil’s tutorials
  Play Anti-Phishing Phil
  Check email or play solitaire (control)
– Label 10 more web sites

55 Anti-Phishing Phil: Study 1 No statistical difference in false negatives (calling phish legitimate) between first three conditions

56 Anti-Phishing Phil: Study 1 Our game has significantly fewer false positives (labeling legitimate site as phish)

57 Evaluation of Anti-Phishing Phil
Study 2: 4517 participants in field trial
– Randomly selected from 80000 people
Conditions
– Control: Label 12 sites then play game
– Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total)
Participants
– 2021 people in game condition, 674 did retention portion

58 Anti-Phishing Phil: Study 2 Novices showed most improvement in false negatives (calling phish legitimate)

59 Anti-Phishing Phil: Study 2 Improvement all around for false positives

60 Discussion of Anti-Phishing Phil
For false negatives, Phil at least as effective as existing training, but much more fun
Much better in terms of false positive rate
– Don’t want people to delete all mails from Citibank
– Just telling people about phish tends to make them paranoid, without ability to differentiate

61 Outline
Human side
– Interviews to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
Do people see, understand, and believe web browser warnings?

62 Screenshots Internet Explorer – Passive Warning

63 Screenshots Internet Explorer – Active Block

64 Screenshots Mozilla FireFox – Active Block

65 How Effective are these Warnings?
Tested four conditions
– FireFox Active Block
– IE Active Block
– IE Passive Warning
– Control (no warnings or blocks)
“Shopping Study”
– Set up some fake phishing pages and added to blacklists
– We phished users after purchases (2 phish/user)
– Real email accounts and personal information
S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.

66 How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds

67 How Effective are these Warnings?

68 Discussion of Phish Warnings
Nearly everyone will fall for highly contextual phish
Passive IE warning failed for many reasons
– Didn’t interrupt the main task
– Slow to appear (up to 5 seconds)
– Not clear what the right action was
– Looked too much like other ignorable warnings (habituation)
– Bug in implementation, any keystroke dismisses

69 Screenshots Internet Explorer – Passive Warning

70 Discussion of Phish Warnings
Active IE warnings
– Most saw but did not believe it
“Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad”
– Some element of habituation (looks like other warnings)
– Saw two pathological cases

71 Screenshots Internet Explorer – Active Block

72 Internet Explorer 8 Re-design

73 A Science of Warnings
See the warning? Understand? Believe it? Motivated?
Refining this model for computer warnings

74 Outline
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
Can we automatically detect phish emails?

75 PILFER Email Anti-Phishing Filter
Goal: Create email filter that detects phishing emails
– Spam filters well-explored, but how good for phishing?
– Can we do better?
Example heuristics combined in Random Forest
– IP addresses in link (http://128.23.34.45/blah)
– Age of linked-to domains (younger domains likely phishing)
– Non-matching URLs (ex. most links point to PayPal)
– “Click here to restore your account”
I. Fette, N. Sadeh, A. Tomasic. Learning to Detect Phishing Emails. In WWW 2007.
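As an added illustration of the four heuristics listed on this slide (not PILFER's own code), the following extracts those features from one constructed HTML email; the stand-in WHOIS table, the sample message and its dates are all constructed for the example, and the Random Forest that PILFER trains on such features is left out.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Feature extraction only: PILFER feeds features like these to a Random Forest.
# DOMAIN_CREATED stands in for a WHOIS lookup (constructed dates).
DOMAIN_CREATED = {
    "paypal.com": date(1999, 7, 15),
    "paypa1-secure.net": date(2007, 3, 1),   # registered four days before SAMPLE_TODAY
}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME_RE = re.compile(r"[\w.-]+\.(?:com|net|org)", re.I)


def extract_features(html, today):
    """PILFER-style phishing features for one HTML email body."""
    links = LINK_RE.findall(html)
    hosts = [urlparse(href).hostname or "" for href, _ in links]

    # 1. Links whose host is a raw IP address, e.g. http://128.23.34.45/blah
    ip_links = sum(1 for h in hosts if IPV4_HOST_RE.match(h))

    # 2. Age in days of the youngest linked-to domain we can date
    ages = [(today - DOMAIN_CREATED[h]).days for h in hosts if h in DOMAIN_CREATED]
    youngest_age = min(ages) if ages else None

    # 3. Non-matching URLs: the visible text names a host, the href goes elsewhere
    mismatches = 0
    for (href, text), host in zip(links, hosts):
        named = [n.lower() for n in HOSTNAME_RE.findall(text)]
        if any(n != host.lower() for n in named):
            mismatches += 1

    # 4. The "click here to restore your account" lure phrase
    lure = bool(re.search(r"click here to restore your account", html, re.I))

    return {"ip_links": ip_links, "youngest_domain_age_days": youngest_age,
            "nonmatching_urls": mismatches, "restore_account_phrase": lure,
            "num_links": len(links)}


# Constructed sample: a lure link to a days-old look-alike domain plus a
# link whose text says paypal.com but whose target is a bare IP address.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p><a href="http://paypa1-secure.net/login">Click here to restore your account</a>
at <a href="http://128.23.34.45/blah">paypal.com</a>.</p>"""
SAMPLE_TODAY = date(2007, 3, 5)

if __name__ == "__main__":
    print(extract_features(SAMPLE_EMAIL, SAMPLE_TODAY))
```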

76 PILFER Evaluation
PILFER better at detecting phish, few false positives
Implemented as a SpamAssassin plugin
Large-scale field trial underway
– Millions of emails per day
– Currently evaluating effectiveness of filter

77 Outline
Human side
– Interviews and surveys to understand decision-making
– PhishGuru embedded training
– Anti-Phishing Phil game
– Understanding effectiveness of browser warnings
Computer side
– PILFER email anti-phishing filter
– CANTINA web anti-phishing algorithm
– Machine learning of blacklists
Can we improve phish detection of web sites?

78 Detecting Phishing Web Sites
Industry uses blacklists to label phishing sites
– But blacklists slow to new attacks
Idea: Use search engines
– Scammers often directly copy web pages
– But fake pages should have low PageRank on search engines
– Generate text-based “fingerprint” of web page keywords and send to a search engine
Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007.
Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007.
G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.

79 Robust Hyperlinks
Developed by Phelps and Wilensky to solve “404 not found” problem
Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed
– Ex. http://abc.com/page.html?sig=“word1+word2+...+word5”
How to generate signature?
– Found that TF-IDF was fairly effective
Informal evaluation found five words was sufficient for most web pages
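Added example (not the CANTINA or Robust Hyperlinks projects' own code) covering both the fingerprint idea of slide 78 and the TF-IDF lexical signature of slide 79: rank a page's words by TF-IDF, keep the top five, then ask whether the page's own domain appears in the search hits for that signature. The two pages, the small corpus and the search-engine results are all constructed; a copied page yields the same five words, so the domain check is what separates real from fake.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

STOPWORDS = {"the", "to", "a", "and", "or", "of", "your", "you", "in", "is", "for", "on"}


def tokenize(text):
    return [w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS]


def lexical_signature(page, corpus, k=5):
    """Top-k TF-IDF terms of `page`; `corpus` supplies the document frequencies."""
    docs = [set(tokenize(d)) for d in corpus]
    df = Counter(t for d in docs for t in d)
    terms = tokenize(page)
    tf = Counter(terms)
    scores = {}
    for term, count in tf.items():
        # Smoothed IDF: a term present in every document still gets a positive weight
        idf = math.log((1 + len(docs)) / (1 + df[term])) + 1
        scores[term] = count / len(terms) * idf
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))  # score desc, then alpha
    return [t for t, _ in ranked[:k]]


def looks_legitimate(page_url, page, corpus, search_results, top_n=30):
    """CANTINA-style check: the page's domain must rank among the top-N search
    hits for its own signature (the search engine is a constructed lookup table)."""
    query = "+".join(lexical_signature(page, corpus))
    hits = search_results.get(query, [])[:top_n]
    return (urlparse(page_url).hostname or "") in hits


# Constructed pages and corpus; the "fake" is a copy of the real text plus a lure line.
REAL_EBAY = ("eBay: Sign in. Sign in to eBay with your eBay user ID and password. "
             "Forgot your user ID? Forgot your password? Help: get help with sign in to eBay.")
FAKE_EBAY = REAL_EBAY + " Enter details to unlock."
CORPUS = [
    REAL_EBAY,
    "Bank of Example online banking: enter your online ID and password. Password reset. Bank with us.",
    "Amazon sign in: enter your ID (e-mail address) and password. New customer? Start here. Password help.",
    "Example News: today's headlines. Read more with our subscription.",
]
# Constructed search results: which domains rank for the eBay signature
SEARCH_RESULTS = {"ebay+sign+forgot+user+help": ["ebay.com", "signin.ebay.com"]}

if __name__ == "__main__":
    print(lexical_signature(REAL_EBAY, CORPUS))
    print(looks_legitimate("http://signin.ebay.com/login", REAL_EBAY, CORPUS, SEARCH_RESULTS))
    print(looks_legitimate("http://ebay-signin.example.net/update", FAKE_EBAY, CORPUS, SEARCH_RESULTS))
```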

80 Fake eBay, user, sign, help, forgot

81 Real eBay, user, sign, help, forgot

84 Evaluating CANTINA PhishTank

85 Our Ongoing Work in Anti-Phishing
Machine Learning of Blacklists
– Given blacklists of URLs, can we apply content-based and URL-based approaches to accurately detect new phish?
Blacklists can be thought of as labeled data
– Early results show 87% true positive rate and 0.04% false positives, far better than any other heuristics
Social Web + Machine Learning
– PhishTank is a community site where people can submit and verify phish, five votes to verify
– Can we use machine learning approaches to augment people’s votes?
– Currently collecting data through Mechanical Turk

86 Summary
Usable Privacy and Security
– Grand challenge for computer science
Whirlwind tour of our work on anti-phishing
– Human side: effective training mechanisms
– Computer side: better algorithms for detecting phish
Lots more info at cups.cs.cmu.edu

87 Acknowledgments
Alessandro Acquisti, Lorrie Cranor, Sven Dietrich, Julie Downs, Serge Egelman, Ian Fette, Mandy Holbrook, Ponnurangam Kumaraguru, Bryant Magnien, Elizabeth Nunge, Yong Rhee, Norman Sadeh, Steve Sheng, Anthony Tomasic, Umut Topkara, Yue Zhang
Supported by NSF, ARO, CyLab, Portugal Telecom

88 CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
