Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools.

Published byBeryl McGee Modified over 8 years ago

Similar presentations

Presentation on theme: "A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools."— Presentation transcript:

1

2 A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools Users divided into 3 groups to study effect of Extended Validation Certificates Phishing techniques - Picture-in-picture attack & Homograph attack included in study

3 The Threats o Picture-in-picture attack [1] o Homograph attack www.westpac.com compared to www.vvestpac.com What is a Phishing attack? Some Techniques of Phishing attack:

4 The Defences Phishing Filters The use of Extended Validation Certificates Security toolbars The use of HTTPS encryption (HTTP + SSL/TLS encryption)

5 The Usability Test 1. Participants familiarised themselves with websites they were tested on 2. Participants were then divided into 3 groups: a. The Trained group – Users had learnt about Extended Validation Certificates and other security features found in browsers such as the phishing filter. b. The Untrained group – Users were just shown Extended Validation Certificates but received no training on its meaning. c. The Controlled group – Users weren’t even shown Extended Validation Certificates and their tasks were modified as to not include the Extended Validation indicators 3. Participants were required to classify a sequence of websites as legitimate or fraudulent. The websites were divided into the following categories: a. The Real website. b. The Real website, but designed to induce confusion.

6 The Usability Test (continued...) c. Site with Homograph attack. d. Homograph site that triggers a warning. e. Site with a Picture-in-picture attack. f. A Picture-in-picture attack with mismatched browser colour scheme. g. A site with an IP address instead of domain name blocked by phishing filter.

7 Study Results

8 Results Discussion

9 Criticism

10 Appreciation Authors must have realised the cause of the flaw in their study and try to pass the message across The various security mechanisms do not guarantee safety or they are not accurate 100% of the time Authors do this on several counts throughout the report: “The lock icon in browsers, which indicates the presence of SSL/TLS encryption, does not ensure the site is trustworthy” “Extended validation, which turns the address bar green in Internet Explorer 7, also does not guarantee that the site is safe to do business with or that it complies with applicable laws” “Another approach to the password theft problem is a password manager...................these solutions can be vulnerable to picture-in-picture user interface spoofing”

11 Question If security mechanisms are not accurate 100% of the time, could we rely on them?

Download ppt "A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools."

Similar presentations

10 Things You Can do to Secure Your PC Presented by Peter Nowak OIS Client Services Manager.

10 Things You Can do to Secure Your PC Presented by Peter Nowak OIS Client Services Manager.
Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)

Extended validation SSL March 2007 Tim Moses (chair, CA / Browser Forum)
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.

How It Applies In A Virtual World. Phishing Definition: n. To request confidential information over the Internet under false pretenses in order to fraudulently.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.

Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.

10/20/2009 Loomi Liao.  The problems  Some anti-phishing solutions  The Web Wallet solutions  The Web Wallet User Interface  User study  Discussion.
Chapter 9: Configuring Internet Explorer. Internet Explorer Usability Features Reorganized user interface Instant Search box RSS support Tabbed browsing.

Chapter 9: Configuring Internet Explorer. Internet Explorer Usability Features Reorganized user interface Instant Search box RSS support Tabbed browsing.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.

Does Domain Highlighting Help People Identify Phishing Sites? Eric Lin, Saul Greenberg Eileah Trotter, David Ma & John Aycock University of Calgary.
June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.

June 19, 2006TIPPI21 Web Wallet Preventing Phishing Attacks by Revealing User Intentions Rob Miller & Min Wu User Interface Design Group MIT CSAIL Joint.
Virtual techdays INDIA │ 9-11 February 2011 Safe Browsing Experience for your Home & Office M.S.Anand │ MTC Technology Specialist │ Microsoft Corporation.

Virtual techdays INDIA │ 9-11 February 2011 Safe Browsing Experience for your Home & Office M.S.Anand │ MTC Technology Specialist │ Microsoft Corporation.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Presented By Jay Dani.  Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine,

Presented By Jay Dani.  Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine,
STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA EMAIL LINKS 2.NEVER REVEAL YOUR PIN.

STAY SAFE ONLINE. STAY SAFE ONLINE! PLEASE MAKE SURE YOU LOGIN AT THE CORRECT BANK URL / ADDRESS 1.NEVER LOGIN VIA LINKS 2.NEVER REVEAL YOUR PIN.
GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.

Similar presentations

Ads by Google