Phishing and Trust

Agenda Questions? Questions? Phishing Phishing Project feedback Project feedback Trust Trust

Phishing: the problem Statistics from June 2007 Anti-Phishing Working Group: Number of unique phishing reports received in June: Number of unique phishing sites received in June: Number of brands hijacked by phishing campaigns in June: 146 Number of brands comprising the top 80% of phishing campaigns in June: 14 Country hosting the most phishing websites in June: United States Average time online for site: 3.8 days Longest time online for site: 30 days 95.2% of attacks in Financial Services industry. Phishing sites now can also host keyloggers, trojans, and other malware

Not a lot of progress…

Phishing Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.Questions: What are the user interface issues involved in people falling for phishing attacks? What are the user interface issues involved in people falling for phishing attacks? What are the social issues involved? What are the social issues involved?

Why Phishing Works Lack of knowledge Lack of knowledge –Computer systems and security Visual deception Visual deception –Deceptive text, masking images, etc. Bounded attention Bounded attention –Lack of attention to security indicators or their absence User strategies: User strategies: –23%: website content only –36%: content and domain name only (address bar) –9%: above + “ –23%: above + padlock icon –9%: above + certificates Dhamija, R., J.D. Tygar, and M. Hearst. Proc. CHI, 2006, pp

Solutions Improve browser to fix usability issues Improve browser to fix usability issues Toolbar / browser component to detect phishing sites Toolbar / browser component to detect phishing sites –Warn or prevent bad things from happening –IE7, Firefox 2.0, Netcraft, Google Safe Browsing, eBay toolbar, Earthlink, GeoTrust TrustWatch, Phishtank SiteChecker Train users Train users Modify website and strengthen authentication Modify website and strengthen authentication –List person by name –Use Sitekey Take care of spam? Take care of spam?

Tool: Earthlink toolbar

Compare: Firefox warning

User training What should you tell users? What should you tell users? Example: Anti-Phishing Phil Example: Anti-Phishing Phil –Study: compared using existing tutorials, new tutorial based on game, and playing game –All improved overall correctness, game was the best –All training decreased false negatives –Only game decreased false positives –Game better at teaching techniques to use, not just increasing attention Example:

Improving authentication SiteKey: Bank of America’s approach SiteKey: Bank of America’s approach –A unique image + title you choose –Challenge questions if you don’t log in from a recognized computer –Still potentially susceptible to real-time, man-in-the-middle attacks ( Others? Others?

Social phishing Or spear fishing Or spear fishing –Appears to be legitimate from employer, HR, friend, etc. –Data mined from social networking sites, employer information, etc. –Worse than plain phishing? Indiana study: 72% fell for Indiana study: 72% fell for –Similar to 80% from West Point Military Academy –Ethical considerations of studying social phishing?

Trust is fundamental to security Lack of trust results in systems being ill-used or used not at all Lack of trust results in systems being ill-used or used not at all Lack of understanding of trust results in wrong decisions or no decisions Lack of understanding of trust results in wrong decisions or no decisions Too much trust can be more dangerous than too little Too much trust can be more dangerous than too little –E.g. I can open any file attachment because I run anti-virus software

What are your strategies? Scenario: you are buying a product from a new site, what leads you to trust the site and buy from them? Scenario: you are buying a product from a new site, what leads you to trust the site and buy from them? Scenario: you are looking up medical information on a new site, what leads you to trust the site? Scenario: you are looking up medical information on a new site, what leads you to trust the site? Scenario: you consider downloading a new browser plug-in, what leads you to trust the plug-in and download? Scenario: you consider downloading a new browser plug-in, what leads you to trust the plug-in and download?

Definitions Book: “Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party” Book: “Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party” Miriam-Webster: “assured reliance on the integrity, ability, or character of a person or thing” Miriam-Webster: “assured reliance on the integrity, ability, or character of a person or thing”

Layers Dispositional trust Dispositional trust –Psychological disposition or personality trait to be trusting or not Learned trust Learned trust –A person’s general tendency to trust, or not to trust, as a result of experience Situational trust Situational trust –Basic tendencies are adjusted in response to situational cues

Processing strategies Heuristic approach making quick judgments from the obvious information Heuristic approach making quick judgments from the obvious information Systematic approach involving detailed analysis of information Systematic approach involving detailed analysis of information

Models summarization Increases trust Increases trust –Familiarity –Benevolence –Integrity –Comprehensive info –Shared value –Credibility –Good feedback –Reliability –Usability Decreases trust Decreases trust –Risk –Transaction cost –Uncertainty

Losing trust What are ways to damage trust? What are ways to damage trust? How can you repair damaged trust? How can you repair damaged trust?

Trust Design Guidelines 1. Ensure good ease of use. 2. Use attractive design. 3. Create a professional image – avoid spelling mistakes and other simple errors. 4. Don’t mix advertising and content – avoid sales pitches and banner advertisements. 5. Convey a “real-world” look and feel – for example, with use of high- quality photographs of real places and people. 6. Maximize the consistency, familiarity, or predictability of an interaction both in terms of process and visually. 7. Include seals of approval such as TRUSTe. 8. Provide explanations, justifying the advice or information given. 9. Include independent peer evaluation such as references from past and current users and independent message boards. 10. Provide clearly stated security and privacy statements, and also rights to compensation and returns. 11. Include alternative views, including good links to independent sites with the same business area. 12. Include background information such as indicators of expertise and patterns of past performance. 13. Clearly assign responsibilities (to the vendor and the customer). 14. Ensure that communication remains open and responsive, and offer order tracking or an alternative means of getting in touch. 15. Offer a personalized service that takes account of each client’s needs and preferences and reflects its social identity.

Credibility How is this different than trust? How is this different than trust? Four Types of Credibility Four Types of Credibility –Presumed credibility. –Reputed credibility. –Surface credibility. –Experienced credibility.

Stanford Guidelines for Web Credibility 1. Make it easy to verify the accuracy of the information on your site. 2. Show that there's a real organization behind your site. 3. Highlight the expertise in your organization and in the content and services you provide. 4. Show that honest and trustworthy people stand behind your site. 5. Make it easy to contact you. 6. Design your site so it looks professional (or is appropriate for your purpose). 7. Make your site easy to use – and useful. 8. Update your site's content often (at least show it's been reviewed recently). 9. Use restraint with any promotional content (e.g., ads, offers). 10. Avoid errors of all types, no matter how small they seem. Stanford Persuasive Technology Lab

Food for thought What have you noticed websites doing to increase your trust? What have you noticed websites doing to increase your trust? Have you grown more or less trustworthy over time? General public? Have you grown more or less trustworthy over time? General public? Should computers (application designers) trust users? Should computers (application designers) trust users? –Should the system take over and prevent bad things from happening? When?