Usable Privacy and Security: Protecting People from Online Phishing Scams Alessandro Acquisti Lorrie Cranor Julie Downs Jason Hong Norman Sadeh Carnegie Mellon University
Everyday Security Problems Install this software?
Everyday Security Problems Setting File Permissions In 2003, one Senate Judiciary staffer found that files were readable to all users, rather than just to Democrats or Republicans See Reeder et al CHI 2008
Everyday Security Problems Many Laptops with Sensitive Data being Lost or Stolen
Costs of Unusable Privacy & Security High Spyware, viruses, worms Too many passwords!!! People not updating software with patches Firewalls, WiFi boxes, and other systems easily misconfigured Less potential adoption of ubicomp systems (e.g. location-based services)
Usable Privacy and Security “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Grand Challenges in Information Security & Assurance Computing Research Association (2003) More research needed on how “cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches.” - Grand Challenges for Engineering National Academy of Engineering (2008)
Everyday Privacy and Security Problem
This entire process known as phishing
Phishing is a Plague on the Internet Estimated $350m-$3b direct losses a year –Does not include damage to reputation, lost sales, etc –Does not include response costs (call centers, recovery) –Rapidly growing Spear-phishing and whaling attacks escalating –Steal sensitive corporate or military information
Phishing Becoming Pervasive Universities Online social networking sites (Facebook, MySpace) Social media (Twitter, World of Warcraft)
Project: Supporting Trust Decisions Goal: help people make better online trust decisions –Specifically in context of anti-phishing Large multi-disciplinary team project at CMU –Economics, computer science, public policy, human-computer interaction, social and decision sciences, machine learning, computer security
Our Multi-Pronged Approach Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Automate where possible, support where necessary
Impact of Our Work Game teaching people about phish played 100k times, featured in over 20 media articles Study on browser warnings -> Internet Explorer 8 Our filter is labeling several million s per day Our evaluation of anti-phishing toolbars cited by several companies, presented to Anti-Phishing Working Group (APWG) PhishGuru embedded training undergone field trials at three companies, variant in use by large provider, and used in APWG’s takedown page
Our Multi-Pronged Approach Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm What do users know about phishing? Why do they fall for phish?
Interview Study Interviewed 40 Internet users (35 non-experts) “Mental models” interviews included role play and open ended questions Brief overview of results (see papers for details) J. Downs et al. Decision Strategies and Susceptibility to Phishing. Symposium on Usable Privacy and Security J. Downs et al. Behavioral Response to Phishing Risk. eCrime 2007.
Little Knowledge of Phishing Only about half knew meaning of the term “phishing” “Something to do with the band Phish, I take it.”
Little Attention Paid to URLs Only 55% of participants said they had ever noticed an unexpected or strange-looking URL Most did not consider them to be suspicious
Some Knowledge of Scams 55% of participants reported being cautious when asks for sensitive financial info –But very few reported being suspicious of asking for passwords Knowledge of financial phish reduced likelihood of falling for these scams –But did not transfer to other scams, such as an amazon.com password phish
Naive Evaluation Strategies The most frequent strategies don’t help much in identifying phish –This appears to be for me –It’s normal to hear from companies you do business with –Reputable companies will send s “I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again.”
Summary of Findings People generally not good at identifying scams they haven’t specifically seen before People don’t use good strategies to protect themselves
Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists How to train people not to fall for phish?
PhishGuru Embedded Training A lot of training materials are boring and/or ignored Can we “train” people during their normal use of to avoid phishing attacks? –Periodically, people get sent a training by admins –Training looks same as a phishing attack –If person falls for it, intervention warns and highlights what cues to look for in succinct and engaging format
Everyday Privacy and Security Problem
Learning science principles Learning by Doing Immediate feedback Conceptual-Procedural Knowledge
Evaluation of PhishGuru Is embedded training effective? Yes! –Study 1: Lab study, 30 participants –Study 2: Lab study, 42 participants –Study 3: Field evaluation at company, ~300 participants –Study 4: Ongoing at CMU, ~500 participants Will highlight first two studies P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training System. CHI P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
Intervention #1 – Diagram
Explains why they are seeing this message
Intervention #1 – Diagram Explains what a phishing scam is
Intervention #1 – Diagram Explains how to identify a phishing scam
Intervention #1 – Diagram Explains simple things you can do to protect self
Intervention #2 – Comic Strip
Embedded Training Evaluation #1 Lab study comparing our prototypes to standard security notices –Group A – Standard eBay, PayPal notices –Group B – Diagram that explains phishing –Group C – Comic strip that tells a story 10 participants in each condition (30 total) –Screened so we only have novices Go through 19 s, 4 phishing attacks scattered throughout, 2 training s too –Role play as Bobby Smith at Cognix Inc
Embedded Training Results
Existing practice of security notices not effective Diagram intervention somewhat better –Though people still fell for final phish Comic strip intervention worked best –Statistically significant –Combination of less text, graphics, story
Evaluation #2 New questions: –Have to fall for phishing to be effective? –How well do people retain knowledge? Roughly same experimental protocol as before –Role play as Bobby Smith at Cognix Inc, go thru 16 s Embedded condition means have to fall for our Non-embedded means we just send the comic strip Suspicion means got a warning about phish from friend Control means they got no warnings or training –Also had people come back after 1 week
Results of Evaluation #2 Have to fall for phishing to be effective? How well do people retain knowledge after a week?
Results of Evaluation #2 Have to fall for phishing to be effective? How well do people retain knowledge after a week?
Results of Evaluation #2 Have to fall for phishing to be effective? How well do people retain knowledge after a week?
Discussion of PhishGuru Act of falling for phish is teachable moment –Just sending intervention not effective PhishGuru can teach people to identify phish better –People retain the knowledge well –People aren’t resentful, many happy to have learned 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future “I really liked the idea of sending CMU students fake phishing s and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how....”
APWG Landing Page CMU helped Anti-Phishing Working Group develop landing page for phishing sites taken down Also a new data source for us –How long people keep going to phishing sites, where from
Phishguru.org Our site to teach general public more about phishing
Anti-Phishing Phil A game to teach people not to fall for phish –Embedded training about , this game about web browser –Based on learning science Goals –How to parse URLs –Where to look for URLs –Use search engines for help Try the game! – S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
Anti-Phishing Phil
Evaluation of Anti-Phishing Phil Is Phil effective? Study 1: 56 people in lab study Study 1 protocol –Label 10 web sites as phish or legitimate –For 15 minutes (four conditions): Read printed materials on training Read printed copies of Phil’s tutorials Play Anti-Phishing Phil Check or play solitaire (control) –Label 10 more web sites
Anti-Phishing Phil: Study 1 No statistical difference in false negatives (calling phish legitimate) between first three conditions
Anti-Phishing Phil: Study 1 Our game has significantly fewer false positives (labeling legitimate site as phish)
Evaluation of Anti-Phishing Phil Study 2: 4517 participants in field trial –Randomly selected from people Conditions –Control: Label 12 sites then play game –Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total) Participants –2021 people in game condition, 674 did retention portion
Anti-Phishing Phil: Study 2 Novices showed most improvement in false negatives (calling phish legitimate)
Anti-Phishing Phil: Study 2 Improvement all around for false positives
Discussion of Anti-Phishing Phil For false negatives, Phil at least as effective as existing training, but much more fun Much better in terms of false positive rate –Don’t want people to delete all mails from Citibank –Just telling people about phish tends to make them paranoid, without ability to differentiate
Outline Human side –Interviews to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm Do people see, understand, and believe web browser warnings?
Screenshots Internet Explorer – Passive Warning
Screenshots Internet Explorer – Active Block
Screenshots Mozilla FireFox – Active Block
How Effective are these Warnings? Tested four conditions –FireFox Active Block –IE Active Block –IE Passive Warning –Control (no warnings or blocks) “Shopping Study” –Setup some fake phishing pages and added to blacklists –We phished users after purchases (2 phish/user) –Real accounts and personal information S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
How Effective are these Warnings? Almost everyone clicked, even those with technical backgrounds
How Effective are these Warnings?
Discussion of Phish Warnings Nearly everyone will fall for highly contextual phish Passive IE warning failed for many reasons –Didn’t interrupt the main task –Slow to appear (up to 5 seconds) –Not clear what the right action was –Looked too much like other ignorable warnings (habituation) –Bug in implementation, any keystroke dismisses
Screenshots Internet Explorer – Passive Warning
Discussion of Phish Warnings Active IE warnings –Most saw but did not believe it “Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad” –Some element of habituation (looks like other warnings) –Saw two pathological cases
Screenshots Internet Explorer – Active Block
Internet Explorer 8 Re-design
A Science of Warnings See the warning? Understand? Believe it? Motivated? Refining this model for computer warnings
Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Can we automatically detect phish s?
PILFER Anti-Phishing Filter Goal: Create filter that detects phishing s –Spam filters well-explored, but how good for phishing? –Can we do better? Example heuristics combined in Random Forest –IP addresses in link ( –Age of linked-to domains (younger domains likely phishing) –Non-matching URLs (ex. most links point to PayPal) –“Click here to restore your account” I. Fette, N. Sadeh, A. Tomasic. Learning to Detect Phishing s. In W W W 2007.
PILFER Evaluation PILFER better at detecting phish, few false positives Implemented as a SpamAssassin plugin Large-scale field trial with underway –Millions of s per day –Currently evaluating effectiveness of filter
Outline Human side –Interviews and surveys to understand decision-making –PhishGuru embedded training –Anti-Phishing Phil game –Understanding effectiveness of browser warnings Computer side –PILFER anti-phishing filter –CANTINA web anti-phishing algorithm –Machine learning of blacklists Can we improve phish detection of web sites?
Detecting Phishing Web Sites Industry uses blacklists to label phishing sites –But blacklists slow to new attacks Idea: Use search engines –Scammers often directly copy web pages –But fake pages should have low PageRank on search engines –Generate text-based “fingerprint” of web page keywords and send to a search engine Y. Zhang, S. Egelman, L. Cranor, and J. Hong Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.
Robust Hyperlinks Developed by Phelps and Wilensky to solve “404 not found” problem Key idea was to add a lexical signature to URLs that could be fed to a search engine if URL failed –Ex. How to generate signature? –Found that TF-IDF was fairly effective Informal evaluation found five words was sufficient for most web pages
Fake eBay, user, sign, help, forgot
Real eBay, user, sign, help, forgot
Evaluating CANTINA PhishTank
Our Ongoing Work in Anti-Phishing Machine Learning of Blacklists –Given blacklists of URLs, can we apply content-based and URL-based approaches to accurately detect new phish? Blacklists can be thought of as labeled data –Early results show 87% true positive rate and 0.04% false positives, far better than any other heuristics Social Web + Machine Learning –PhishTank is a community site where people can submit and verify phish, five votes to verify –Can we use machine learning approaches to augment people’s votes? –Currently collecting data through Mechanical Turk
Summary Usable Privacy and Security –Grand challenge for computer science Whirlwind tour of our work on anti-phishing –Human side: effective training mechanisms –Computer side: better algorithms for detecting phish Lots more info at cups.cs.cmu.edu
Acknowledgments Alessandro Acquisti Lorrie Cranor Sven Dietrich Julie Downs Mandy Holbrook Norman Sadeh Anthony Tomasic Umut Topkara Supported by NSF, ARO, CyLab, Portugal Telecom Serge Egelman Ian Fette Ponnurangam Kumaraguru Bryant Magnien Elizabeth Nunge Yong Rhee Steve Sheng Yue Zhang
C MU U sable P rivacy and S ecurity Laboratory
Everyday Security Problems