A Quick Insight Paper about phishing attacks based on usability study Users required to classify websites as fraudulent/legitimate using security tools.

Presentation transcript:

A Quick Insight
Paper about phishing attacks based on a usability study
o Users were required to classify websites as fraudulent/legitimate using security tools
o Users were divided into 3 groups to study the effect of Extended Validation Certificates
o Phishing techniques included in the study: Picture-in-picture attack and Homograph attack

The Threats
What is a Phishing attack?
Some techniques of phishing attack:
o Picture-in-picture attack [1]
o Homograph attack (a lookalike domain compared to the genuine one)

The Defences
o Phishing filters
o The use of Extended Validation Certificates
o Security toolbars
o The use of HTTPS encryption (HTTP + SSL/TLS encryption)

The Usability Test
1. Participants familiarised themselves with the websites they were tested on.
2. Participants were then divided into 3 groups:
   a. The Trained group – users had learnt about Extended Validation Certificates and other security features found in browsers, such as the phishing filter.
   b. The Untrained group – users were just shown Extended Validation Certificates but received no training on their meaning.
   c. The Control group – users were not shown Extended Validation Certificates at all, and their tasks were modified so as not to include the Extended Validation indicators.
3. Participants were required to classify a sequence of websites as legitimate or fraudulent. The websites were divided into the following categories:
   a. The real website.
   b. The real website, but designed to induce confusion.

The Usability Test (continued...)
   c. Site with a Homograph attack.
   d. Homograph site that triggers a warning.
   e. Site with a Picture-in-picture attack.
   f. A Picture-in-picture attack with a mismatched browser colour scheme.
   g. A site with an IP address instead of a domain name, blocked by the phishing filter.
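As an added illustration (not code from the paper or the presenters), the checks below derive from the URL alone the two signals behind categories c/d and g: a label mixing Latin and Cyrillic letters (the homograph case) and a bare IP address in place of a domain name. The sample URLs are constructed; the checks say nothing about page content, SSL/TLS, or the EV indicator, which only the live connection can show.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs modelled on the study's site categories; they are not real sites.
SAMPLES = {
    "real": "https://www.example-bank.com/login",
    # Cyrillic small a (U+0430) replaces the Latin 'a' in "example": a homograph domain
    "homograph": "https://www.ex\u0430mple-bank.com/login",
    # Bare IP literal (RFC 5737 TEST-NET-1) in place of a domain name
    "ip_literal": "http://192.0.2.10/login",
}

def _letter_script(ch: str) -> str:
    """Script prefix of a letter's Unicode name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def mixed_script_labels(host: str) -> list:
    """Labels whose letters come from more than one script (e.g. Latin mixed with Cyrillic)."""
    flagged = []
    for label in host.split("."):
        scripts = {_letter_script(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged

def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4/IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_url(url: str) -> dict:
    """Evidence a filter can derive from the URL alone; page content, SSL/TLS and
    the EV indicator need the live connection and are out of scope here."""
    host = urlsplit(url).hostname or ""
    try:
        ascii_host = host.encode("idna").decode("ascii")  # punycode form the user never sees
    except UnicodeError:
        ascii_host = host
    reasons = []
    if is_ip_literal(host):
        reasons.append("host is a bare IP address, not a domain name")
    mixed = mixed_script_labels(host)
    if mixed:
        reasons.append("mixed-script label(s): " + ", ".join(mixed))
    return {"host": host, "ascii_host": ascii_host, "suspicious": bool(reasons), "reasons": reasons}
```

Note that the punycode form (xn--...) is what the browser actually resolves while the address bar shows the lookalike letters, which is why category d sites need an explicit warning rather than relying on the user reading the URL.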

Study Results

Results Discussion

Criticism

Appreciation
The authors must have realised the cause of the flaw in their study and tried to pass the message across: the various security mechanisms do not guarantee safety, or they are not accurate 100% of the time. The authors do this on several counts throughout the report:
“The lock icon in browsers, which indicates the presence of SSL/TLS encryption, does not ensure the site is trustworthy”
“Extended validation, which turns the address bar green in Internet Explorer 7, also does not guarantee that the site is safe to do business with or that it complies with applicable laws”
“Another approach to the password theft problem is a password manager [...] these solutions can be vulnerable to picture-in-picture user interface spoofing”

Question
If security mechanisms are not accurate 100% of the time, could we rely on them?