
Presentation transcript: "Phishing and Trust"

1 Phishing and Trust

2 Agenda
Questions?
Phishing
Project feedback
Trust

3 Phishing: the problem
Statistics from June 2007, Anti-Phishing Working Group: http://www.antiphishing.org/
–Number of unique phishing reports received in June: 28,888
–Number of unique phishing sites received in June: 31,709
–Number of brands hijacked by phishing campaigns in June: 146
–Number of brands comprising the top 80% of phishing campaigns in June: 14
–Country hosting the most phishing websites in June: United States
–Average time online for a site: 3.8 days
–Longest time online for a site: 30 days
–95.2% of attacks targeted the Financial Services industry
Phishing sites now can also host keyloggers, trojans, and other malware

4 Not a lot of progress…

5 Phishing
Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.
Questions:
–What are the user interface issues involved in people falling for phishing attacks?
–What are the social issues involved?

6 Why Phishing Works
Lack of knowledge
–Computer systems and security
Visual deception
–Deceptive text, masking images, etc.
Bounded attention
–Lack of attention to security indicators, or to their absence
User strategies (which cues study participants relied on):
–23%: website content only
–36%: content and domain name only (address bar)
–9%: above + "https:"
–23%: above + padlock icon
–9%: above + certificates
Dhamija, R., J.D. Tygar, and M. Hearst. "Why Phishing Works." Proc. CHI 2006, pp. 581-590.

7 Solutions
Improve the browser to fix usability issues
Toolbar / browser component to detect phishing sites
–Warn, or prevent bad things from happening
–IE7, Firefox 2.0, Netcraft, Google Safe Browsing, eBay toolbar, Earthlink, GeoTrust TrustWatch, PhishTank SiteChecker
Train users
Modify the website and strengthen authentication
–Address the person by name
–Use SiteKey
Take care of spam?
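The 36% of users in the Dhamija study who checked "content and domain name" were looking at the address bar, and the toolbars listed above automate that look. The following is an added example, not code from the slides or from any of the named products: a small set of address-bar heuristics that pull the host a browser will actually connect to out of a URL and flag the ways a phisher makes that host look like something else (credentials before an "@", a raw IP, a punycode label, a protected brand appearing anywhere except the registrable domain, a login page served over plain http). The brand list, the signal names and the sample URLs are constructed for illustration; the two-label "registrable domain" rule is a deliberate simplification of the Public Suffix List.

```python
"""Address-bar heuristics of the kind a phishing toolbar applies.

Added example: not code from the original slides or from any of the
toolbars they list. Rules, brand list and sample URLs are constructed.
A real checker would combine such heuristics with a blacklist such as
PhishTank or Google Safe Browsing and with the Public Suffix List.
"""
import ipaddress
from urllib.parse import urlsplit

# Brands a deployment wants to protect (constructed list, an assumption).
PROTECTED_BRANDS = {"paypal", "ebay", "bankofamerica"}

LOGIN_WORDS = ("login", "signin", "account")


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels.

    Adequate for the .com/.net/.example hosts used here; co.uk-style
    suffixes need the Public Suffix List (deliberately omitted).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_signals(url: str) -> list[str]:
    """Return the list of deception signals found in one URL ([] if clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()     # what the browser connects to
    signals: list[str] = []

    # 1. Userinfo: in "https://bankofamerica.com@evil.example/" everything
    #    before the '@' is a username, but it reads like the host.
    if parts.username is not None:
        signals.append("userinfo-in-url")

    # 2. A raw IP address where a brand's hostname is expected.
    try:
        ipaddress.ip_address(host)
        signals.append("ip-address-host")
    except ValueError:
        pass

    # 3. Punycode labels: candidate IDN homographs (e.g. Cyrillic 'a').
    if any(label.startswith("xn--") for label in host.split(".")):
        signals.append("punycode-label")

    # 4. Brand name present as a label or in the path, but the registrable
    #    domain is someone else's: "www.paypal.com.example-login.net".
    reg_owner = registrable_domain(host).split(".")[0]
    if reg_owner not in PROTECTED_BRANDS:
        labels = set(host.replace("-", ".").split("."))
        if labels & PROTECTED_BRANDS:
            signals.append("brand-in-wrong-position")
        if any(brand in parts.path.lower() for brand in PROTECTED_BRANDS):
            signals.append("brand-in-path")

    # 5. Very deep subdomain chains are used to push the real domain out of
    #    the visible part of a narrow address bar.
    if host.count(".") >= 4:
        signals.append("deep-subdomain")

    # 6. A login-looking page served without TLS.
    if parts.scheme == "http" and any(w in parts.path.lower() for w in LOGIN_WORDS):
        signals.append("login-over-http")

    return signals


def is_suspicious(url: str) -> bool:
    return len(phishing_signals(url)) > 0


# Constructed sample URLs: one genuine, the rest modelled on common lures.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://bankofamerica.com@evil.example/login",
    "http://192.0.2.10/paypal/login.php",
    "http://www.paypal.com.example-login.net/webscr",
    "https://www.xn--pypal-4ve.com/",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{sample:50s} host={urlsplit(sample).hostname!s:35s} {phishing_signals(sample)}")
```

Run it and the first column is what the user sees while the `host=` column is what the browser resolves; the gap between the two is the visual deception on slide 6. These heuristics produce false positives on legitimate sites (deep CDN hostnames, IP-addressed intranet pages), which is why the toolbars combine them with a reported-site blacklist rather than blocking on heuristics alone.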

8 Tool: Earthlink toolbar

9 Compare: Firefox warning

10 User training
What should you tell users?
Example: Anti-Phishing Phil
–Study: compared existing tutorials, a new tutorial based on the game, and playing the game itself
–All improved overall correctness; the game was the best
–All training decreased false negatives
–Only the game decreased false positives
–The game was better at teaching techniques to use, not just at increasing attention
http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
http://cups.cs.cmu.edu/antiphishing_phil/
Example: http://www.microsoft.com/protect/yourself/phishing/identify.mspx

11 Improving authentication
SiteKey: Bank of America's approach
–A unique image + title that you choose
–Challenge questions if you don't log in from a recognized computer
–Still potentially susceptible to real-time man-in-the-middle attacks (http://www.cr-labs.com/publications/SiteKey-20060718.pdf)
Others?
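The man-in-the-middle caveat on this slide is easier to see as a message exchange than as a sentence. The following is an added toy simulation, not Bank of America's code and not the cr-labs analysis: a bank that returns the user's chosen image on receiving a username, a user who only types a password after seeing the right image, and two phishing sites, one a static copy of the login page and one that relays each message to the real bank as it arrives. All account data and image names are constructed.

```python
"""Why a shared-image scheme (SiteKey-style) stops a static clone but not
a real-time relay.  Added example with constructed accounts and images;
not the bank's code nor the cr-labs paper's.
"""
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Genuine server: username -> (chosen image, password)."""
    accounts: dict[str, tuple[str, str]]

    def sitekey_for(self, username: str) -> str:
        # Step 1: user submits only the username; bank shows the personal
        # image so the user can "verify the site" before typing a password.
        return self.accounts[username][0]

    def login(self, username: str, password: str) -> bool:
        # Step 2: password is submitted only after the image check passed.
        return self.accounts[username][1] == password


@dataclass
class User:
    username: str
    password: str
    expected_image: str

    def start_login(self, site) -> bool:
        """Follow the SiteKey instructions exactly: no image match, no password."""
        if site.sitekey_for(self.username) != self.expected_image:
            return False                      # walked away; scheme worked
        return site.login(self.username, self.password)


class StaticClone:
    """Copied login page.  It cannot know Alice's image, so it guesses."""

    def sitekey_for(self, username: str) -> str:
        return "img:generic-padlock"

    def login(self, username: str, password: str) -> bool:
        return True


@dataclass
class RelayPhisher:
    """Phishing site that forwards every message to the real bank in real time."""
    bank: Bank
    captured: list[tuple[str, str]] = field(default_factory=list)

    def sitekey_for(self, username: str) -> str:
        # Forward the username, hand the genuine image back to the victim.
        # Challenge questions for an unrecognized computer relay the same way.
        return self.bank.sitekey_for(username)

    def login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return self.bank.login(username, password)   # victim is even logged in


def run_scenarios() -> dict:
    bank = Bank({"alice": ("img:red-canoe", "hunter2")})   # constructed account
    alice = User("alice", "hunter2", "img:red-canoe")
    relay = RelayPhisher(bank)
    return {
        "genuine": alice.start_login(bank),
        "static_clone": alice.start_login(StaticClone()),
        "relay": alice.start_login(relay),
        "relay_captured": relay.captured,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} {outcome}")
```

The static clone fails (`False`): the image check does exactly what the design intends. The relay succeeds, Alice sees her red canoe, logs in normally, and the phisher holds her password; nothing in the exchange let her distinguish the relay from the bank, because the image proves only that whoever is talking to her can talk to the bank. Binding the session to the client (a TLS channel the relay cannot terminate, or a hardware token that signs the origin) is what closes this gap, not a better image.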

12 Social phishing
Or spear phishing
–Appears to be legitimate email from an employer, HR, a friend, etc.
–Data mined from social networking sites, employer information, etc.
–Worse than plain phishing?
Indiana study: 72% fell for it
–Similar to the 80% from the West Point Military Academy exercise
–Ethical considerations of studying social phishing?

13 Trust is fundamental to security
Lack of trust results in systems being ill-used or not used at all
Lack of understanding of trust results in wrong decisions or no decisions
Too much trust can be more dangerous than too little
–E.g. "I can open any file attachment because I run anti-virus software"

14 What are your strategies?
Scenario: you are buying a product from a new site. What leads you to trust the site and buy from them?
Scenario: you are looking up medical information on a new site. What leads you to trust the site?
Scenario: you are considering downloading a new browser plug-in. What leads you to trust the plug-in and download it?

15 Definitions
Book: "Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party"
Merriam-Webster: "assured reliance on the integrity, ability, or character of a person or thing"

16 Layers
Dispositional trust
–Psychological disposition or personality trait to be trusting or not
Learned trust
–A person's general tendency to trust, or not to trust, as a result of experience
Situational trust
–Basic tendencies are adjusted in response to situational cues

17 Processing strategies
Heuristic approach: making quick judgments from the obvious information
Systematic approach: detailed analysis of the information

18 Models summarization
Increases trust
–Familiarity
–Benevolence
–Integrity
–Comprehensive info
–Shared value
–Credibility
–Good feedback
–Reliability
–Usability
Decreases trust
–Risk
–Transaction cost
–Uncertainty

19 Losing trust
What are ways to damage trust?
How can you repair damaged trust?

20 Trust Design Guidelines
1. Ensure good ease of use.
2. Use attractive design.
3. Create a professional image – avoid spelling mistakes and other simple errors.
4. Don't mix advertising and content – avoid sales pitches and banner advertisements.
5. Convey a "real-world" look and feel – for example, with use of high-quality photographs of real places and people.
6. Maximize the consistency, familiarity, or predictability of an interaction, both in terms of process and visually.
7. Include seals of approval such as TRUSTe.
8. Provide explanations, justifying the advice or information given.
9. Include independent peer evaluation such as references from past and current users and independent message boards.
10. Provide clearly stated security and privacy statements, and also rights to compensation and returns.
11. Include alternative views, including good links to independent sites in the same business area.
12. Include background information such as indicators of expertise and patterns of past performance.
13. Clearly assign responsibilities (to the vendor and the customer).
14. Ensure that communication remains open and responsive, and offer order tracking or an alternative means of getting in touch.
15. Offer a personalized service that takes account of each client's needs and preferences and reflects their social identity.

21 Credibility
How is this different from trust?
Four types of credibility:
–Presumed credibility
–Reputed credibility
–Surface credibility
–Experienced credibility

22 Stanford Guidelines for Web Credibility
1. Make it easy to verify the accuracy of the information on your site.
2. Show that there's a real organization behind your site.
3. Highlight the expertise in your organization and in the content and services you provide.
4. Show that honest and trustworthy people stand behind your site.
5. Make it easy to contact you.
6. Design your site so it looks professional (or is appropriate for your purpose).
7. Make your site easy to use – and useful.
8. Update your site's content often (at least show it's been reviewed recently).
9. Use restraint with any promotional content (e.g., ads, offers).
10. Avoid errors of all types, no matter how small they seem.
Stanford Persuasive Technology Lab, http://www.webcredibility.org/guidelines/

23 Food for thought
What have you noticed websites doing to increase your trust?
Have you grown more or less trusting over time? What about the general public?
Should computers (application designers) trust users?
–Should the system take over and prevent bad things from happening? When?
