SlideShare une entreprise Scribd logo

Do security toolbars actually prevent phishing attacks

Pankaj Saharan
Pankaj Saharan

Analysis of security toolbars in prevention of phishing attacks

Technologie
1  sur  22
Do Security Toolbars Actually Prevent Phishing Attacks (Written by: Min Wu, Robert C. Miller, Simson L. Garfinkel) Pankaj Saharan Helsinki University of Technology
Agenda • • • • • • • Introduction Why Phishing works Types of phishing attacks One solution: Security toolbars Initial design issues User studies Conclusions and recommendations
Introduction • Phishing attacks typically use legitimatelooking but fake emails and websites to deceive users into disclosing personal or financial information to the attacker • A significant threat to Internet users today • Phishing is a model problem for illustrating usability concerns of privacy and security
Why Phishing works?? • • • • • Human Behavior Lack of knowledge Lack of attention Visual deception …..
Types of phishing attacks Similar-name attack: One way that users authenticate web sites is by examining the URL displayed in the address bar, attackers can use a hostname that bears a superficial similarity to the imitated site’s hostname. For example, www.bestbuy.com.ww2.us to spoof bestbuy.com. IP-address attack: Another way to obscure a server’s identity is to display it as an IP address, e.g., http://212.85.153.6/ to spoof bestbuy.com. Hijacked-server attack: Attackers sometimes hijack a server at a legitimate company and then use the server to host phishing attacks. For example, hijacked site www.btinternet.com to spoof bestbuy.com. Popup-window attack: A popup-window attack displays the real site in the browser but puts a borderless window from the phishing site on top to request the user’s personal information. PayPal attack: Unlike the other attacks, which simulate man-in-the-middle behavior while displaying the real web site, this attack requests not only a PayPal username and password, but credit card and bank account information.
One solution: Security Toolbars • Security toolbars in a web browser show security related information about a website to help users detect phishing attacks Some commonly used security toolbars are: • Spoofstick: It displays the website’s real domain name in order to expose phishing sites that obscure their domain name e.g for spoof site www.paypal.com.wws2.us, Spoofstick would display this domain as wws2.us • Netcraft toolbar: It displays information about the site including the domain’s registration date, hosting country and popularity among other toolbar users. • Trustbar: It makes secure web connections (SSL) more visible by displaying the logos of the website and its certificate authority (CA). This is useful against phishing because many legitimate websites use SSL to encrypt the user’s sensitive data transimission, but most phishing sites do not. • eBAY’s Account Guard: It shows a green icon to indicate that the current site belongs to eBay or PayPal, a red icon to indicate a known phishing site found on a blacklist maintained by eBay and a gray for all other sites. • Spoofguard: It calculates a spoof score for the current web page using a set of heuristics derived from previous phishing attacks. Then it shows a particular color to indicate the site’s legitimacy on the basis of the score.
Initial design issues • Secondary goal: Users may not care about the toolbar’s display even if they do notice about it because security toolbar shows security related information which is generally not the primary goal of user in web browsing. • Small area: A toolbar is a small display in the peripheral area of the browser, compared to the large main window that displays the web content. Users may not pay enough attention to the toolbar at the right times to notice an attack. • False Alarms: If a toolbar sometimes makes mistakes and identifies legitimate sites as phishing sites, users may learn to distrust the toolbar. Then, when the toolbar correctly identifies a phishing site, the user may not believe it.
User Studies • To simplify the study design, the five existing toolbars were combined into three categories: – neutral information toolbar (Spoofstick and Netcraft) – SSL-verification toolbar (Trustbar) – system-decision toolbar (eBay Account Guard and Spoofguard) • Users in the studies interacted with a simulated Internet Explorer built inside an HTML application running in full screen mode
User studies….(contd.) • The studies set up dummy accounts in the name of “John Smith” at various legitimate e-commerce websites • Users were asked to work as his personal assistants and protect his passwords • The task was to process 20 mail messages, most of which were requests by John to handle a forwarded message from an e-commerce site • The attacks were divided into wish-list attacks and paypal attack • A tutorial mail appeared in the middle of the study, as 11th of the 20 mails.
User studies….(contd.) • A total of 30 users (all atleast had college education) • 14 males and 16 females • Average age was 27 (ranging from 18-50) • All of them had previous experience of online shopping via one or the other ecommerce sites Risk: Care for the security of the person.
Study 1: Wish list attacks
Results of wish-list attacks • 17 subjects (85%) were spoofed by the web content • 12 subjects (60%) were spoofed by URLs • 9 subjects (45%) were doing their primary tasks at hand • 5 subjects (25%) did not notice the toolbar display at all for some attacks • 1 subject clicked on the links to check for authenticity
Learning effects of tutorial mail
Paypal attack • 5 users were spoofed by paypal attack (4 were real life uesrs) • Reasons: – psychological thinking of being familiar – checking content for authenticity – Requirement!
User study 2 • To check the effectiveness of pop-up warning messages • A pop-up is a very aggressive warning, disrupting the user’s task – So it must be accurate or would be disabled • 20 users aged 19 to 37 (average 23) • 18 were college students and 13 were male
Pop up warning message
Pop warning messages: inferences • 4 users were spoofed • None of the four spoofed subjects offered that the content of the page was convincing as a reason that they were spoofed • Two subjects believed the warning and knew the site was phishing, but still wanted to complete the task. • The other two subjects did not trust the blocking warning box. One said that he had never seen such a warning before. The other thought that the warning was wrong.
Conclusion: Toolbars effectiveness analysis • • • • • • The neutral information toolbars only provide website information such as domain name, hostname, registration date, hosting country etc. With this information, users must use their own judgment and experience to decide whether a site is legitimate or phishing. The system decision toolbars show warning signal for a fraudulent site. This display is easy for the user to interpret but it requires the user to trust the toolbar’s decision process which is generally hidden from the user. Similar is the case with SSL verification toolbars. Generally the security toolbars are not clearly interpreted by the user. Mostly the toolbar looks like an advertisement banner, so it becomes unclear whether it is put there by the browser or the website. Many users depend on the web content to authenticate the site’s identity. Even though they are cautious and notice suspicious signs from the browser’s security indicators, since these signals are weak compared to the strong signals from convincing web content, the users tend to ignore or explain away the security indicators. Poor web practices on the part of e-commerce firms make phishing attacks even more likely to succeed. For example, many legitimate companies do not use SSL to protect their login page (serious problem with SSL verification toolbar). The security indicators generally prove too much for the user whose primary goal is to finish of his task in any way.
Recommendations • Active interruption like the popup warnings are far more effective than the passive warnings displayed in the toolbars. • Warnings that propose an alternative path (e.g. directing users to the real intended site) allowing users to finish the task safely would probably be more effective. • If users have to make security critical decisions, it is best to integrate the security concerns into the critical path of their tasks so that they have to deal with it and can’t simply ignore it. • Finally, internet companies should need to follow some standard practices to better distinguish their sites from malicious phishing attacks. For example, using single domain name that matches company’s brand name rather than using IP addresses or multiple domain names for servers.
Questions?? Thanks!!

Recommandé

Strategies to handle Phishing attacks
Strategies to handle Phishing attacksStrategies to handle Phishing attacks
Strategies to handle Phishing attacksSreejith.D. Menon
 
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks Er. Rahul Jain
 
Anti phishing
Anti phishingAnti phishing
Anti phishingShethwala Ridhvesh
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposedtamfin
 
Intro phishing
Intro phishingIntro phishing
Intro phishingSayali Dayama
 
UW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessUW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessNicholas Davis
 
Phishing
PhishingPhishing
PhishingArpit Patel
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 

Recommandé

Strategies to handle Phishing attacks
Strategies to handle Phishing attacksStrategies to handle Phishing attacks
Strategies to handle Phishing attacksSreejith.D. Menon
 
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks
Phishing attacks, Types Of Phishing Attacks, How To Avoid Phishing Attacks Er. Rahul Jain
 
Anti phishing
Anti phishingAnti phishing
Anti phishingShethwala Ridhvesh
 
Phishing exposed
Phishing exposedPhishing exposed
Phishing exposedtamfin
 
Intro phishing
Intro phishingIntro phishing
Intro phishingSayali Dayama
 
UW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessUW School of Medicine Social Engineering and Phishing Awareness
UW School of Medicine Social Engineering and Phishing AwarenessNicholas Davis
 
Phishing
PhishingPhishing
PhishingArpit Patel
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Phishing technology
Phishing technologyPhishing technology
Phishing technologyPreeti Papneja
 
Phishing
PhishingPhishing
PhishingJayaseelan Vejayon
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on PhishingCreative Technology
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threatsourav newatia
 
Phishing 101 General Course
Phishing 101 General CoursePhishing 101 General Course
Phishing 101 General CourseAaron Keating
 
Phishing attack
Phishing attackPhishing attack
Phishing attackRaghav Chhabra
 
Phishing
PhishingPhishing
PhishingSagar Rai
 
HACKING AND PHISHING
HACKING AND PHISHINGHACKING AND PHISHING
HACKING AND PHISHINGsanthuana sg
 
secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger Abhishek Hirapara
 
Phishing technology
Phishing technologyPhishing technology
Phishing technologyharpinderkaur123
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N Gbensonoo
 
Phishing scams in banking ppt
Phishing scams in banking pptPhishing scams in banking ppt
Phishing scams in banking pptKrishma Sandesra
 
Phishing
PhishingPhishing
PhishingSyeda Javeria
 
Phishing
PhishingPhishing
Phishingoitaoming
 
phishing and pharming - evil twins
phishing and pharming - evil twinsphishing and pharming - evil twins
phishing and pharming - evil twinsNilantha Piyasiri
 
Phishing & Pharming
Phishing & PharmingPhishing & Pharming
Phishing & PharmingDevendra Yadav
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafeCheapSSLsecurity
 
A Review on Antiphishing Framework
A Review on Antiphishing FrameworkA Review on Antiphishing Framework
A Review on Antiphishing FrameworkIJAEMSJORNAL
 
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...Jason Hong
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 

Contenu connexe

Tendances

Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threatsourav newatia
 
Phishing 101 General Course
Phishing 101 General CoursePhishing 101 General Course
Phishing 101 General CourseAaron Keating
 
HACKING AND PHISHING
HACKING AND PHISHINGHACKING AND PHISHING
HACKING AND PHISHINGsanthuana sg
 
secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger Abhishek Hirapara
 
Web application security
Web application securityWeb application security
Web application securityJin Castor
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N Gbensonoo
 
Phishing scams in banking ppt
Phishing scams in banking pptPhishing scams in banking ppt
Phishing scams in banking pptKrishma Sandesra
 
phishing and pharming - evil twins
phishing and pharming - evil twinsphishing and pharming - evil twins
phishing and pharming - evil twinsNilantha Piyasiri
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafeCheapSSLsecurity
 
A Review on Antiphishing Framework
A Review on Antiphishing FrameworkA Review on Antiphishing Framework
A Review on Antiphishing FrameworkIJAEMSJORNAL
 

Tendances (20)

Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Phishing
PhishingPhishing
Phishing
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
 
Phishing 101 General Course
Phishing 101 General CoursePhishing 101 General Course
Phishing 101 General Course
 
Phishing attack
Phishing attackPhishing attack
Phishing attack
 
Phishing
PhishingPhishing
Phishing
 
HACKING AND PHISHING
HACKING AND PHISHINGHACKING AND PHISHING
HACKING AND PHISHING
 
secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger secure from Phishing Hacking and Keylogger
secure from Phishing Hacking and Keylogger
 
Phishing technology
Phishing technologyPhishing technology
Phishing technology
 
Web application security
Web application securityWeb application security
Web application security
 
P H I S H I N G
P H I S H I N GP H I S H I N G
P H I S H I N G
 
Phishing scams in banking ppt
Phishing scams in banking pptPhishing scams in banking ppt
Phishing scams in banking ppt
 
Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
phishing and pharming - evil twins
phishing and pharming - evil twinsphishing and pharming - evil twins
phishing and pharming - evil twins
 
Phishing & Pharming
Phishing & PharmingPhishing & Pharming
Phishing & Pharming
 
Phishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You SafePhishing Scams: 8 Helpful Tips to Keep You Safe
Phishing Scams: 8 Helpful Tips to Keep You Safe
 
A Review on Antiphishing Framework
A Review on Antiphishing FrameworkA Review on Antiphishing Framework
A Review on Antiphishing Framework
 

Similaire à Do security toolbars actually prevent phishing attacks

User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...Jason Hong
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsIRJET Journal
 
Web security ppt sniper corporation
Web security ppt sniper corporationWeb security ppt sniper corporation
Web security ppt sniper corporationsharmaakash1881
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
The Battle Against Phishing:Dynamic Security Skins
The Battle Against Phishing:Dynamic Security SkinsThe Battle Against Phishing:Dynamic Security Skins
The Battle Against Phishing:Dynamic Security SkinsRaj Kumar
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Chapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyChapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyAnjan Mahanta
 
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...GIRISHKUMARBC1
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxMohammedYusuf609377
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupBrian Pichman
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 

Similaire à Do security toolbars actually prevent phishing attacks (20)

User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
User Interfaces and Algorithms for Fighting Phishing, at Google Tech Talk Jan...
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing Tools
 
Phishing
PhishingPhishing
Phishing
 
Web security ppt sniper corporation
Web security ppt sniper corporationWeb security ppt sniper corporation
Web security ppt sniper corporation
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_Report
 
How I Will Phish You
How I Will Phish You How I Will Phish You
How I Will Phish You
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
The Battle Against Phishing:Dynamic Security Skins
The Battle Against Phishing:Dynamic Security SkinsThe Battle Against Phishing:Dynamic Security Skins
The Battle Against Phishing:Dynamic Security Skins
 
Anti-Phishing Phil
Anti-Phishing PhilAnti-Phishing Phil
Anti-Phishing Phil
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Amazon & E Bay
Amazon & E BayAmazon & E Bay
Amazon & E Bay
 
Chapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & SafetyChapter 4 E-Safety and Health & Safety
Chapter 4 E-Safety and Health & Safety
 
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
Cyber Security Module 3.pptx Cybersecurity is the practice of protecting syst...
 
TM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptxTM112 Meeting10-Dangerous Data.pptx
TM112 Meeting10-Dangerous Data.pptx
 
Cybersecurity Training
Cybersecurity TrainingCybersecurity Training
Cybersecurity Training
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library Setup
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Exploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In PhishingExploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In Phishing
 
12990739.ppt
12990739.ppt12990739.ppt
12990739.ppt
 

Plus de Pankaj Saharan

Startup Equity - Startup summer camp, 2014
Startup Equity - Startup summer camp, 2014Startup Equity - Startup summer camp, 2014
Startup Equity - Startup summer camp, 2014Pankaj Saharan
 
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...Pankaj Saharan
 
Demand-supply-analysis (Nokia)
Demand-supply-analysis (Nokia)Demand-supply-analysis (Nokia)
Demand-supply-analysis (Nokia)Pankaj Saharan
 
Porter's 5 forces analysis - Nokia
Porter's 5 forces analysis - NokiaPorter's 5 forces analysis - Nokia
Porter's 5 forces analysis - NokiaPankaj Saharan
 
PESTE analysis - Nokia
PESTE analysis - NokiaPESTE analysis - Nokia
PESTE analysis - NokiaPankaj Saharan
 
Service Oriented & Model Driven Architectures
Service Oriented & Model Driven ArchitecturesService Oriented & Model Driven Architectures
Service Oriented & Model Driven ArchitecturesPankaj Saharan
 
Web Services Foundation Technologies
Web Services Foundation TechnologiesWeb Services Foundation Technologies
Web Services Foundation TechnologiesPankaj Saharan
 
Building an effective product strategy (Early stage start-ups) - UX India, 2013
Building an effective product strategy (Early stage start-ups) - UX India, 2013Building an effective product strategy (Early stage start-ups) - UX India, 2013
Building an effective product strategy (Early stage start-ups) - UX India, 2013Pankaj Saharan
 

Plus de Pankaj Saharan (9)

Startup Equity - Startup summer camp, 2014
Startup Equity - Startup summer camp, 2014Startup Equity - Startup summer camp, 2014
Startup Equity - Startup summer camp, 2014
 
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...
Enterprise job vs Entrepreneurship @ Entrepreneurship Days Event, Lahti, Finl...
 
Demand-supply-analysis (Nokia)
Demand-supply-analysis (Nokia)Demand-supply-analysis (Nokia)
Demand-supply-analysis (Nokia)
 
Porter's 5 forces analysis - Nokia
Porter's 5 forces analysis - NokiaPorter's 5 forces analysis - Nokia
Porter's 5 forces analysis - Nokia
 
PESTE analysis - Nokia
PESTE analysis - NokiaPESTE analysis - Nokia
PESTE analysis - Nokia
 
VOIP services
VOIP servicesVOIP services
VOIP services
 
Service Oriented & Model Driven Architectures
Service Oriented & Model Driven ArchitecturesService Oriented & Model Driven Architectures
Service Oriented & Model Driven Architectures
 
Web Services Foundation Technologies
Web Services Foundation TechnologiesWeb Services Foundation Technologies
Web Services Foundation Technologies
 
Building an effective product strategy (Early stage start-ups) - UX India, 2013
Building an effective product strategy (Early stage start-ups) - UX India, 2013Building an effective product strategy (Early stage start-ups) - UX India, 2013
Building an effective product strategy (Early stage start-ups) - UX India, 2013
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 

Dernier (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

Do security toolbars actually prevent phishing attacks

  • 1. Do Security Toolbars Actually Prevent Phishing Attacks (Written by: Min Wu, Robert C. Miller, Simson L. Garfinkel) Pankaj Saharan Helsinki University of Technology
  • 2. Agenda • • • • • • • Introduction Why Phishing works Types of phishing attacks One solution: Security toolbars Initial design issues User studies Conclusions and recommendations
  • 3. Introduction • Phishing attacks typically use legitimatelooking but fake emails and websites to deceive users into disclosing personal or financial information to the attacker • A significant threat to Internet users today • Phishing is a model problem for illustrating usability concerns of privacy and security
  • 4. Why Phishing works?? • • • • • Human Behavior Lack of knowledge Lack of attention Visual deception …..
  • 5. Types of phishing attacks Similar-name attack: One way that users authenticate web sites is by examining the URL displayed in the address bar, attackers can use a hostname that bears a superficial similarity to the imitated site’s hostname. For example, www.bestbuy.com.ww2.us to spoof bestbuy.com. IP-address attack: Another way to obscure a server’s identity is to display it as an IP address, e.g., http://212.85.153.6/ to spoof bestbuy.com. Hijacked-server attack: Attackers sometimes hijack a server at a legitimate company and then use the server to host phishing attacks. For example, hijacked site www.btinternet.com to spoof bestbuy.com. Popup-window attack: A popup-window attack displays the real site in the browser but puts a borderless window from the phishing site on top to request the user’s personal information. PayPal attack: Unlike the other attacks, which simulate man-in-the-middle behavior while displaying the real web site, this attack requests not only a PayPal username and password, but credit card and bank account information.
  • 6. One solution: Security Toolbars • Security toolbars in a web browser show security related information about a website to help users detect phishing attacks Some commonly used security toolbars are: • Spoofstick: It displays the website’s real domain name in order to expose phishing sites that obscure their domain name e.g for spoof site www.paypal.com.wws2.us, Spoofstick would display this domain as wws2.us • Netcraft toolbar: It displays information about the site including the domain’s registration date, hosting country and popularity among other toolbar users. • Trustbar: It makes secure web connections (SSL) more visible by displaying the logos of the website and its certificate authority (CA). This is useful against phishing because many legitimate websites use SSL to encrypt the user’s sensitive data transimission, but most phishing sites do not. • eBAY’s Account Guard: It shows a green icon to indicate that the current site belongs to eBay or PayPal, a red icon to indicate a known phishing site found on a blacklist maintained by eBay and a gray for all other sites. • Spoofguard: It calculates a spoof score for the current web page using a set of heuristics derived from previous phishing attacks. Then it shows a particular color to indicate the site’s legitimacy on the basis of the score.
  • 7.
  • 8. Initial design issues • Secondary goal: Users may not care about the toolbar’s display even if they do notice about it because security toolbar shows security related information which is generally not the primary goal of user in web browsing. • Small area: A toolbar is a small display in the peripheral area of the browser, compared to the large main window that displays the web content. Users may not pay enough attention to the toolbar at the right times to notice an attack. • False Alarms: If a toolbar sometimes makes mistakes and identifies legitimate sites as phishing sites, users may learn to distrust the toolbar. Then, when the toolbar correctly identifies a phishing site, the user may not believe it.
  • 9. User Studies • To simplify the study design, the five existing toolbars were combined into three categories: – neutral information toolbar (Spoofstick and Netcraft) – SSL-verification toolbar (Trustbar) – system-decision toolbar (eBay Account Guard and Spoofguard) • Users in the studies interacted with a simulated Internet Explorer built inside an HTML application running in full screen mode
  • 10.
  • 11. User studies….(contd.) • The studies set up dummy accounts in the name of “John Smith” at various legitimate e-commerce websites • Users were asked to work as his personal assistants and protect his passwords • The task was to process 20 mail messages, most of which were requests by John to handle a forwarded message from an e-commerce site • The attacks were divided into wish-list attacks and paypal attack • A tutorial mail appeared in the middle of the study, as 11th of the 20 mails.
  • 12. User studies….(contd.) • A total of 30 users (all atleast had college education) • 14 males and 16 females • Average age was 27 (ranging from 18-50) • All of them had previous experience of online shopping via one or the other ecommerce sites Risk: Care for the security of the person.
  • 13. Study 1: Wish list attacks
  • 14. Results of wish-list attacks • 17 subjects (85%) were spoofed by the web content • 12 subjects (60%) were spoofed by URLs • 9 subjects (45%) were doing their primary tasks at hand • 5 subjects (25%) did not notice the toolbar display at all for some attacks • 1 subject clicked on the links to check for authenticity
  • 15. Learning effects of tutorial mail
  • 16. Paypal attack • 5 users were spoofed by paypal attack (4 were real life uesrs) • Reasons: – psychological thinking of being familiar – checking content for authenticity – Requirement!
  • 17. User study 2 • To check the effectiveness of pop-up warning messages • A pop-up is a very aggressive warning, disrupting the user’s task – So it must be accurate or would be disabled • 20 users aged 19 to 37 (average 23) • 18 were college students and 13 were male
  • 18. Pop up warning message
  • 19. Pop warning messages: inferences • 4 users were spoofed • None of the four spoofed subjects offered that the content of the page was convincing as a reason that they were spoofed • Two subjects believed the warning and knew the site was phishing, but still wanted to complete the task. • The other two subjects did not trust the blocking warning box. One said that he had never seen such a warning before. The other thought that the warning was wrong.
  • 20. Conclusion: Toolbars effectiveness analysis • • • • • • The neutral information toolbars only provide website information such as domain name, hostname, registration date, hosting country etc. With this information, users must use their own judgment and experience to decide whether a site is legitimate or phishing. The system decision toolbars show warning signal for a fraudulent site. This display is easy for the user to interpret but it requires the user to trust the toolbar’s decision process which is generally hidden from the user. Similar is the case with SSL verification toolbars. Generally the security toolbars are not clearly interpreted by the user. Mostly the toolbar looks like an advertisement banner, so it becomes unclear whether it is put there by the browser or the website. Many users depend on the web content to authenticate the site’s identity. Even though they are cautious and notice suspicious signs from the browser’s security indicators, since these signals are weak compared to the strong signals from convincing web content, the users tend to ignore or explain away the security indicators. Poor web practices on the part of e-commerce firms make phishing attacks even more likely to succeed. For example, many legitimate companies do not use SSL to protect their login page (serious problem with SSL verification toolbar). The security indicators generally prove too much for the user whose primary goal is to finish of his task in any way.
  • 21. Recommendations • Active interruption like the popup warnings are far more effective than the passive warnings displayed in the toolbars. • Warnings that propose an alternative path (e.g. directing users to the real intended site) allowing users to finish the task safely would probably be more effective. • If users have to make security critical decisions, it is best to integrate the security concerns into the critical path of their tasks so that they have to deal with it and can’t simply ignore it. • Finally, internet companies should need to follow some standard practices to better distinguish their sites from malicious phishing attacks. For example, using single domain name that matches company’s brand name rather than using IP addresses or multiple domain names for servers.