Proceedings ArticleDOI
The battle against phishing: Dynamic Security Skins
Rachna Dhamija, J. D. Tygar, +1 more
pp. 77-88
TL;DR: A new scheme is proposed, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof.

Abstract:

Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme.

We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match.

We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
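As an added illustration (this is not the paper's code nor the Firefox extension it describes), the following Python model shows the second technique from the abstract: the server and the user's browser each derive the same per-user, per-transaction image from a shared secret, so the browser can compute the image it expects and a party that does not hold the secret cannot produce a matching skin. The password-based key derivation, the binding of the image seed to a server identifier, the transaction identifier, and the small colour-grid rendering are assumptions of this model; the abstract does not specify how the shared secret is established or how the abstract image is drawn.

```python
import hashlib
import hmac
import os

# Assumption: the shared secret is stretched from the user's single
# low-entropy password with a per-user salt. The abstract does not
# say how the secret is established, so this is a modelling choice.
def derive_user_secret(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def image_seed(secret: bytes, server_id: str, transaction_id: bytes) -> bytes:
    # Bind the seed to the server identity and to a fresh transaction id so
    # that every transaction yields a different image (assumed binding).
    msg = server_id.encode() + b"\x00" + transaction_id
    return hmac.new(secret, msg, hashlib.sha256).digest()

def render_skin(seed: bytes, size: int = 4) -> list:
    # Deterministic stand-in for the "abstract image": a size x size grid of
    # RGB cells expanded from the seed. Any deterministic renderer works as
    # long as server and browser use the same one.
    cells = []
    for i in range(size * size):
        stream = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        cells.append((stream[0], stream[1], stream[2]))
    return cells

def skins_match(a: list, b: list) -> bool:
    # The user compares the two images visually; in the model we compare
    # the rendered cells byte for byte.
    flat_a = bytes(c for cell in a for c in cell)
    flat_b = bytes(c for cell in b for c in cell)
    return hmac.compare_digest(flat_a, flat_b)

def demo() -> tuple:
    # Constructed sample run: a legitimate server and the browser agree,
    # while a spoofing site that knows only public values does not.
    salt = os.urandom(16)            # stored per user on the server
    secret = derive_user_secret("correct horse", salt)
    tx = os.urandom(16)              # fresh per transaction, sent in the clear

    server_img = render_skin(image_seed(secret, "bank.example", tx))
    browser_img = render_skin(image_seed(secret, "bank.example", tx))

    # Spoofing site: sees server_id and tx but holds no shared secret.
    spoof_img = render_skin(image_seed(os.urandom(32), "bank.example", tx))

    return skins_match(server_img, browser_img), skins_match(server_img, spoof_img)

if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one the abstract rests on: the skin's unspoofability comes from the seed being a keyed function of a secret the browser holds, not from the image itself being hard to copy, which is why a fresh transaction id is needed so that an image observed once cannot be replayed in a later session.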
Citations
Proceedings ArticleDOI
Why phishing works
TL;DR: This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users by analyzing a large set of captured phishing attacks and developing a set of hypotheses about why these strategies might work.
Journal ArticleDOI
Social phishing
TL;DR: Sometimes a "friendly" email message tempts recipients to reveal more online than they otherwise would, playing right into the sender's hand.
Proceedings ArticleDOI
Cantina: a content-based approach to detecting phishing web sites
TL;DR: The design, implementation, and evaluation of CANTINA, a novel, content-based approach to detecting phishing web sites, based on the TF-IDF information retrieval algorithm, are presented.
Proceedings ArticleDOI
You've been warned: an empirical study of the effectiveness of web browser phishing warnings
TL;DR: Using a model from the warning sciences, how users perceive warning messages is analyzed and suggestions for creating more effective warning messages within the phishing context are offered.
Proceedings ArticleDOI
Do security toolbars actually prevent phishing attacks
TL;DR: It is found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be, and security toolbars are found to be ineffective at preventing phishing attacks.
References
Journal ArticleDOI
Recognition memory for words, sentences, and pictures
TL;DR: This article found that median subjects were able to recognize the old stimuli in 90, 88, or 98% of the test pairs, respectively, in a test set consisting of words, sentences, or pictures.
Proceedings Article
Why Johnny can't encrypt: a usability evaluation of PGP 5.0
Alma Whitten, J. D. Tygar, +1 more
TL;DR: It is concluded that PGP 5.0 is not usable enough to provide effective security for most computer users, despite its attractive graphical user interface, supporting the hypothesis that user interface design for effective security remains an open problem.
Proceedings Article
Déjà Vu: a user study using images for authentication
Rachna Dhamija, Adrian Perrig, +1 more
TL;DR: Deja Vu is a recognition-based authentication system, which authenticates a user through her ability to recognize previously seen images, which is more reliable and easier to use than traditional recall-based schemes, which require the user to precisely recall passwords or PINs.
Journal ArticleDOI
Perception and memory for pictures: Single-trial learning of 2500 visual stimuli
TL;DR: The results of the experiment indicate the vast memory for pictures possessed by human beings and emphasize the need to determine mechanisms by which this is accomplished.
Proceedings Article
The Secure Remote Password Protocol.
TL;DR: This new protocol combines techniques of zero-knowledge proofs with asymmetric key exchange protocols and has significantly improved performance over comparably strong extended methods that resist stolen-verifier attacks such as Augmented EKE or B-SPEKE.