Min Wu
Simson L. Garfinkel
ABSTRACT
Security toolbars in a web browser show security-related information about a website to help users detect phishing attacks. Because the toolbars are designed for humans to use, they should be evaluated for usability -- that is, whether these toolbars really prevent users from being tricked into providing personal information. We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars' warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be.
- Anti-Phishing Working Group. eBay -- NOTICE eBay Obligatory Verifying - Invalid User Information. March 9, 2004. http://www.antiphishing.org/phishing_archive/ eBay_03-09-04.htmGoogle Scholar
- Anti-Phishing Working Group. Phishing Activity Trends Report, March 2005. http://antiphishing.org/ APWG_Phishing_Activity_Report_March_2005.pdfGoogle Scholar
- Bank, D. 'Spear Phishing' Tests Educate People About Online Scams. The Wall Street Journal. August 17, 2005.Google Scholar
- BBC News. Passwords revealed by sweet deal. http://news.bbc.co.uk/1/hi/technology/3639679.stmGoogle Scholar
- Chou, N., Ledesma, R., Teraguchi, Y., Mitchell, J.C. Client-Side Defense Against Web-Based Identity Theft. 11th Annual Network and Distributed System Security Symposium (2004).Google Scholar
- Dhamija, R. Tygar, J.D. The Battle Against Phishing: Dynamic Security Skins. Symposium on Usable Privacy and Security (2005), pp. 77--88. Google ScholarDigital Library
- eBay Toolbar and Account Guard. http://pages. ebay.com/help/confidence/account-guard.htmlGoogle Scholar
- Emigh, A. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures. ITTC Report on Online Identity Theft Technology and Countermeasures. October 3, 2005. http://www.antiphishing.org/Phishing-dhs-report.pdfGoogle Scholar
- Federal Bureau of Investigation, Department of Justice. FBI Says Web 'Spoofing' Scams are a Growing Problem. 2003. http://www.fbi.gov/pressrel/pressrel03 /spoofing072103.htmGoogle Scholar
- Fluendy, S. Phishing targeting online outlets. Computer Crime Research Center. March 16, 2005. http://www. crime-research.org/news/03.16.2005/1050/Google Scholar
- Fogg, B.J, et al. What makes Web sites credible?: a report on a large quantitative study. CHI 2001, pp. 61--68. Google ScholarDigital Library
- Google Safe Browsing for Firefox. 2005. http://www.google.com/tools/firefox/safebrowsing/.Google Scholar
- Herzberg, A., Gbara, A. TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks. 2004. http://www.cs.biu.ac.il/~herzbea/Papers/ecommerce/spoofing.htm.Google Scholar
- Jagatic, T., Johnson, N., Jakobsson, M., Menczer, F. Social Phishing. School of Informatics & Dept. of Computer Science, Indiana University. 2005. http:// informatics.indiana.edu/fil/Net/social_phishing.pdfGoogle Scholar
- Leyden, J. US phishing losses hit $500m. The Register. September 29, 2004.Google Scholar
- Netcraft Toolbar. 2004. http://toolbar.netcraft.com/.Google Scholar
- Norman, D. A. Design rules based on analyses of human error. CACM, v26 n4 (April 1983), pp. 254--258. Google ScholarDigital Library
- PassMark. 2005. http://www.passmarksecurity.com/Google Scholar
- Sharif, T. Phishing Filter in IE7, September 9, 2006. http://blogs.msdn.com/ie/archive/2005/09/09/463204.aspxGoogle Scholar
- SpoofStick. 2004. http://www.spoofstick.com/.Google Scholar
- Sullivan, B. Consumers still falling for phish. MSNBC. July 28, 2004. http://www.msnbc.msn.com/id/5519990/Google Scholar
- Whalen, T., Inkpen, K. Gathering Evidence: Use of Visual Security Cues in Web Browsing. Graphics Interface 2005. Google ScholarDigital Library
- Whitten, A., Tygar, J.D. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. 8th Usenix Security Symposium, 1999, pp. 169--184. Google ScholarDigital Library
- Wu, M., Garfinkel, S., Miller, R. Secure Web Authentication with Mobile Phones. DIMACS Workshop on Usable Privacy and Security Software, 2004.Google Scholar
Index Terms
- Do security toolbars actually prevent phishing attacks?
Recommendations
Web wallet: preventing phishing attacks by revealing user intentions
SOUPS '06: Proceedings of the second symposium on Usable privacy and securityWe introduce a new anti-phishing solution, the Web Wallet. The Web Wallet is a browser sidebar which users can use to submit their sensitive information online. It detects phishing attacks by determining where users intend to submit their information ...
Circumventing security toolbars and phishing filters via rogue wireless access points
One of the solutions that has been widely used by naive users to protect against phishing attacks is security toolbars or phishing filters in web browsers. The present study proposes a new attack to bypass security toolbars and phishing filters via ...
Comments