Forcing Johnny to Login Safely

Amir Herzberg and Ronen Margulies, Bar Ilan University

Agenda
- Introduction: phishing, current defenses & user studies
- Psychology: principles of effective defense mechanisms
- Long-term user study & results
- Usability issues

Some Phishing Numbers
- Huge number of attacks (antiphishing.org)
- $3.2 billion lost in the US alone in 2007 (Gartner)
- Some recent cyber hacks: `spear phishing' at Lockheed Martin; DigiNotar: rogue SSL certificates issued for CIA, MI6, Mossad, Google, Facebook, Skype and Yahoo domains

[Chart: number of phishing attacks per half-year, 1H2008 to 2H2010; y-axis 0 to 140,000]

Current Defenses: Passive Indicators
- Basic browser indicators
  - Name of site & CA (from the certificate)
  - Warnings
- User-custom text/image for the site (e.g. Yahoo!'s sign-in seal)

Previous Studies
- Short-term lab studies
- Participants aware of the study's purpose: more cautious than in real life
  - Rather high detection rates, 63-95% [DTH06, WMG06, HJ08]
  - Low detection rates, 3-40% [DTH06, WMG06, SD*07]
- Participants unaware of the study's purpose: less cautious than in real life
  - Very low detection rates, 0-8% [WMG06, SD*07, HJ08]

Goals, Method & Contribution
- Goals: realistic evaluation of defense mechanisms; find effective mechanisms, for both detection and prevention
- Method: long-term experiment on a real-purpose system, so awareness of the study is not a problem (more reliable results)
- Results: highly effective new mechanisms, best results when combined: 82% detection rate, 93% overall resistance rate

Agenda
- Introduction: phishing, current defenses & studies
- Psychology: principles of effective mechanisms
- Long-term user study & results
- Usability issues

Users' Responses on the Web
- Click-whirr response: a mindless response to a repeating situation
- [C08][KTW09]: click-whirr responses allow phishing
  - Automatic submission of credentials
  - Automatic following of links: email, sites, homepage
- Most logins are not harmful, so it's easier to just skip checking passive indicators, especially since users' primary goal isn't security!
- Solutions? Forcing functions; negative training functions

Forcing Functions
- A forcing function prevents users from progressing with their task until they take a certain action
  - Term from the human reliability field; [KTW09] suggested them for usable security
- Method: the site obliges users to take safe actions during each login
  - With sufficient training, these safe actions become click-whirr responses themselves
- Examples of forcing-function login mechanisms: interactive custom indicators; login bookmarks

Interactive Custom Indicators
- Force users to click them in order to login
- Browser-side solution: Passpet [YS06] submits the password when the user clicks the custom pet image
- Server-side solution: the site hides the password text field until the user clicks his custom image
  - Variation: several images on the login page

Login Bookmarks
- The user must click on a bookmark to login
- Advantages: assures the correct URL and SSL; gives prevention, not only detection
- Suggested by Adida [A07], not yet tested
- The bookmark contains a secret token, used as the 1st authenticator
  - Without a valid token, the site refuses the login
  - The password is used as the 2nd authenticator
- Combining with interactive custom images
  - The token enables displaying the correct image
  - Provides defense-in-depth: prevention + detection
  - Provides 2x2 (two-factor and two-sided) authentication

Bookmark + Interactive Image Login Ceremony (Alice, her browser, mysite.com)
1. Alice types mysite.com/login.php; the browser sends GET /login.php without a token
   -> mysite.com replies: "You should login via your bookmark", which the browser shows Alice
2. Alice clicks her bookmark; the browser sends GET /login.php with the secret token
   -> mysite.com replies with login.php + Alice's custom image, which the browser displays
3. Alice clicks her image; this enables password submission
4. Alice submits her password; the browser sends the password to mysite.com


Forcing Functions aren't Enough
- How to defeat forcing functions? Bypass them with dangerous actions, e.g. following a link to a spoofed login page instead of clicking the bookmark
- This needs training against dangerous actions
- Negative training functions: make users experience failure when they take dangerous actions
- Two mechanisms:
  - "Non-working" links in the site's email announcements
  - "Non-working" account-entrance button on the site's home page

Agenda
- Introduction: phishing, current defenses & studies
- Psychology: principles of effective mechanisms
- Long-term user study & results
- Usability issues

User Study
- Online exercise submission system; ~400 computer science students
- Used the system regularly for 3 semesters: submitted exercises, received new-grade emails
- Dozens to hundreds of logins per user
- Each user was randomly assigned:
  - A login method: image only, bookmark only, bookmark+image, bookmark+4 images, none
  - An email method: no link, no link+warning, link

Negative Training Functions
- Bookmark & link users received "non-working" links: an error message at the site's login page
- Account-entrance button at the homepage: worked for non-bookmark users; "did not work" for bookmark users (same error message)

Simulated Attacks
- All attacks invoked with low probabilities; spoofed sites allowed login
- Classic phishing attack
- Malicious bookmark replacement
- Spoofed home page attack
- Pharming attack: (recent) browsers display an error page
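The following is an added example, not code from the study or its submission system: a minimal server-side model of the bookmark + interactive image ceremony (slides 10-12), of the token-less entry points that serve as negative training functions (slides 22 and 25), and of why a spoofed site in the classic phishing and bookmark-replacement attacks (slide 26) cannot show the victim's custom image. The host name mysite.com and the path login.php are taken from the slides; the token being carried in a query parameter, the 1 real + 3 decoy images, the file-name image identifiers and the per-account (rather than per-session) click state are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

SITE_URL = "https://mysite.com/login.php"        # host and path as on the slides
BOOKMARK_ERROR = "You should login via your bookmark"


@dataclass
class Account:
    password: str
    image: str                   # the user's custom image (a file name here)
    token: str                   # secret bookmark token, the 1st authenticator
    image_clicked: bool = False  # would be per-session state in a real site


class LoginSite:
    """Server side of the ceremony: the bookmark token gates the custom image,
    the image click gates the password field, and token-less entry points
    (email links, the home-page button) end at the error page."""

    DECOYS = ("beach.png", "city.png", "forest.png")  # "bookmark+4 images" variant

    def __init__(self):
        self.accounts = {}       # user name -> Account (assumed in-memory store)

    def enroll(self, user, password, image):
        """Create the account and return the bookmark URL the user stores."""
        token = secrets.token_urlsafe(16)
        self.accounts[user] = Account(password, image, token)
        return f"{SITE_URL}?token={token}"

    def _by_token(self, token):
        for user, acct in self.accounts.items():
            if token is not None and hmac.compare_digest(acct.token.encode(), token.encode()):
                return user, acct
        return None, None

    def login_page(self, token=None):
        """GET /login.php: only a valid token yields the user's image, and the
        password field stays hidden until that image is clicked."""
        user, acct = self._by_token(token)
        if acct is None:
            return {"error": BOOKMARK_ERROR}
        images = [acct.image, *self.DECOYS]
        secrets.SystemRandom().shuffle(images)
        acct.image_clicked = False
        return {"user": user, "images": images, "password_field": False}

    def click_image(self, token, image):
        """Forcing function: only clicking the correct image enables submission."""
        _, acct = self._by_token(token)
        if acct is None:
            return False
        acct.image_clicked = image == acct.image
        return acct.image_clicked

    def submit_password(self, token, password):
        """2nd authenticator; refused unless the image was clicked first."""
        _, acct = self._by_token(token)
        if acct is None or not acct.image_clicked:
            return False
        acct.image_clicked = False
        return hmac.compare_digest(acct.password.encode(), password.encode())

    # Negative training functions: these entry points deliberately carry no
    # token, so for bookmark users they lead to BOOKMARK_ERROR, not to a login.
    def email_link(self):
        return SITE_URL

    def homepage_button(self):
        return SITE_URL


def token_of(url):
    return url.rsplit("token=", 1)[1] if "token=" in url else None


def follow(site, url):
    """What the browser gets when it opens `url` (bookmark or token-less link)."""
    return site.login_page(token_of(url))


def run_ceremony(site, bookmark_url, image, password):
    """Alice clicks her bookmark, clicks her image, then submits her password."""
    token = token_of(bookmark_url)
    if "error" in follow(site, bookmark_url) or not site.click_image(token, image):
        return False
    return site.submit_password(token, password)


def spoofed_site_shows_image(site, user, bookmark_url):
    """Classic phishing or bookmark replacement: the attacker's clone has no
    copy of the token table, so it cannot render the victim's custom image."""
    spoof = LoginSite()                          # attacker's clone, no accounts
    page = spoof.login_page(token_of(bookmark_url))
    return site.accounts[user].image in page.get("images", [])


if __name__ == "__main__":
    site = LoginSite()
    url = site.enroll("alice", "correct horse", "alice_dog.png")   # constructed user
    print(run_ceremony(site, url, "alice_dog.png", "correct horse"))
    print(follow(site, site.email_link()))       # the "non-working" link
    print(spoofed_site_shows_image(site, "alice", url))
```

The model keeps the two authenticators separate: a request without the bookmark token never reaches the image, and a password is rejected unless the correct image was clicked in the same visit, which is what makes the image a forcing function rather than a passive indicator. A pharming attack is not modelled; in the study the browser's certificate error page stops it before any of this logic runs.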

Study Results – Detection Rates
- Significant differences; best results when combined
- Interactive custom image is highly effective: more than twice the detection rates of non-image users

Users' Response to Emails
- Warnings don't help
- The login bookmark is only effective when combined with "non-working" links

Spoofed Home Page Attack Results
- Lower detection rates than for the other attacks: users might highly trust the home page of a familiar site
- Prevention therefore gets higher importance
- Almost all bookmark users tried to enter the site's login page via its home page; all but two stopped trying after 5 attempts or fewer
- Login bookmark + "non-working" account-entrance button = effective prevention

Agenda
- Introduction: phishing, current defenses & studies
- Psychology: principles of effective mechanisms
- Long-term user study & results
- Usability issues

Usability Survey
- 72% want to use login bookmarks for high-value sites, 51% for medium-value sites; bookmark setup is not much of an objection
- Good willingness rates for interactive custom images
- 60% did not feel more protected, and most did not understand the purpose of their mechanisms
  - This contradicts the good results: users don't need a deep understanding for the mechanisms' training to be effective
  - The mechanisms are adequate for the general public; similar results expected for the general public (?)

Conclusions
- Long-term user study measuring the effectiveness of forcing-function and negative-training-function mechanisms
- Interactive custom images doubled the detection rates
- Login bookmarks + non-working links doubled the prevention rates
- Combining all mechanisms: best detection (82%) and overall resistance (93%) rates
- Most users are willing to use the mechanisms, especially for high-value sites
- The mechanisms work even though many users did not understand their purpose

Thank you!