Phishing and Trust


Agenda

Questions?
Phishing
Project feedback
Trust

Phishing: the problem

Statistics from June 2007 Anti-Phishing Working Group: http://www.antiphishing.org/

Number of unique phishing reports received in June: 28888
Number of unique phishing sites received in June: 31709
Number of brands hijacked by phishing campaigns in June: 146
Number of brands comprising the top 80% of phishing campaigns in June: 14
Country hosting the most phishing websites in June: United States
Average time online for site: 3.8 days
Longest time online for site: 30 days
95.2% of attacks in Financial Services industry.
Phishing sites now can also host keyloggers, trojans, and other malware

Not a lot of progress…

Phishing

Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.

Questions:
What are the user interface issues involved in people falling for phishing attacks?
What are the social issues involved?

Why Phishing Works

Lack of knowledge
– Computer systems and security
Visual deception
– Deceptive text, masking images, etc.
Bounded attention
– Lack of attention to security indicators or their absence

User strategies:
– 23%: website content only
– 36%: content and domain name only (address bar)
– 9%: above + “https:”
– 23%: above + padlock icon
– 9%: above + certificates

Dhamija, R., J.D. Tygar, and M. Hearst. Proc. CHI, 2006, pp. 581-590.

Solutions

Improve browser to fix usability issues
Toolbar / browser component to detect phishing sites
– Warn or prevent bad things from happening
– IE7, Firefox 2.0, Netcraft, Google Safe Browsing, eBay toolbar, Earthlink, GeoTrust TrustWatch, Phishtank SiteChecker
Train users
Modify website and strengthen authentication
– List person by name
– Use Sitekey
Take care of spam?

Tool: Earthlink toolbar

Compare: Firefox warning

User training

What should you tell users?

Example: Anti-Phishing Phil
– Study: compared using existing tutorials, new tutorial based on game, and playing game
– All improved overall correctness, game was the best
– All training decreased false negatives
– Only game decreased false positives
– Game better at teaching techniques to use, not just increasing attention
http://cups.cs.cmu.edu/soups/2007/proceedings/p88_sheng.pdf
http://cups.cs.cmu.edu/antiphishing_phil/

Example: http://www.microsoft.com/protect/yourself/phishing/identify.mspx

Improving authentication

SiteKey: Bank of America’s approach
– A unique image + title you choose
– Challenge questions if you don’t log in from a recognized computer
– Still potentially susceptible to real-time, man-in-the-middle attacks (http://www.cr-labs.com/publications/SiteKey-20060718.pdf)

Others?

Social phishing

Or spear phishing
– Appears to be legitimate email from employer, HR, friend, etc.
– Data mined from social networking sites, employer information, etc.
– Worse than plain phishing?

Indiana study: 72% fell for
– Similar to 80% from West Point Military Academy
– Ethical considerations of studying social phishing?

Trust is fundamental to security

Lack of trust results in systems being ill-used or used not at all
Lack of understanding of trust results in wrong decisions or no decisions
Too much trust can be more dangerous than too little
– E.g. I can open any file attachment because I run anti-virus software

What are your strategies?

Scenario: you are buying a product from a new site, what leads you to trust the site and buy from them?

Scenario: you are looking up medical information on a new site, what leads you to trust the site?

Scenario: you consider downloading a new browser plug-in, what leads you to trust the plug-in and download?

Definitions

Book: “Trust concerns a positive expectation regarding the behavior of somebody or something in a situation that entails risk to the trusting party”

Merriam-Webster: “assured reliance on the integrity, ability, or character of a person or thing”

Layers

Dispositional trust
– Psychological disposition or personality trait to be trusting or not
Learned trust
– A person’s general tendency to trust, or not to trust, as a result of experience
Situational trust
– Basic tendencies are adjusted in response to situational cues

Processing strategies

Heuristic approach making quick judgments from the obvious information

Systematic approach involving detailed analysis of information

Models summarization

Increases trust
– Familiarity
– Benevolence
– Integrity
– Comprehensive info
– Shared value
– Credibility
– Good feedback
– Reliability
– Usability

Decreases trust
– Risk
– Transaction cost
– Uncertainty

Losing trust

What are ways to damage trust?
How can you repair damaged trust?

Trust Design Guidelines

1. Ensure good ease of use.
2. Use attractive design.
3. Create a professional image – avoid spelling mistakes and other simple errors.
4. Don’t mix advertising and content – avoid sales pitches and banner advertisements.
5. Convey a “real-world” look and feel – for example, with use of high-quality photographs of real places and people.
6. Maximize the consistency, familiarity, or predictability of an interaction both in terms of process and visually.
7. Include seals of approval such as TRUSTe.
8. Provide explanations, justifying the advice or information given.
9. Include independent peer evaluation such as references from past and current users and independent message boards.
10. Provide clearly stated security and privacy statements, and also rights to compensation and returns.
11. Include alternative views, including good links to independent sites with the same business area.
12. Include background information such as indicators of expertise and patterns of past performance.
13. Clearly assign responsibilities (to the vendor and the customer).
14. Ensure that communication remains open and responsive, and offer order tracking or an alternative means of getting in touch.
15. Offer a personalized service that takes account of each client’s needs and preferences and reflects its social identity.

Credibility

How is this different than trust?

Four Types of Credibility
– Presumed credibility.
– Reputed credibility.
– Surface credibility.
– Experienced credibility.

Stanford Guidelines for Web Credibility

1. Make it easy to verify the accuracy of the information on your site.
2. Show that there's a real organization behind your site.
3. Highlight the expertise in your organization and in the content and services you provide.
4. Show that honest and trustworthy people stand behind your site.
5. Make it easy to contact you.
6. Design your site so it looks professional (or is appropriate for your purpose).
7. Make your site easy to use – and useful.
8. Update your site's content often (at least show it's been reviewed recently).
9. Use restraint with any promotional content (e.g., ads, offers).
10. Avoid errors of all types, no matter how small they seem.

Stanford Persuasive Technology Lab http://www.webcredibility.org/guidelines/

Food for thought

What have you noticed websites doing to increase your trust?

Have you grown more or less trustworthy over time? General public?

Should computers (application designers) trust users?
– Should the system take over and prevent bad things from happening? When?