Designing ethical phishing experiments: a study of (ROT13) rOnl query features

Full text: PDF (390 KB)

Source: International World Wide Web Conference archive
Proceedings of the 15th international conference on World Wide Web, Edinburgh, Scotland
SESSION: Security, privacy & ethics
Pages: 513 - 522
Year of Publication: 2006
ISBN: 1-59593-323-9

Bibliometrics: Downloads (6 Weeks): 13, Downloads (12 Months): 107, Citation Count: 7
ABSTRACT
We study how to design experiments that measure the success rates of phishing attacks while being both ethical and accurate, two requirements that pull in opposite directions. An ethical experiment must not expose the participants to any risk, and it should be possible for the participants, or representatives thereof, to verify locally that this was the case. At the same time, an experiment is accurate if it is possible to argue why its success rate is neither an upper nor a lower bound on that of a real attack; this may be difficult if the ethics considerations make the participants' perception of the experiment differ from their perception of a real attack. We introduce several experimental techniques that allow us to balance these two requirements, and demonstrate how to apply them using a context-aware phishing experiment on a popular online auction site which we call "rOnl". Our experiments exhibit a measured average yield of 11% per collection of unique users. This study was authorized by the Human Subjects Committee at Indiana University (Study #05-10306).
CITED BY 7

Maritza L. Johnson, Chaitanya Atreya, Adam Aviv, Mariana Raykova, Steven M. Bellovin, Gail Kaiser. RUST: a retargetable usability testbed for website authentication technologies. Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-7, April 14-14, 2008, San Francisco, California.

Chris Karlof, J. D. Tygar, David Wagner. A user study design for comparing the security of registration protocols. Proceedings of the 1st Conference on Usability, Psychology, and Security, p.1-14, April 14-14, 2008, San Francisco, California.

Tim Kindberg, Eamonn O'Neill, Chris Bevan, Vassilis Kostakos, Danaë Stanton Fraser, Tim Jay. Measuring trust in wi-fi hotspots. Proceeding of the twenty-sixth annual SIGCHI conference on Human factors in computing systems, April 05-10, 2008, Florence, Italy.

Ponnurangam Kumaraguru, Yong Rhee, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Elizabeth Nunge. Protecting people from phishing: the design and evaluation of an embedded training email system. Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA.