Web wallet: preventing phishing attacks by revealing user intentions
Source: ACM International Conference Proceeding Series, Vol. 149
Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS 2006), Pittsburgh, Pennsylvania
Session: Catching phish
Pages: 102-113
Year of Publication: 2006
ISBN: 1-59593-448-0
Authors
Min Wu  MIT Computer Science and Artificial Intelligence Lab, Cambridge, MA
Robert C. Miller  MIT Computer Science and Artificial Intelligence Lab, Cambridge, MA
Greg Little  MIT Computer Science and Artificial Intelligence Lab, Cambridge, MA
Publisher
ACM  New York, NY, USA
DOI: 10.1145/1143120.1143133 (http://doi.acm.org/10.1145/1143120.1143133)

ABSTRACT

We introduce a new anti-phishing solution, the Web Wallet. The Web Wallet is a browser sidebar which users can use to submit their sensitive information online. It detects phishing attacks by determining where users intend to submit their information and suggests an alternative safe path to their intended site if the current site does not match it. It integrates security questions into the user's workflow so that its protection cannot be ignored by the user. We conducted a user study on the Web Wallet prototype and found that the Web Wallet is a promising approach. In the study, it significantly decreased the spoof rate of typical phishing attacks from 63% to 7%, and it effectively prevented all phishing attacks as long as it was used. A majority of the subjects successfully learned to depend on the Web Wallet to submit their login information. However, the study also found that spoofing the Web Wallet interface itself was an effective attack. Moreover, it was not easy to completely stop all subjects from typing sensitive information directly into web forms.
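The intention check the abstract describes, as an added example that is not the authors' Web Wallet code: a wallet card records the origin the user registered for a site; when the user picks a card to fill a form, the check compares that card's origin with the origin of the page that is asking for the data, and on a mismatch withholds the data and offers the registered origin as the safe path. The wallet entries, site names (reserved `.test` domains) and function names below are constructed for illustration and are not from the paper.

```javascript
// Added illustration of intention matching; not the Web Wallet prototype's code.
// A wallet card records the origin the user registered for a site. The sidebar
// asks which card the user intends to use, then compares that card's origin with
// the origin of the page currently requesting the data.

// Constructed sample wallet with hypothetical sites (reserved .test TLD).
const sampleWallet = [
  { id: "bank", label: "Example Bank", origin: "https://www.example-bank.test" },
  { id: "shop", label: "Example Shop", origin: "https://shop.example.test" },
];

// Origin = scheme + host (+ non-default port). Path, query and page content are
// under the phisher's control, so they carry no weight in the decision.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Returns { safe: true, origin } when the page matches the chosen card, otherwise
// { safe: false, reason, intendedUrl } where intendedUrl is the registered origin
// the sidebar should offer to navigate to instead of filling the form.
function checkSubmission(currentUrl, wallet, chosenCardId) {
  const card = wallet.find((c) => c.id === chosenCardId);
  if (!card) {
    throw new Error(`no wallet card with id ${chosenCardId}`);
  }

  let currentOrigin;
  try {
    currentOrigin = originOf(currentUrl);
  } catch (e) {
    // Unparseable page URL: never release data on a URL we cannot classify.
    return { safe: false, reason: "unparseable page URL", intendedUrl: card.origin };
  }

  if (currentOrigin === card.origin) {
    return { safe: true, origin: currentOrigin };
  }

  // Mismatch: the user intends to talk to card.origin but the page is somewhere
  // else (look-alike host, plain http, userinfo trick, ...). Do not fill the form.
  return {
    safe: false,
    reason: `page origin ${currentOrigin} is not the registered origin ${card.origin}`,
    intendedUrl: card.origin,
  };
}

// Cards whose origin matches the current page, so the sidebar can pre-select one
// and fall back to asking the user when nothing matches.
function cardsForPage(currentUrl, wallet) {
  let currentOrigin;
  try {
    currentOrigin = originOf(currentUrl);
  } catch (e) {
    return [];
  }
  return wallet.filter((c) => c.origin === currentOrigin);
}

// Stand-alone demonstration on constructed page URLs.
for (const url of [
  "https://www.example-bank.test:443/login?next=/accounts",
  "http://www.example-bank.test/login",
  "https://www.example-bank.test.evil.test/login",
  "https://www.example-bank.test@evil.test/",
]) {
  console.log(url, "->", JSON.stringify(checkSubmission(url, sampleWallet, "bank")));
}
```

Comparing the whole origin rather than looking for the expected name inside the host defeats the look-alike subdomain and the `user@host` trick in the sample, and rejects plain-http copies of an https site. The abstract's two caveats still apply to any such check: it protects only data that goes through the wallet, not data the user types straight into the page's form, and it is only as trustworthy as the sidebar interface itself, which the study found could be spoofed.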

