DOI: 10.1145/1073001.1073009

The battle against phishing: Dynamic Security Skins

Published: 06 July 2005

Abstract

Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users.

We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme.

We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields.

Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match.

We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
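An added example (not code from the paper) of the independent-computation idea in the abstract: the browser and the genuine server each derive the same per-user, per-transaction skin from a secret they share, so the two renderings match, while a spoofing page that lacks the secret cannot reproduce it. The HMAC-based seed derivation, the text-shade pattern standing in for the paper's generated image, and the pre-established shared secret are all assumptions for illustration; the abstract does not describe the paper's actual image generation or key establishment.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: assumed to come from an earlier mutual
# authentication step between browser and server (the abstract does not
# say how the paper establishes it). A spoofing site does not know it.
SHARED_SECRET = b"constructed-shared-secret-for-demo"

# Five shades used as a stand-in for an abstract image.
PALETTE = ".:-=#"


def skin_seed(secret: bytes, site: str, transaction_id: str) -> bytes:
    """Per-user, per-transaction seed that both sides can compute."""
    msg = site.encode() + b"\x00" + transaction_id.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def render_skin(seed: bytes, width: int = 8, height: int = 4) -> list[str]:
    """Expand the seed deterministically into a width x height pattern."""
    stream = b""
    counter = 0
    while len(stream) < width * height:
        stream += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    rows = []
    for r in range(height):
        row = stream[r * width:(r + 1) * width]
        rows.append("".join(PALETTE[b % len(PALETTE)] for b in row))
    return rows


def skins_match(expected: list[str], received: list[str]) -> bool:
    """Compare the skin the browser computed with the one the page shows.
    In the scheme the user does this comparison visually; here it is a
    constant-time string comparison."""
    return hmac.compare_digest("\n".join(expected), "\n".join(received))


def demo(site: str = "bank.example", txn: str = "txn-0001") -> tuple[bool, bool]:
    """Return (genuine server matches, spoofing site matches)."""
    browser_skin = render_skin(skin_seed(SHARED_SECRET, site, txn))
    server_skin = render_skin(skin_seed(SHARED_SECRET, site, txn))
    # A spoofing site has no shared secret, so its skin is effectively random.
    spoof_skin = render_skin(skin_seed(secrets.token_bytes(32), site, txn))
    return skins_match(browser_skin, server_skin), skins_match(browser_skin, spoof_skin)
```

Because the transaction id is part of the seed, a skin captured from one transaction does not match the next one, which is what makes a per-transaction image harder to replay than a static per-user one.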


Published In

SOUPS '05: Proceedings of the 2005 Symposium on Usable Privacy and Security, July 2005, 123 pages. ISBN: 1595931783. DOI: 10.1145/1073001

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

Overall acceptance rate: 15 of 49 submissions (31%)
