Users Are Not Dependable: How to make security indicators that protect them better (PowerPoint PPT presentation)
Presentation Transcript
Users Are Not Dependable: How to make security indicators that protect them better

Min Wu, Simson Garfinkel, Robert Miller

MIT Computer Science and Artificial Intelligence Lab


User Is Part Of System

  • “Weakest link” in operational security systems

  • If attackers can easily trick users into compromising their security, they do not have to try hard to directly attack the system.

  • A typical attack: Phishing


Security Indicators

  • “Look for the lock at the bottom of your browser and ‘https’ in front of the website address.”




More Security Indicators

Netcraft Toolbar



More Security Indicators

eBay Account Guard



Outline

  • Introduction of security indicators

  • Anti-phishing user study

  • Web authentication using cell phones

  • Conclusions


Security Toolbar Abstractions

  • Neutral-Information Toolbar: SpoofStick, Netcraft Toolbar

  • System-Decision Toolbar: eBay Account Guard, SpoofGuard

  • Positive-Information Toolbar: TrustBar


Study Scenario

  • We set up dummy accounts as John Smith at various websites

  • “You are the personal assistant of John Smith. John is on vacation now. During his vacation, he sometimes sends you emails asking you to do some tasks for him online.”

  • “Here is John Smith’s profile.”


Study Scenario

  • Users dealt with 20 emails forwarded by John Smith.

  • 5 emails were phishing emails.

  • Most of the emails were about managing John’s wish lists at various sites



Slide 17

[Screenshot: address bar frame, showing http://tigermail.co.kr/cgi-bin/webscrcmd_login.php]


Slide 18

[Screenshot: toolbar frame and status bar frame]


Attack Types

1. Similar-name attack: bestbuy.com → www.bestbuy.com.ww2.us

2. IP-address attack: bestbuy.com → 212.85.153.6

3. Hijacked-server attack: bestbuy.com → www.btinternet.com

4. Popup-window attack

5. PayPal attack


Security Toolbar Display

Legitimate Site vs. Phishing Site



Recruitment

  • 30 users

    • Recruited at MIT, paid $15 for one hour

    • 10 for each toolbar

    • Average age 27 [18-50]

    • 14 females and 16 males

    • 20 MIT students, 10 not

[Figure: Neutral-Information Toolbar, System-Decision Toolbar, Positive-Information Toolbar]




Why Did Users Get Fooled?

  • 20 out of 30 got fooled by at least one attack. Among those 20 users:

    • 17 (85%) claimed web content is professional or familiar; 7 (35%) depended on security-related content

    • 12 (60%) explained away odd behaviors

      • “I have been to sites that use plain IP addresses.”

      • “Sometimes I go to a website, and it directs me to another site with a different address.”

      • “Yahoo may have just opened a branch in Brazil and thus registered there.”

      • “I must have mistakenly triggered the popup window.”


Results

  • Users did not rely on security indicators

    • Depended on web content instead

    • Cannot distinguish poorly designed websites from malicious phishing attacks


Outline

  • Introduction of security indicators

  • Anti-phishing user study

  • Web authentication using cell phones

    • Authentication protocol

    • User study

    • An improved protocol

  • Conclusions


Authentication Using Cell Phones

  • Prevent people’s passwords from being captured by public computers

  • Use trusted cell phone to authenticate login sessions from untrusted public computers

  • Checking security indicator is part of the authentication protocol




Authentication Protocol (slides 31 to 34, built up one step at a time)

1. Login attempt from the untrusted computer

2. “This login session is named ‘FAITH’.” (the session name is displayed in the browser)

3. “Do you approve login session named ‘FAITH’?” (sent to the user’s cell phone)

4. “I approve ‘FAITH’.” (the user compares the name on the phone with the one in the browser, then replies)

5. Log in


Attack Types

Duplicated attack

Blocking attack


User Study

  • Log in to Amazon.com with a personal computer and a cell phone

  • 6 logins in a row

  • Attacks were randomly selected and assigned to the 5th or the 6th login

  • 20 users

    • Recruited at MIT, paid $10 for one hour

    • Average age 25 [18 - 43]

    • 9 females and 11 males

    • 16 MIT students, 4 not


Results

  • Duplicated attack: 36% (4 successful out of 11 attacks)

    • “There must be a bug in the proxy since the session name displayed in the computer does not match the one in the cell phone.”

  • Blocking attack: 22% (2 successful out of 9 attacks)

    • “The network connection must be really slow since the session name has not been displayed.”

  • Users failed to follow the protocol

    • Cannot distinguish system failures from malicious attacks


An Improved Protocol

Thanks to Steve Strassman from Orange™


Under Attacks

Duplicated attack

Blocking attack


Results

  • Login by choosing a correct session name has zero spoof rate!

    • 9 duplicated attacks and 11 blocking attacks

    • There was little chance that the attacker’s list included the user’s session name in the browser

    • Users were forced to attend to the security indicator
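To make the difference between the two protocols concrete, here is an added Python simulation (not code from the presentation or its authors) that covers both the original cell-phone protocol from the Authentication Protocol slides and the improved protocol above, under the duplicated and blocking attacks. The session-name dictionary, the data structure, the function names and the model of a user who explains away a mismatch are all assumptions; the slides only give the name "FAITH" and the two attack types.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed dictionary standing in for the proxy's session-name word list
# (an assumption for this example; the slides only show the name "FAITH").
SESSION_WORDS = ["FAITH", "HOPE", "GRACE", "OCEAN", "MAPLE", "RIVER", "STONE", "EMBER"]


@dataclass
class LoginAttempt:
    session: str                  # name the proxy assigned; the cell phone is told this name
    browser_shows: Optional[str]  # what the untrusted computer displays (None = nothing)


def browser_view(session: str, attack: Optional[str], rng: random.Random) -> Optional[str]:
    """What the user sees on the untrusted computer for a given attack.

    duplicated: the attacker's page shows a session name of its own; it does not
                know the real one, so the name is effectively a guess from the dictionary
    blocking:   the attacker's page shows no session name at all
    """
    if attack is None:
        return session
    if attack == "blocking":
        return None
    if attack == "duplicated":
        return rng.choice(SESSION_WORDS)
    raise ValueError(f"unknown attack {attack!r}")


def original_decision(attempt: LoginAttempt, explains_away: bool) -> bool:
    """Original protocol: the phone asks "Do you approve login session named X?".

    Comparing the two names is advice only; the approve button works either way.
    A user who explains away a mismatch or a blank screen ("bug in the proxy",
    "slow network") still logs in, which is what the user study observed.
    """
    if attempt.browser_shows == attempt.session:
        return True
    return explains_away


def phone_choices(session: str, rng: random.Random, decoys: int = 3) -> List[str]:
    """Improved protocol: the phone offers the real session name mixed with decoys."""
    others = [w for w in SESSION_WORDS if w != session]
    choices = rng.sample(others, decoys) + [session]
    rng.shuffle(choices)
    return choices


def improved_decision(attempt: LoginAttempt, choices: List[str]) -> bool:
    """Improved protocol: the user must tap the name shown in the browser.

    The indicator check is now the action itself: with nothing shown, or with a
    name that is not the real session, there is no correct button to press.
    """
    shown = attempt.browser_shows
    if shown is None or shown not in choices:
        return False
    return shown == attempt.session


def spoof_rate(protocol: str, attack: Optional[str], explains_away: bool,
               trials: int = 1000, seed: int = 1) -> float:
    """Fraction of login attempts under `attack` that end in a completed login."""
    rng = random.Random(seed)
    spoofed = 0
    for _ in range(trials):
        session = rng.choice(SESSION_WORDS)
        attempt = LoginAttempt(session, browser_view(session, attack, rng))
        if protocol == "original":
            ok = original_decision(attempt, explains_away)
        else:
            ok = improved_decision(attempt, phone_choices(session, rng))
        spoofed += ok
    return spoofed / trials


if __name__ == "__main__":
    for attack in ("duplicated", "blocking"):
        print(f"{attack:10s} original protocol, trusting user: "
              f"{spoof_rate('original', attack, True):.2f}   "
              f"improved protocol: {spoof_rate('improved', attack, True):.2f}")
```

Run as a script, the block reports a spoof rate of 1.0 under both attacks for the original protocol with a user who explains away every mismatch, 0 for the improved protocol under the blocking attack, and roughly 1/8 under the duplicated attack, because the attacker has to guess the session name from the eight-word dictionary; a larger dictionary drives that towards zero, which is the "little chance" the slide refers to.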


Conclusions

  • Security indicator checking scheme fails

    • Users ignore advice (34% spoof rate)

    • Users do not follow instructions (30% spoof rate)

    • Users cannot distinguish “bugs” from “attacks”

    • Security indicator is not part of the user’s “critical action sequence”


Lesson Learned

  • Moving the security indicator into the critical action sequence can better protect users


Users Cared About Security

  • 18 out of 30 uncheck “remember me”

  • 13 out of 30 logged out (or tried to) after at least one task


Slide 45

[Screenshot: Legitimate Site vs. Phishing Site]