
The Battle Against Phishing: Dynamic Security Skins (2005) [49 citations — 3 self]

by Rachna Dhamija
In SOUPS ’05: Proceedings of the 2005 symposium on Usable privacy and security
http://www.sims.berkeley.edu/~rachna/papers/securityskins.pdf

Abstract:

Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox browser that implements this scheme. We present two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a “skin” that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user’s browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself, the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
