Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson...
Users Are Not Dependable: How to make security indicators that protect them better
Min Wu, Simson Garfinkel, Robert Miller
MIT Computer Science and Artificial Intelligence Lab
User Is Part Of System
• “Weakest link” in operational security systems
• If attackers can easily trick users into compromising their security, they do not have to try hard to directly attack the system.
• A typical attack: Phishing
Security Indicators
• “Look for the lock at the bottom of your browser and ‘https’ in front of the website address.”
More Security Indicators
• SpoofStick
• Netcraft Toolbar
• TrustBar
• eBay AccountGuard
• SpoofGuard
Outline
• Introduction of security indicators
• Anti-phishing user study
• Web authentication using cell phones
• Conclusions
Security Toolbar Abstractions
• Neutral-Information Toolbar: SpoofStick, Netcraft Toolbar
• System-Decision Toolbar: eBay Account Guard, SpoofGuard
• Positive-Information Toolbar: TrustBar
Study Scenario
• We set up dummy accounts as John Smith at various websites
• “You are the personal assistant of John Smith. John is on vacation now. During his vacation, he sometimes sends you emails asking you to do some tasks for him online.”
• “Here is John Smith’s profile.”
Study Scenario
• Users dealt with 20 emails forwarded by John Smith.
• 5 emails were phishing emails.
• Most of the emails were about managing John’s wish lists at various sites
[Figure: the study’s browser layout, with the main frame, the address bar frame (showing http://tigermail.co.kr/cgi-bin/webscrcmd_login.php), the toolbar frame and the status bar frame labelled]
Attack Types
1. Similar-name attack (bestbuy.com vs. www.bestbuy.com.ww2.us)
2. IP-address attack (bestbuy.com vs. 212.85.153.6)
3. Hijacked-server attack (bestbuy.com vs. www.btinternet.com)
4. Popup-window attack
5. Paypal attack
Security Toolbar Display
Legitimate Site vs. Phishing Site
Attack Pattern
[Figure: order of the 20 emails, marking the Paypal attack and the tutorial email; labelled positions 1-9, 10, 11 and 12-20]
Recruitment
• 30 users
  – Recruited at MIT, paid $15 for one hour
  – 10 for each toolbar
  – Average age 27 [18-50]
  – 14 females and 16 males
  – 20 MIT students, 10 not
[Figure: screenshots of the three toolbar types: Neutral-Information toolbar, System-Decision toolbar, Positive-Information toolbar]
Spoof Rates With Different Toolbars
[Chart: spoof rate (0-100%) for the Neutral-Information, Positive-Information and System-Decision toolbars, grouped as Total, Before tutorial and After tutorial; bar labels in the order extracted, not mapped to series: 40%, 54%, 28%, 32%, 39%, 33%, 30%, 35%, 13%]
Spoof Rates With Different Attacks
[Chart: spoof rate per attack type, p = 0.052 (ANOVA): Paypal attack 17%, Popup-window attack 28%, IP-address attack 33%, Hijacked-server attack 43%, Similar-name attack 50%]
Why Did Users Get Fooled?
• 20 out of 30 got fooled by at least one attack. Among the 20 users:
  – 17 (85%) claimed web content is professional or familiar; 7 (35%) depended on security-related content
  – 12 (60%) explained away odd behaviors
    • “I have been to sites that use plain IP addresses.”
    • “Sometimes I go to a website, and it directs me to another site with a different address.”
    • “Yahoo may have just opened a branch in Brazil and thus registered there.”
    • “I must have mistakenly triggered the popup window.”
Results
• Users did not rely on security indicators
  – Depended on web content instead
  – Cannot distinguish poorly designed websites from malicious phishing attacks
Outline
• Introduction of security indicators
• Anti-phishing user study
• Web authentication using cell phones
  – Authentication protocol
  – User study
  – An improved protocol
• Conclusions
Authentication Using Cell Phones
• Prevent people’s passwords from being captured by public computers
• Use trusted cell phone to authenticate login sessions from untrusted public computers
• Checking security indicator is part of the authentication protocol
Authentication Protocol
Parties: User, Internet Kiosk (possibly hostile), Cell Phone (trusted), Security Proxy (trusted), Remote Service
1. The user makes a login attempt from the kiosk.
2. Security Proxy to kiosk: “This login session is named ‘FAITH’.”
3. Security Proxy to cell phone: “Do you approve login session named ‘FAITH’?”
4. The user compares the name shown by the kiosk (“FAITH”) with the name shown by the cell phone (“FAITH”).
5. Cell phone to Security Proxy: “I approve ‘FAITH’.”
6. Security Proxy logs in to the Remote Service for that session.
User Interface
[Cell phone screen]
menu
Session: FAITH
1 [Approve it]
2 [Cancel it]
3 [Lock Account]
Submit   Cancel
Attack Types
• Duplicated attack
• Blocking attack
User Study
• Log in to Amazon.com with a personal computer and a cell phone
• 6 logins in a row
• Attacks were randomly selected and assigned to the 5th or the 6th login
• 20 users
  – Recruited at MIT, paid $10 for one hour
  – Average age 25 [18-43]
  – 9 females and 11 males
  – 16 MIT students, 4 not
Results
• Duplicated attack: 36% (4 successful out of 11 attacks)
  – “There must be a bug in the proxy since the session name displayed in the computer does not match the one in the cell phone.”
• Blocking attack: 22% (2 successful out of 9 attacks)
  – “The network connection must be really slow since the session name has not been displayed.”
• Users failed to follow the protocol
  – Cannot distinguish system failures from malicious attacks
An Improved Protocol
[Cell phone screen]
menu
Choose the same session name as shown in the browser
1 [None of them]
2 [COURTESY]
3 [INHERITS]
4 [FAITH]
5 [OBJECT]
Submit   Cancel
Thanks to Steve Strassman from Orange™
Under Attacks
• Duplicated attack
• Blocking attack
Results
• Login by choosing a correct session name has zero spoof rate!
  – 9 duplicated attacks and 11 blocking attacks
  – There was little chance that the attacker’s list included the user’s session name in the browser
  – Users were forced to attend to the security indicator
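The two protocols above, modelled as an added example (not code from the authors or their proxy): a proxy names each session, and the duplicated attack is a second session that is not the user’s reaching the phone. Under the original Approve/Cancel prompt an inattentive user logs the other session in; under the pick-the-name menu the browser’s name is absent, so the only answer is “None of them”. The word list and kiosk names are constructed, and the decoy rule (never use a live session’s name as a decoy) is an assumed hardening that goes beyond the page.

```python
import random

# Constructed word list standing in for the proxy's session-name dictionary
# (the page shows names such as FAITH, COURTESY, INHERITS and OBJECT).
WORDS = ["FAITH", "COURTESY", "INHERITS", "OBJECT", "HARBOR", "LANTERN",
         "MEADOW", "SILVER", "TIMBER", "VELVET"]


class SecurityProxy:
    """Trusted proxy: names each login session and forwards the login to the
    remote service only after the user's phone confirms that exact name."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # seeded for a repeatable demo only
        self.pending = {}               # session name -> kiosk that opened it

    def new_session(self, kiosk):
        name = self.rng.choice([w for w in WORDS if w not in self.pending])
        self.pending[name] = kiosk      # this name is what the kiosk browser shows
        return name

    def phone_menu(self, name, decoys=3):
        """Improved protocol: the prompted name among random decoys plus
        'None of them'. Assumed hardening: a live session's name is never used
        as a decoy, so another session's list cannot show the user's name."""
        pool = [w for w in WORDS if w != name and w not in self.pending]
        choices = [name] + self.rng.sample(pool, decoys)
        self.rng.shuffle(choices)
        return ["None of them"] + choices

    def decide(self, name, chosen):
        """Log in the kiosk behind `name` only if the phone answered that name."""
        kiosk = self.pending.pop(name, None)
        return kiosk if chosen == name else None


def run_login(proxy, protocol, second_session, user_attentive=True):
    """One login. `second_session` models the page's duplicated attack: a
    session that is not the user's is the one the phone is asked about."""
    browser_name = proxy.new_session("user-kiosk")
    prompted = proxy.new_session("other-kiosk") if second_session else browser_name
    if protocol == "original":
        # Single Approve/Cancel prompt: an inattentive user who explains the
        # mismatch away ('a bug in the proxy') approves whatever name is shown.
        chosen = prompted if prompted == browser_name or not user_attentive else None
    else:
        # The user must find the browser's name in the list; if it is absent
        # the only available answer is 'None of them', whatever they believe.
        menu = proxy.phone_menu(prompted)
        chosen = browser_name if browser_name in menu else "None of them"
    return proxy.decide(prompted, chosen)
```

The return value is the kiosk that gets logged in, or None when the proxy refuses; the blocking attack (no name ever displayed) is not modelled here.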
Conclusions
• Security indicator checking scheme fails
  – Users ignore advice (34% spoof rate)
  – Users do not follow instructions (30% spoof rate)
  – Users cannot distinguish “bugs” from “attacks”
  – Security indicator is not part of the user’s “critical action sequence”
Lesson Learned
• Moving the security indicator into the critical action sequence can better protect users
Users Cared About Security
• 18 out of 30 unchecked “remember me”
• 13 out of 30 logged out (or tried to) after at least one task