
An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4886)

Abstract

In this usability study of phishing attacks and browser anti-phishing defenses, 27 users each classified 12 web sites as fraudulent or legitimate. By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates, which appear only at legitimate sites, and the effect of reading a help file about security features in Internet Explorer 7. Across all groups, we found that picture-in-picture attacks, which display a fake browser window, were as effective as the most effective of the other phishing techniques tested, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-3-540-77366-5_37



Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Jackson, C., Simon, D.R., Tan, D.S., Barth, A. (2007). An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks. In: Dietrich, S., Dhamija, R. (eds) Financial Cryptography and Data Security. FC 2007. Lecture Notes in Computer Science, vol 4886. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77366-5_27


  • DOI: https://doi.org/10.1007/978-3-540-77366-5_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77365-8

  • Online ISBN: 978-3-540-77366-5

  • eBook Packages: Computer Science (R0)
