Abstract
We describe a novel approach to reducing the impact of spoofing through a subtle change in the login process. At the heart of our contribution is the observation that current anti-spoofing technologies fail largely because security and risk are hard to communicate to typical users. Accordingly, our solution is oblivious to whether or not the user was tricked by a fraudster. We achieve this by modifying the user login process and letting the browser or operating system produce different outcomes for a login request depending on whether the site is trusted. Experimental results indicate that our new approach, which we dub “SpoofKiller”, will address approximately 80% of spoofing attempts.
Notes
1. It is against the terms of service of Amazon to ask a user to install a piece of software. While we used the payment methods associated with Amazon Mechanical Turk to pay participants, we did not use their services to recruit participants, and so did not break the terms of service. These users had voluntarily provided contact information in previous interactions, and were contacted in this manner to ask whether they would like to participate.
© 2016 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Jakobsson, M., Siadati, H. (2016). SpoofKiller: You Can Teach People How to Pay, but Not How to Pay Attention. In: Ryan, P., Naccache, D., Quisquater, J.J. (eds.) The New Codebreakers. Lecture Notes in Computer Science, vol. 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_13
DOI: https://doi.org/10.1007/978-3-662-49301-4_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49300-7
Online ISBN: 978-3-662-49301-4