Speaker: Rachna Dhamija, Harvard University
Title: Security Skins: The Design and Evaluation of Unspoofable, Embedded Security Indicators
I will present empirical evidence about phishing attack strategies that are successful at deceiving general users. We conducted a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. The best phishing sites fooled 90% of participants. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.
Next, I will introduce a new scheme, Security Skins, that allows browsers and remote web servers to present security information in a way that is easy for a human user to verify and hard for an attacker to spoof. The Security Skins browser extension uses two novel interaction techniques to prevent spoofing. First, it uses a user-customized secret to create a trusted path between the user and the browser. Second, security indicators appear at the locus of users' attention, embedded within the webpage and form elements, rather than in the periphery of the browser. I will present the results of a usability study that demonstrates the effectiveness of these techniques in reducing vulnerability to phishing attacks.
Rachna Dhamija is a Postdoctoral Fellow at the Center for Research on Computation and Society at Harvard University. Her research interests span the fields of computer security, human computer interaction and information policy. She received a Ph.D. from the School of Information Management and Systems at U.C. Berkeley in 2005. Her thesis focused on the design and evaluation of usable security systems. Previously, she worked on electronic payment system privacy and security at CyberCash.