Speaker: Rachna Dhamija, Harvard University
Title: Security Skins: The Design and Evaluation of Unspoofable, Embedded Security Indicators
Abstract:
I will present empirical evidence about phishing attack strategies
that are successful at deceiving general users. We conducted a
usability study in which 22 participants were shown 20 web sites and
asked to determine which ones were fraudulent. The best phishing
sites fooled 90% of participants. We found that 23% of the
participants did not look at browser-based cues such as the address
bar, status bar and the security indicators, leading to incorrect
choices 40% of the time. We also found that some visual deception
attacks can fool even the most sophisticated users. These results
illustrate that standard security indicators are not effective for a
substantial fraction of users, and suggest that alternative
approaches are needed.
Next, I will introduce a new scheme, Security Skins, that allows browsers and remote web servers to present security information in a way that is easy for a human user to verify and hard for an attacker to spoof. The Security Skins browser extension uses two novel interaction techniques to prevent spoofing. First, it uses a user-customized secret to create a trusted path between the user and the browser. Next, security indicators appear at the locus of users' attention, embedded within the web page and form elements, rather than in the periphery of the browser. I will present the results of a usability study that demonstrates the effectiveness of these techniques in reducing vulnerability to phishing attacks.
Biography:
Rachna Dhamija is a Postdoctoral Fellow at the Center for
Research on Computation and Society at Harvard University. Her
research interests span the fields of computer security, human-
computer interaction and information policy. She received a Ph.D.
from the School of Information Management and Systems at U.C.
Berkeley in 2005. Her thesis focused on the design and evaluation
of usable security systems. Previously, she worked on electronic
payment system privacy and security at CyberCash.