Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6879)
Abstract
We present the results of the first long-term user study of site-based login mechanisms which force and train users to log in safely. We found that interactive site-identifying images achieved 70% detection rates, which is significantly better than the results reported for passive indicators [15,8,12]. We also found that login bookmarks, when used together with 'non-working' links, doubled the rate at which users were prevented from reaching spoofed login pages in the first place. Combining these mechanisms provides effective prevention and detection of phishing attacks, and when several images are displayed on the login page, the best detection rates (82%) and overall resistance rates (93%) are achieved. We also introduce the notion of negative training functions, which train users not to take dangerous actions by experiencing failure when taking them.
References
Aaron, G., Rasmussen, R.: Global Phishing Survey: Trends and Domain Name Use in 2H2009. Anti-Phishing Working Group (May 2010), http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf
Adida, B.: Beamauth: two-factor web authentication with a bookmark. In: CCS 2007: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 48–57. ACM, New York (2007)
Bank of America: SiteKey, http://www.bankofamerica.com/privacy/index.cfm?template=sitekey
Cialdini, R.: Influence: Science and Practice, 5th edn. Allyn and Bacon, Boston (2008)
Dhamija, R., Tygar, J.D.: Why phishing works. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590. ACM Press, New York (2006)
Dvorkin, A.: Evaluation of the Tools for User Protection against Web Site and Electronic Mail Based Attacks. Master’s thesis, Bar-Ilan University (December 2008)
Egelman, S., Cranor, L.F., Hong, J.: You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings. In: CHI 2008: Proceeding of the Twenty-sixth Annual SIGCHI Conference on Human Factors in Computing Systems, pp. 1065–1074. ACM, New York (2008)
Herzberg, A.: Why Johnny can’t surf (safely)? Attacks and defenses for web users. Computers & Security (2008)
Herzberg, A., Jbara, A.: Security and identification indicators for browsers against spoofing and phishing attacks. ACM Trans. Internet Techn. 8(4) (2008)
Herzberg, A., Margulies, R.: Long-term user study of forcing and training login mechanisms against phishing. Tech. rep., Bar Ilan University (March 2011), http://submit2.cs.biu.ac.il/WAPP/WAPP_primary.pdf
Karlof, C., Tygar, J.D., Wagner, D.: Conditioned-safe ceremonies and a user study of an application to web authentication. In: SOUPS 2009: Proceedings of the 5th Symposium on Usable Privacy and Security (2009)
Schechter, S., Dhamija, R., Ozment, A., Fischer, I.: The emperor’s new security indicators. In: SP 2007: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pp. 51–65. IEEE Computer Society, Washington, DC, USA (2007)
Schechter, S., Egelman, S., Reeder, R.W.: It’s not what you know, but who you know: a social approach to last-resort authentication. In: CHI 2009: Proceedings of the 27th International Conference on Human Factors in Computing Systems, pp. 1983–1992. ACM, New York (2009)
Sotirakopoulos, A., Hawkey, K., Beznosov, K.: "I did it because I trusted you": Challenges with the study environment biasing participant behaviours. In: SOUPS User Workshop (2010)
Wu, M., Miller, R.C., Garfinkel, S.L.: Do security toolbars actually prevent phishing attacks? In: CHI 2006: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pp. 601–610. ACM, New York (2006)
Microsoft: Better website identification and extended validation certificates in IE7 and other browsers. Microsoft Developer Network IEBlog (November 2005), http://blogs.msdn.com/b/ie/archive/2005/11/21/495507.aspx
Yahoo: What is a sign-in seal?, http://security.yahoo.com/article.html?aid=2006102507
Yee, K.-P., Sitaker, K.: Passpet: convenient password management and phishing protection. In: SOUPS 2006: Proceedings of the Second Symposium on Usable Privacy and Security, pp. 32–43. ACM, New York (2006)
Gartner: Gartner survey shows phishing attacks escalated in 2007; more than $3 billion lost to these attacks (2007), http://www.gartner.com/it/page.jsp?id=565125
Gartner: Gartner says number of phishing attacks on U.S. consumers increased 40 percent in 2008 (2008), http://www.gartner.com/it/page.jsp?id=565125
McAfee SiteAdvisor (2009), http://www.siteadvisor.com/
Author information
Authors and Affiliations
Dept. of Computer Science, Bar Ilan University, Israel
Amir Herzberg & Ronen Margulies
Editor information
Editors and Affiliations
MSIS Department and CIMIC, Rutgers University, Washington Park 1, 07102, Newark, NJ, USA
Vijay Atluri
K.U. Leuven ESAT-COSIC, Kasteelpark Arenberg 10, 3001, Leuven-Heverlee, Belgium
Claudia Diaz
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Herzberg, A., Margulies, R. (2011). Forcing Johnny to Login Safely. In: Atluri, V., Diaz, C. (eds) Computer Security – ESORICS 2011. ESORICS 2011. Lecture Notes in Computer Science, vol 6879. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23822-2_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23821-5
Online ISBN: 978-3-642-23822-2