
Phishing

markus.jakobsson@parc.com
Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that is considered secret in the application layer?
The human factor of security
• Deceit
• Neglect
• Configuration
The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion of Wireless Home Routers” (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)

[Figure: wireless firmware update; wardriving, rootkitting]

Shows that more than 50% of APs are vulnerable
The human factor: configuration
Weak passwords
With Stamm, Ramzan: “Drive-By Pharming” (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple’s are at risk. Firmware update tested on only a few. Paper in submission)

[Figure: wireless settings changed to “Use DNS server x.x.x.x”]

And worse: geographic spread!
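Drive-by pharming works by changing the DNS server the home router hands out. A host-side check a defender can run, added here as an example that is not from the paper: it parses resolv.conf-style text and flags any resolver outside an allowlist of expected networks. The sample file contents and the ISP resolver network 198.51.100.0/24 are constructed assumptions.

```python
import ipaddress

# Constructed sample: what /etc/resolv.conf might look like after the router's
# DHCP-advertised DNS server has been changed. 203.0.113.7 is a documentation
# address standing in for an attacker-controlled resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.example
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

# Resolvers we expect: the home router itself (RFC 1918 space) and, as an
# assumption for this example, the ISP's resolvers in 198.51.100.0/24.
EXPECTED_RESOLVER_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("198.51.100.0/24"),
]

def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass                            # ignore malformed entries
    return servers

def unexpected_resolvers(resolv_conf_text, allowed_networks=EXPECTED_RESOLVER_NETWORKS):
    """Resolver addresses (as strings) that fall outside every allowed network."""
    return [str(ip) for ip in parse_nameservers(resolv_conf_text)
            if not any(ip in net for net in allowed_networks)]

if __name__ == "__main__":
    rogue = unexpected_resolvers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", ", ".join(rogue) if rogue else "none")
```

On a real host, read /etc/resolv.conf (or the router's DHCP lease) into the function instead of the constructed sample.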


The human factor: neglect
The human factor: deceit

(Threaten/disguise - image credit to Ben Edelman)


The human factor: deceit

Self: “Modeling and Preventing Phishing Attacks” (Panel, Financial Crypto, 2005 - notion of spear phishing)
With Jagatic, Johnson, Menczer: “Social Phishing” (Communications of the ACM, Oct 2007)
With Finn, Johnson: “Why and How to Perform Fraud Experiments” (IEEE Security and Privacy, March/April 2008)
Experiment Design
Gender Effects (success rate by sender and recipient gender)

              To Male   To Female   To Any
From Male       53%        78%       68%
From Female     68%        76%       73%
From Any        65%        77%       72%
Ethical and accurate assessments
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)

Reality: [Figure: A, B and eBay; steps 1–4; credentials]

Attack: [Figure: A and B; step 1 (spoof), step 2 credentials]

Experiment: [Figure: A, B and eBay; steps 1–5, step 3 spoofed; step 4 credentials]

Yield (incl. spam filtering loss): 11% ± 3% … with the “eBay greeting” removed: same
Mutual authentication in the “real world”
With Tsow, Shah, Blevis, Lim: “What Instills Trust? A Qualitative Study of Phishing” (Abstract at Usable Security, 2007)

[Figure: “starting with 4901”]

How does the typical Internet user identify phishing?
Spear Phishing and Data Mining
Current attack style:

Approx. 3% of adult Americans report having been victimized.


Spear Phishing and Data Mining
More sophisticated attack style:

“context aware attack”


How can information be derived?

Jane Smith, Jose Garcia
Jane Garcia, Jose Garcia
… and little Jimmy Garcia

Let’s start from the end! “Little” Jimmy, his parents, their marriage license, and Jimmy’s mother’s maiden name: Smith

More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
www.browser-recon.info
Approximate price list:
PayPal user id + password $1
+ challenge questions $15

Why?
Password Reset:
Typical Questions
• Make of your first car
• Mother’s maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister’s best friend
• Name of your pet
• How much wood would a woodchuck …
Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford had >25% market share
• First name of your best friend?
– 10% of males are named James (Jim), John, or Robert (Bob or Rob) + Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online
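To make the data-mining problem concrete, here is a small guessability model added as an illustration (not from the slides). It takes a skewed answer distribution per question and computes how often an attacker who simply guesses the most common answers gets in, compared with a numeric PIN. The Ford and James/John/Robert figures are the ones quoted above; every other probability is a constructed placeholder.

```python
from math import log2, prod

# Constructed answer distributions: the fraction of users giving each answer.
# The Ford (>25%) and James/John/Robert (~10% combined) figures are from the
# slides; every other value is a placeholder chosen for illustration.
FIRST_CAR = {"Ford": 0.25, "Chevrolet": 0.18, "Toyota": 0.11, "Honda": 0.08, "other": 0.38}
BEST_FRIEND = {"James": 0.04, "John": 0.03, "Robert": 0.03, "Michael": 0.02, "other": 0.88}
FAVORITE_PET = {"Max": 0.05, "Buddy": 0.04, "Bella": 0.04, "Lucy": 0.03, "other": 0.84}

def top_k_hit_rate(dist, k):
    """Chance that k guesses of the most common answers match a random user."""
    # "other" lumps many rare answers together, so it is not a usable guess.
    probs = sorted((p for a, p in dist.items() if a != "other"), reverse=True)
    return sum(probs[:k])

def min_entropy_bits(dist):
    """Strength against one best guess, in bits: -log2 of the most common answer."""
    return -log2(max(p for a, p in dist.items() if a != "other"))

def reset_break_rate(questions, attempts_per_question):
    """Fraction of accounts opened by guessing every question, with
    attempts_per_question guesses each and no lockout across questions."""
    return prod(top_k_hit_rate(q, attempts_per_question) for q in questions)

def pin_break_rate(digits, attempts):
    """Same quantity for a uniformly random numeric PIN, for comparison."""
    return attempts / 10 ** digits

if __name__ == "__main__":
    qs = [FIRST_CAR, BEST_FRIEND, FAVORITE_PET]
    for name, q in zip(["first car", "best friend", "favorite pet"], qs):
        print(f"{name:13s} min-entropy {min_entropy_bits(q):.1f} bits, "
              f"top-3 hit rate {top_k_hit_rate(q, 3):.0%}")
    print(f"three questions, 3 guesses each: {reset_break_rate(qs, 3):.2%} of accounts")
    print(f"4-digit PIN, 3 guesses:          {pin_break_rate(4, 3):.2%} of accounts")
```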
Problem 2: People Forget
• Name of the street you grew up on?
– There may have been more than one
• First name of your best friend / sister’s best friend?
– Friends change; what if you have no sister?
• City in which you were born?
– NYC? New York? New York City? Manhattan? The Big Apple?
• People lie to increase security … then forget!
Intuition
Preference-based authentication:
• preferences are more stable than long-term memory (confirmed by psychology research)
• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!
Our Approach (1)

Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
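A minimal model of preference-based password reset, added here as an illustration of the intuition above; it is an assumed design, not the Blue Moon implementation. The user labels catalog items as liked or disliked at setup, relabels them in random order at reset time, and is accepted if enough labels match. The binomial functions give the false-accept rate for a guesser and the false-reject rate for a user whose answers have drifted; the profile and threshold are constructed.

```python
import random
from math import comb

LIKE, DISLIKE = "like", "dislike"

def enroll(likes, dislikes):
    """Setup: record which catalog items the user marked liked and disliked."""
    if set(likes) & set(dislikes):
        raise ValueError("an item cannot be both liked and disliked")
    profile = {item: LIKE for item in likes}
    profile.update({item: DISLIKE for item in dislikes})
    return profile

def challenge(profile, rng=random):
    """Reset time: show the enrolled items in random order with labels hidden."""
    items = list(profile)
    rng.shuffle(items)
    return items

def score(profile, answers):
    """Number of items labelled the same way as at enrollment."""
    return sum(1 for item, label in answers.items() if profile.get(item) == label)

def verify(profile, answers, threshold):
    return score(profile, answers) >= threshold

def pass_probability(n, threshold, p_correct):
    """P(at least threshold of n labels right) if each is right with p_correct."""
    return sum(comb(n, k) * p_correct ** k * (1 - p_correct) ** (n - k)
               for k in range(threshold, n + 1))

def false_accept(n, threshold, p_guess=0.5):
    """Attacker guessing each label; 0.5 means they know nothing about the user."""
    return pass_probability(n, threshold, p_guess)

def false_reject(n, threshold, p_recall):
    """Legitimate user whose answers drifted; each label still right with p_recall."""
    return 1 - pass_probability(n, threshold, p_recall)

if __name__ == "__main__":
    # Constructed profile: 16 items, accept at 14 or more matching labels.
    profile = enroll(["jazz", "hiking", "sushi", "chess", "rain", "cats", "tea", "opera"],
                     ["golf", "cilantro", "crowds", "karaoke", "horror", "soda", "ties", "snow"])
    answers = {item: profile[item] for item in challenge(profile)}  # user remembers all
    print("legitimate user accepted:", verify(profile, answers, 14))
    print(f"false accept, blind guesser: {false_accept(16, 14):.4%}")
    print(f"false accept, guesser right 80% of the time: {false_accept(16, 14, 0.8):.2%}")
    print(f"false reject, user right 95% of the time: {false_reject(16, 14, 0.95):.2%}")
```

The 80% guesser line shows the limit of the scheme: someone who knows the user's tastes well does far better than chance, which is why the slides stress undocumented preferences and dislikes.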


Our Approach (2)
And next?

http://www.democratic-party.us/LiveEarth
Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenId
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal
Interesting?
Internships at PARC / meet over coffee / etc.

markus.jakobsson@parc.com
