
Users Are Not Dependable

How to make security indicators that protect them better

Min Wu, Simson Garfinkel, Robert Miller

MIT Computer Science and Artificial Intelligence Lab


User Is Part Of System

• “Weakest link” in operational security systems
• If attackers can easily trick users into compromising their security, they do not have to try hard to directly attack the system.
• A typical attack: Phishing
Security Indicators

• “Look for the lock at the bottom of your browser and ‘https’ in front of the website address.”
More Security Indicators

• SpoofStick
• Netcraft Toolbar
• TrustBar
• eBay Account Guard
• SpoofGuard
Outline

• Introduction of security indicators
• Anti-phishing user study
• Web authentication using cell phones
• Conclusions
Security Toolbar Abstractions
Neutral-Information Toolbar: SpoofStick, Netcraft Toolbar
System-Decision Toolbar: eBay Account Guard, SpoofGuard
Positive-Information Toolbar: TrustBar
Study Scenario

• We set up dummy accounts as John Smith at various websites
• “You are the personal assistant of
John Smith. John is on vacation now.
During his vacation, he sometimes
sends you emails asking you to do
some tasks for him online.”
• “Here is John Smith’s profile.”
Study Scenario

• Users dealt with 20 emails forwarded by John Smith.
• 5 emails were phishing emails.
• Most of the emails were about managing John’s wish lists at various sites.
Study browser layout (figure): main frame, address bar frame (showing http://tigermail.co.kr/cgi-bin/webscrcmd_login.php), toolbar frame, status bar frame
Attack Types

1. Similar-name attack
   bestbuy.com → www.bestbuy.com.ww2.us

2. IP-address attack
   bestbuy.com → 212.85.153.6

3. Hijacked-server attack
   bestbuy.com → www.btinternet.com

4. Popup-window attack

5. PayPal attack
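The first three attacks above can be told apart mechanically from the host part of the URL, which is exactly what a neutral-information toolbar such as SpoofStick surfaces to the user. The classifier below is an added example, not code from the slides or from any of the toolbars: the expected-domain input, the small public-suffix table, and the attack labels it returns are assumptions. The popup-window and PayPal attacks are not visible in the URL alone, so it does not attempt them.

```python
"""Classify a loaded URL against the domain the user expects to be on.

Added example (not the authors' code). PUBLIC_SUFFIXES is a constructed
stand-in for the real Public Suffix List, just large enough for the
slide's examples.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "net", "org", "us", "kr", "co.kr", "co.uk"}

LEGITIMATE = "legitimate"
SIMILAR_NAME = "similar-name attack"
IP_ADDRESS = "ip-address attack"
HIJACKED_SERVER = "hijacked-server attack"


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname.

    'www.bestbuy.com.ww2.us' -> 'ww2.us'  (what a neutral-information toolbar shows)
    'tigermail.co.kr'        -> 'tigermail.co.kr'
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest matching suffix first (co.kr before kr)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def classify(expected_domain: str, url: str) -> str:
    """Label url as legitimate or as one of the three URL-visible attack types."""
    host = urlsplit(url).hostname or ""
    expected = expected_domain.lower()

    try:                      # IP-address attack: a bare address, no name to judge at all
        ip_address(host)
        return IP_ADDRESS
    except ValueError:
        pass

    if registered_domain(host) == expected:
        return LEGITIMATE

    brand = expected.split(".")[0]
    if brand in host:         # similar-name: brand embedded in an unrelated registrable domain
        return SIMILAR_NAME
    return HIJACKED_SERVER    # some other legitimate-looking host entirely


if __name__ == "__main__":
    for url in ["https://www.bestbuy.com/account",
                "http://www.bestbuy.com.ww2.us/login",
                "http://212.85.153.6/login",
                "http://www.btinternet.com/~bestbuy/login"]:
        print(f"{url:45} {classify('bestbuy.com', url)}")
```

A real toolbar would replace the constructed suffix table with the Public Suffix List and would have to decide what "expected domain" means for a user who arrived from an email link. The study's point stands either way: a correct classification helps only if the user actually looks at it before entering credentials.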
Security Toolbar Display (figure): legitimate site vs. phishing site, as shown by each toolbar

Attack Pattern (order of the 20 emails): emails 1-9; email 10: PayPal attack; email 11: tutorial email; emails 12-20
Recruitment

• 30 users
  – Recruited at MIT, paid $15 for one hour
  – 10 for each toolbar (Neutral-Information, System-Decision, Positive-Information)
  – Average age 27 [18-50]
  – 14 females and 16 males
  – 20 MIT students, 10 not
Spoof Rates With Different Toolbars (chart)

Y axis: spoof rate (0-100%). Bar groups: Total, Before tutorial, After tutorial; one bar per toolbar (Neutral-Information, System-Decision, Positive-Information) in each group. Data labels visible on the chart: 54%, 40%, 39%, 35%, 33%, 32%, 30%, 28%, 13%.
Spoof Rates With Different Attacks (chart)

Y axis: spoof rate (0-100%). X axis: PayPal attack, popup-window attack, IP-address attack, hijacked-server attack, similar-name attack. Data labels visible on the chart: 50%, 43%, 33%, 28%, 17%.

p = 0.052 (ANOVA)
Why Did Users Get Fooled?
• 20 out of 30 got fooled by at least one attack. Among these 20 users:
  – 17 (85%) said the web content looked professional or familiar; 7 (35%) depended on security-related content
  – 12 (60%) explained away odd behaviors:
• “I have been to sites that use plain IP
addresses.”
• “Sometimes I go to a website, and it directs me
to another site with a different address.”
• “Yahoo may have just opened a branch in
Brazil and thus registered there.”
• “I must have mistakenly triggered the popup
window.”
Results

• Users did not rely on security indicators
  – Depended on web content instead
  – Could not distinguish poorly designed websites from malicious phishing attacks
Outline

• Introduction of security indicators
• Anti-phishing user study
• Web authentication using cell phones
  – Authentication protocol
  – User study
  – An improved protocol
• Conclusions
Authentication Using Cell Phones

• Prevent people’s passwords from being captured by public computers
• Use a trusted cell phone to authenticate login sessions from untrusted public computers
• Checking the security indicator is part of the authentication protocol
User Interface (cell phone screen)

Session: FAITH
1 [Approve it]
2 [Cancel it]
3 [Lock Account]
Submit / Cancel / menu
Attack Types

• Duplicated attack
• Blocking attack
User Study

• Log in to Amazon.com with a personal computer and a cell phone
• 6 logins in a row
• Attacks were randomly selected and assigned to the 5th or the 6th login
• 20 users
  – Recruited at MIT, paid $10 for one hour
  – Average age 25 [18-43]
  – 9 females and 11 males
  – 16 MIT students, 4 not
Results

• Duplicated attack: 36% spoof rate (4 successful out of 11 attacks)
  – “There must be a bug in the proxy since the session name displayed in the computer does not match the one in the cell phone.”
• Blocking attack: 22% spoof rate (2 successful out of 9 attacks)
  – “The network connection must be really slow since the session name has not been displayed.”
• Users failed to follow the protocol
  – Could not distinguish system failures from malicious attacks
An Improved Protocol (cell phone screen)

Choose the same session name as shown in the browser
1 [None of them]
2 [COURTESY]
3 [INHERITS]
4 [FAITH]
5 [OBJECT]
Submit / Cancel / menu

Thanks to Steve Strassman from Orange™
Under Attacks (figure): the improved protocol screen under the duplicated attack and under the blocking attack
Results

• Login by choosing the correct session name had a zero spoof rate!
  – 9 duplicated attacks and 11 blocking attacks
  – There was little chance that the attacker’s list included the user’s session name shown in the browser
  – Users were forced to attend to the security indicator
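To make the difference between the original approve-on-phone protocol and the improved choose-the-matching-name protocol concrete, the simulation below runs both under the duplicated attack and the blocking attack. This is an added example, not the authors' implementation: the session-name pool, the number of decoys, the one-pending-request-per-account bookkeeping, and the way the attacks and the trusting user are modelled are assumptions; only the user-facing shape of the two protocols (a session name displayed in the browser; approve it on the phone, or pick it from a list on the phone) follows the slides.

```python
"""Simulate the original and improved cell-phone login protocols under attack.

Added example, not the authors' code. WORDS, the decoy count and the
server bookkeeping are constructed assumptions.
"""
import random

# Constructed pool of session names; the first four are the ones on the slides.
WORDS = ["COURTESY", "INHERITS", "FAITH", "OBJECT", "HARBOR", "MARBLE",
         "PILOT", "SUMMIT", "VELVET", "WINDOW"]
NONE_OF_THEM = "None of them"


class AuthServer:
    def __init__(self, seed: int = 0, decoys: int = 3):
        self.rng = random.Random(seed)
        self.decoys = decoys
        self.sessions = {}      # session id -> (account, session name)
        self.pending = {}       # account -> session id waiting for phone approval
        self.approved = set()

    def start_login(self, account: str):
        """Browser side: open a session and return (id, name) for the page to display.
        Live sessions get distinct names, so two parallel logins never share one."""
        in_use = {name for _, name in self.sessions.values()}
        name = self.rng.choice([w for w in WORDS if w not in in_use])
        sid = len(self.sessions) + 1
        self.sessions[sid] = (account, name)
        self.pending[account] = sid     # the newest request is the one the phone shows
        return sid, name

    # --- original protocol: phone shows the name, user approves or cancels ---
    def phone_prompt_v1(self, account: str) -> str:
        return self.sessions[self.pending[account]][1]

    def decide_v1(self, account: str, decision: str) -> bool:
        if decision == "approve":
            self.approved.add(self.pending[account])
            return True
        return False

    # --- improved protocol: phone lists the real name among decoys, user picks ---
    def phone_prompt_v2(self, account: str) -> list:
        real = self.sessions[self.pending[account]][1]
        options = self.rng.sample([w for w in WORDS if w != real], self.decoys)
        options.append(real)
        self.rng.shuffle(options)
        return [NONE_OF_THEM] + options

    def decide_v2(self, account: str, choice: str) -> bool:
        sid = self.pending[account]
        if choice == self.sessions[sid][1]:   # only the pending session's own name approves it
            self.approved.add(sid)
            return True
        return False


def trusting_user_v1(browser_name, phone_name) -> str:
    """Models the spoofed users in the study: a mismatch or a missing name is
    explained away as a proxy bug or a slow network, and approved anyway."""
    return "approve"


def user_v2(browser_name, options) -> str:
    """Improved protocol: pick the browser's name if it is listed, else 'None of them'."""
    return browser_name if browser_name in options else NONE_OF_THEM


def simulate(attack: str, protocol: int, seed: int = 0) -> bool:
    """Return True if the session the phone was asked about got approved.
    Under 'duplicated' and 'blocking' that session is the attacker's."""
    srv = AuthServer(seed)
    if attack == "none":
        _, browser_name = srv.start_login("john")    # honest login, name shown in the browser
    elif attack == "duplicated":
        _, browser_name = srv.start_login("john")    # victim's login, name shown in the browser
        srv.start_login("john")                      # attacker's parallel login becomes the pending one
    elif attack == "blocking":
        srv.start_login("john")                      # attacker relays the victim's login ...
        browser_name = None                          # ... and blocks the name from reaching the page
    else:
        raise ValueError(attack)

    if protocol == 1:
        return srv.decide_v1("john", trusting_user_v1(browser_name, srv.phone_prompt_v1("john")))
    return srv.decide_v2("john", user_v2(browser_name, srv.phone_prompt_v2("john")))


if __name__ == "__main__":
    for attack in ("none", "duplicated", "blocking"):
        for protocol in (1, 2):
            print(f"{attack:10} v{protocol}: approved={simulate(attack, protocol)}")
```

In this simulation the server decides approval by comparing the user's pick with the pending session's own name, so the duplicated attack fails even when the victim's browser name happens to appear as a decoy; the slide's remark about "little chance" describes what the user sees, not the server check. The contrast with the original protocol is the point of the slides: in version 1 the comparison exists only in the user's head and a trusting user skips it, while in version 2 the comparison is the action the user has to perform to log in at all.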
Conclusions

• The security indicator checking scheme fails
  – Users ignore advice (34% spoof rate)
  – Users do not follow instructions (30% spoof rate)
  – Users cannot distinguish “bugs” from “attacks”
  – The security indicator is not part of the user’s “critical action sequence”

Lesson Learned

• Moving the security indicator into the critical action sequence can better protect users
Users Cared About Security

• 18 out of 30 unchecked “remember me”
• 13 out of 30 logged out (or tried to) after at least one task