论文信息 - Web wallet: preventing phishing attacks by revealing user intentions

Web wallet: preventing phishing attacks by revealing user intentions

We introduce a new anti-phishing solution, the Web Wallet. The Web Wallet is a browser sidebar which users can use to submit their sensitive information online. It detects phishing attacks by determining where users intend to submit their information and suggests an alternative safe path to their intended site if the current site does not match it. It integrates security questions into the user's workflow so that its protection cannot be ignored by the user. We conducted a user study on the Web Wallet prototype and found that the Web Wallet is a promising approach. In the study, it significantly decreased the spoof rate of typical phishing attacks from 63% to 7%, and it effectively prevented all phishing attacks as long as it was used. A majority of the subjects successfully learned to depend on the Web Wallet to submit their login information. However, the study also found that spoofing the Web Wallet interface itself was an effective attack. Moreover, it was not easy to completely stop all subjects from typing sensitive information directly into web forms.

[1] A Treisman,et al. Feature analysis in early vision: evidence from search asymmetries. , 1988, Psychological review.

[2] Dan S. Wallach,et al. Web Spoofing: An Internet Con Game , 1997 .

[3] Dan Boneh,et al. Proceedings of the 11th USENIX Security Symposium , 2002 .

[4] Sean W. Smith,et al. Web Spoofing Revisited: SSL and Beyond , 2002 .

[5] Simson L. Garfinkel,et al. Secure Web Authentication with Mobile Phones , 2004 .

[6] John Sören Pettersson,et al. Making PRIME usable , 2005, SOUPS '05.

[7] Ronald L. Rivest,et al. Lightweight Encryption for Email , 2005, SRUTI.

[8] J. Doug Tygar,et al. The battle against phishing: Dynamic Security Skins , 2005, SOUPS '05.

[9] Sean W. Smith,et al. Trusted paths for browsers , 2002, TSEC.

[10] A. Emigh,et al. Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures , 2005 .

[11] Dan Boneh,et al. Stronger Password Authentication Using Browser Extensions , 2005, USENIX Security Symposium.

[12] Xiaotie Deng,et al. An antiphishing strategy based on visual similarity assessment , 2006, IEEE Internet Computing.

[13] Min Wu,et al. Do security toolbars actually prevent phishing attacks? , 2006, CHI.

[14] Min Wu. Fighting phishing at the user interface , 2006 .

[15] Michael B. Jones,et al. Design Rationale behind the Identity Metasystem Architecture , 2007, ISSE.