Are You Going to Answer That? Measuring User Responses to Anti-Robocall Application Indicators

Robocalls are inundating phone users. These automated calls allow attackers to reach massive audiences with scams ranging from credential hijacking to unnecessary IT support in a largely untraceable fashion. In response, many applications have been developed to alert mobile phone users to incoming robocalls. However, how well these applications communicate risk to their users is not well understood. In this paper, we identify common real-time security indicators used in the most popular anti-robocall applications. Using focus groups and user testing, we first identify which of these indicators most effectively alert users to danger. We then demonstrate that the most powerful indicators can reduce the likelihood that users will answer such calls by as much as 43%. Unfortunately, our evaluation also shows that attackers can eliminate the gains provided by such indicators using a small amount of target-specific information (e.g., a known phone number). In so doing, we demonstrate that anti-robocall indicators could benefit from significantly increased attention from the research community.
