SpoofKiller: You Can Teach People How to Pay, but Not How to Pay Attention

We describe a novel approach to reducing the impact of spoofing through a subtle change in the login process. At the heart of our contribution is the observation that current anti-spoofing technologies fail largely because of the difficulty of communicating security and risk to typical users. Accordingly, our solution is oblivious to whether or not the user was tricked by a fraudster. We achieve this by modifying the user login process and letting the browser or operating system produce different outcomes for a user's login request depending on whether the site is trusted or not. Experimental results indicate that our new approach, which we dub "SpoofKiller", will address approximately 80% of spoofing attempts.
