Evaluation of Personalized Security Indicators as an Anti-Phishing Mechanism for Smartphone Applications

Mobile application phishing happens when a malicious mobile application masquerades as a legitimate one to steal user credentials. Personalized security indicators may help users detect such attacks, but their effectiveness depends on the user's alertness: the user has to notice that the indicator is missing or wrong. Previous studies in the context of website phishing have shown that users tend to ignore personalized security indicators and fall victim to attacks despite their deployment. Consequently, the research community has deemed personalized security indicators an ineffective phishing detection mechanism. We revisit the question of their effectiveness and evaluate them in the previously unexplored and increasingly important context of mobile applications. We conducted a user study with 221 participants and found that deploying personalized security indicators decreased the phishing attack success rate to 50%. Personalized security indicators can, therefore, help phishing detection in mobile applications, and their reputation as an anti-phishing mechanism in the mobile context should be reconsidered.
