Hardened Setup of Personalized Security Indicators to Counter Phishing Attacks in Mobile Banking

Application phishing attacks are rooted in users' inability to distinguish legitimate applications from malicious ones. Previous work has shown that personalized security indicators can help users detect application phishing attacks on mobile platforms. A personalized security indicator is a visual secret shared between the user and a security-sensitive application (e.g., mobile banking). The user sets up the indicator when the application is started for the first time. Later on, the application displays the indicator to authenticate itself to the user. Despite their potential, no previous work has addressed the problem of how to securely set up a personalized security indicator, a procedure that can itself be the target of phishing attacks. In this paper, we propose a setup scheme for personalized security indicators. Our solution allows a user to identify the legitimate application at the time she sets up the indicator, even in the presence of malicious applications. We implement and evaluate a prototype of the proposed solution for the Android platform. We also provide the results of a small-scale user study aimed at evaluating the usability and security of our solution.
