Title: Usable Privacy and Security: Protecting People from Online Phishing Scams
1 Usable Privacy and Security: Protecting People from Online Phishing Scams
Alessandro Acquisti, Lorrie Cranor, Julie Downs, Jason Hong, Norman Sadeh
Carnegie Mellon University
2 Everyday Security Problems: Install this software?
3 Everyday Security Problems: Setting File Permissions
- In 2003, one Senate Judiciary staffer found that files were readable to all users, rather than just to Democrats or Republicans
- See Reeder et al., CHI 2008
4 Everyday Security Problems: Many Laptops with Sensitive Data Being Lost or Stolen
5 Costs of Unusable Privacy and Security Are High
- Spyware, viruses, worms
- Too many passwords!!!
- People not updating software with patches
- Firewalls, WiFi boxes, and other systems easily misconfigured
- Less potential adoption of ubicomp systems (e.g. location-based services)
6 Usable Privacy and Security
- "Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future." - Grand Challenges in Information Security and Assurance, Computing Research Association (2003)
- "More research needed on how cultural and social influences can affect how people use computers and electronic information in ways that increase the risk of cybersecurity breaches." - Grand Challenges for Engineering, National Academy of Engineering (2008)
7 Everyday Privacy and Security Problem
8 This entire process is known as phishing
9 Phishing is a Plague on the Internet
- Estimated $350m-$3b direct losses a year
  - Does not include damage to reputation, lost sales, etc.
  - Does not include response costs (call centers, recovery)
- Rapidly growing
- Spear-phishing and whaling attacks escalating
  - Steal sensitive corporate or military information
11 Phishing Becoming Pervasive
- Universities
- Online social networking sites (Facebook, MySpace)
- Social media (Twitter, World of Warcraft)
12 Project: Supporting Trust Decisions
- Goal: help people make better online trust decisions
  - Specifically in context of anti-phishing
- Large multi-disciplinary team project at CMU
  - Economics, computer science, public policy, human-computer interaction, social and decision sciences, machine learning, computer security
13 Our Multi-Pronged Approach
- Human side
  - Interviews and surveys to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
  - Machine learning of blacklists
Automate where possible, support where necessary
14 Impact of Our Work
- Game teaching people about phish played 100k times, featured in over 20 media articles
- Study on browser warnings -> Internet Explorer 8
- Our filter is labeling several million emails per day
- Our evaluation of anti-phishing toolbars cited by several companies, presented to Anti-Phishing Working Group (APWG)
- PhishGuru embedded training has undergone field trials at three companies, a variant is in use by a large email provider, and it is used in APWG's takedown page
15 Our Multi-Pronged Approach
- Human side
  - Interviews and surveys to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
What do users know about phishing? Why do they fall for phish?
16 Interview Study
- Interviewed 40 Internet users (35 non-experts)
- Mental models interviews included email role play and open-ended questions
- Brief overview of results (see papers for details)
  - J. Downs et al. Decision Strategies and Susceptibility to Phishing. Symposium on Usable Privacy and Security 2006.
  - J. Downs et al. Behavioral Response to Phishing Risk. eCrime 2007.
17 Little Knowledge of Phishing
- Only about half knew the meaning of the term "phishing"
  - "Something to do with the band Phish, I take it."
18 Little Attention Paid to URLs
- Only 55% of participants said they had ever noticed an unexpected or strange-looking URL
  - Most did not consider them to be suspicious
19 Some Knowledge of Scams
- 55% of participants reported being cautious when email asks for sensitive financial info
  - But very few reported being suspicious of email asking for passwords
- Knowledge of financial phish reduced likelihood of falling for these scams
  - But did not transfer to other scams, such as an amazon.com password phish
20 Naive Evaluation Strategies
- The most frequent strategies don't help much in identifying phish
  - "This email appears to be for me"
  - "It's normal to hear from companies you do business with"
  - "Reputable companies will send emails"
- "I will probably give them the information that they asked for. And I would assume that I had already given them that information at some point so I will feel comfortable giving it to them again."
21 Summary of Findings
- People generally not good at identifying scams they haven't specifically seen before
- People don't use good strategies to protect themselves
22 Outline
- Human side
  - Interviews and surveys to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
  - Machine learning of blacklists
How to train people not to fall for phish?
23 PhishGuru Embedded Training
- A lot of training materials are boring and/or ignored
- Can we train people during their normal use of email to avoid phishing attacks?
- Periodically, people get sent a training email by admins
- Training email looks the same as a phishing attack
- If a person falls for it, the intervention warns and highlights what cues to look for in a succinct and engaging format
24 Everyday Privacy and Security Problem
25 Everyday Privacy and Security Problem
26 Everyday Privacy and Security Problem
- Learning science principles
  - Learning by Doing
  - Immediate feedback
  - Conceptual-Procedural Knowledge
27 Evaluation of PhishGuru
- Is embedded training effective? Yes!
  - Study 1: Lab study, 30 participants
  - Study 2: Lab study, 42 participants
  - Study 3: Field evaluation at company, 300 participants
  - Study 4: Ongoing at CMU, 500 participants
- Will highlight first two studies
  - P. Kumaraguru et al. Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. CHI 2007.
  - P. Kumaraguru et al. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. eCrime 2007.
28 Intervention 1: Diagram
29 Intervention 1: Diagram
Explains why they are seeing this message
30 Intervention 1: Diagram
Explains what a phishing scam is
31 Intervention 1: Diagram
Explains how to identify a phishing scam
32 Intervention 1: Diagram
Explains simple things you can do to protect yourself
33 Intervention 2: Comic Strip
34 Intervention 2: Comic Strip
35 Intervention 2: Comic Strip
36 Embedded Training Evaluation 1
- Lab study comparing our prototypes to standard security notices
  - Group A: Standard eBay, PayPal notices
  - Group B: Diagram that explains phishing
  - Group C: Comic strip that tells a story
- 10 participants in each condition (30 total)
  - Screened so we only have novices
- Go through 19 emails, 4 phishing attacks scattered throughout, 2 training emails too
  - Role play as Bobby Smith at Cognix Inc
37 Embedded Training Results
38 Embedded Training Results
- Existing practice of security notices not effective
- Diagram intervention somewhat better
  - Though people still fell for final phish
- Comic strip intervention worked best
  - Statistically significant
  - Combination of less text, graphics, story
39 Evaluation 2
- New questions
  - Have to fall for phishing email to be effective?
  - How well do people retain knowledge?
- Roughly same experimental protocol as before
  - Role play as Bobby Smith at Cognix Inc, go through 16 emails
  - Embedded condition means have to fall for our email
  - Non-embedded means we just send the comic strip
  - Suspicion means got a warning about phish from a friend
  - Control means they got no warnings or training
- Also had people come back after 1 week
41 Results of Evaluation 2
- Have to fall for phishing email to be effective?
- How well do people retain knowledge after a week?
42 Results of Evaluation 2
43 Results of Evaluation 2
44 Discussion of PhishGuru
- Act of falling for phish is a teachable moment
  - Just sending intervention not effective
- PhishGuru can teach people to identify phish better
  - People retain the knowledge well
- People aren't resentful, many happy to have learned
  - 68 out of 85 surveyed said they recommend CMU continue doing this sort of training in future
  - "I really liked the idea of sending CMU students fake phishing emails and then saying to them, essentially, HEY! You could've just gotten scammed! You should be more careful -- here's how...."
45 APWG Landing Page
- CMU helped Anti-Phishing Working Group develop landing page for phishing sites taken down
- Also a new data source for us
  - How long people keep going to phishing sites, where from
46 Phishguru.org
- Our site to teach general public more about phishing
47 Anti-Phishing Phil
- A game to teach people not to fall for phish
  - Embedded training about email, this game about web browser
- Based on learning science
- Goals
  - How to parse URLs
  - Where to look for URLs
  - Use search engines for help
- Try the game!
  - http://cups.cs.cmu.edu/antiphishing_phil
- S. Sheng et al. Anti-Phishing Phil: The Design and Evaluation of a Game That Teaches People Not to Fall for Phish. In Proceedings of the 2007 Symposium On Usable Privacy and Security, Pittsburgh, PA, July 18-20, 2007.
48 Anti-Phishing Phil
54 Evaluation of Anti-Phishing Phil
- Is Phil effective?
- Study 1: 56 people in lab study
- Study 1 protocol
  - Label 10 web sites as phish or legitimate
  - For 15 minutes (four conditions)
    - Read printed materials on training
    - Read printed copies of Phil's tutorials
    - Play Anti-Phishing Phil
    - Check email or play solitaire (control)
  - Label 10 more web sites
55 Anti-Phishing Phil Study 1
- No statistical difference in false negatives (calling phish legitimate) between first three conditions
56 Anti-Phishing Phil Study 1
- Our game has significantly fewer false positives (labeling legitimate site as phish)
57 Evaluation of Anti-Phishing Phil
- Study 2: 4517 participants in field trial
  - Randomly selected from 80000 people
- Conditions
  - Control: Label 12 sites then play game
  - Game: Label 6 sites, play game, then label 6 more, then after 7 days, label 6 more (18 total)
- Participants
  - 2021 people in game condition, 674 did retention portion
58 Anti-Phishing Phil Study 2
- Novices showed most improvement in false negatives (calling phish legitimate)
59 Anti-Phishing Phil Study 2
- Improvement all around for false positives
60 Discussion of Anti-Phishing Phil
- For false negatives, Phil at least as effective as existing training, but much more fun
- Much better in terms of false positive rate
  - Don't want people to delete all mails from Citibank
  - Just telling people about phish tends to make them paranoid, without ability to differentiate
61 Outline
- Human side
  - Interviews to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
Do people see, understand, and believe web browser warnings?
62 Screenshots: Internet Explorer Passive Warning
63 Screenshots: Internet Explorer Active Block
64 Screenshots: Mozilla Firefox Active Block
65 How Effective are these Warnings?
- Tested four conditions
  - Firefox Active Block
  - IE Active Block
  - IE Passive Warning
  - Control (no warnings or blocks)
- Shopping Study
  - Set up some fake phishing pages and added them to blacklists
  - We phished users after purchases (2 phish/user)
  - Real email accounts and personal information
- S. Egelman, L. Cranor, and J. Hong. You've Been Warned: An Empirical Study of the Effectiveness of Web Browser Phishing Warnings. CHI 2008.
66 How Effective are these Warnings?
Almost everyone clicked, even those with technical backgrounds
67 How Effective are these Warnings?
68 Discussion of Phish Warnings
- Nearly everyone will fall for highly contextual phish
- Passive IE warning failed for many reasons
  - Didn't interrupt the main task
  - Slow to appear (up to 5 seconds)
  - Not clear what the right action was
  - Looked too much like other ignorable warnings (habituation)
  - Bug in implementation: any keystroke dismisses it
69 Screenshots: Internet Explorer Passive Warning
70 Discussion of Phish Warnings
- Active IE warnings
  - Most saw but did not believe it
    - "Since it gave me the option of still proceeding to the website, I figured it couldn't be that bad"
  - Some element of habituation (looks like other warnings)
  - Saw two pathological cases
71 Screenshots: Internet Explorer Active Block
72 Internet Explorer 8 Re-design
73 A Science of Warnings
- See the warning?
- Understand?
- Believe it?
- Motivated?
- Refining this model for computer warnings
74 Outline
- Human side
  - Interviews and surveys to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
  - Machine learning of blacklists
Can we automatically detect phish emails?
75 PILFER Email Anti-Phishing Filter
- Goal: Create an email filter that detects phishing emails
  - Spam filters well-explored, but how good for phishing?
  - Can we do better?
- Example heuristics combined in a Random Forest
  - IP addresses in link (http://128.23.34.45/blah)
  - Age of linked-to domains (younger domains likely phishing)
  - Non-matching URLs (ex. most links point to PayPal)
  - "Click here to restore your account"
- I. Fette, N. Sadeh, A. Tomasic. Learning to Detect Phishing Emails. In WWW 2007.
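Two of the link heuristics on this slide, as an added Python example that is not PILFER's own code: it extracts every anchor from an HTML email body and counts links whose host is a raw IP address and links whose visible text names one site while the href points to another. The domain-age heuristic needs a WHOIS lookup, so it is left out; the sample email is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+(?:com|net|org|edu))\b", re.I)

def same_site(host, domain):
    return host == domain or host.endswith("." + domain)

def link_features(html):
    """Two of the slide's link heuristics; domain age needs WHOIS, so it is left out."""
    parser = LinkExtractor()
    parser.feed(html)
    feats = {"links": len(parser.links), "ip_links": 0, "mismatched_links": 0}
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if IP_HOST.match(host):
            feats["ip_links"] += 1          # e.g. http://128.23.34.45/blah
        m = DOMAIN_IN_TEXT.search(text)
        if m and not same_site(host, m.group(1).lower()):
            feats["mismatched_links"] += 1  # text names one site, href goes to another
    return feats

# Constructed sample: a phish styled after the slide's "Click here to restore your account".
SAMPLE_EMAIL = """<p>Dear customer, your account has been limited.</p>
<a href="http://128.23.34.45/blah">Click here to restore your account</a>
<a href="http://128.23.34.45/login">www.paypal.com</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>"""

if __name__ == "__main__":
    print(link_features(SAMPLE_EMAIL))  # the feature vector a Random Forest would consume
```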
76 PILFER Evaluation
- PILFER better at detecting phish, few false positives
- Implemented as a SpamAssassin plugin
- Large-scale field trial underway
  - Millions of emails per day
  - Currently evaluating effectiveness of filter
77 Outline
- Human side
  - Interviews and surveys to understand decision-making
  - PhishGuru embedded training
  - Anti-Phishing Phil game
  - Understanding effectiveness of browser warnings
- Computer side
  - PILFER email anti-phishing filter
  - CANTINA web anti-phishing algorithm
  - Machine learning of blacklists
Can we improve phish detection of web sites?
78 Detecting Phishing Web Sites
- Industry uses blacklists to label phishing sites
  - But blacklists slow to new attacks
- Idea: Use search engines
  - Scammers often directly copy web pages
  - But fake pages should have low PageRank on search engines
  - Generate text-based fingerprint of web page keywords and send to a search engine
- Y. Zhang, S. Egelman, L. Cranor, and J. Hong. Phinding Phish: Evaluating Anti-Phishing Tools. In NDSS 2007.
- Y. Zhang, J. Hong, and L. Cranor. CANTINA: A content-based approach to detecting phishing web sites. In WWW 2007.
- G. Xiang and J. Hong. A Hybrid Phish Detection Approach by Identity Discovery and Keywords Retrieval. In WWW 2009.
79 Robust Hyperlinks
- Developed by Phelps and Wilensky to solve the 404 not found problem
- Key idea was to add a lexical signature to URLs that could be fed to a search engine if the URL failed
  - Ex. http://abc.com/page.html?sig=word1 word2 ... word5
- How to generate the signature?
  - Found that TF-IDF was fairly effective
  - Informal evaluation found five words was sufficient for most web pages
80 Fake
eBay, user, sign, help, forgot
81 Real
eBay, user, sign, help, forgot
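The CANTINA pipeline from slides 78-81, as an added Python example (not the project's own code): the top-5 TF-IDF terms of a page become its lexical signature, the signature is looked up, and the page is flagged as phish if its own domain is absent from the results. The web index and the search function are constructed stand-ins for a real search engine; the fake page is a verbatim copy of the real one, so, as on slides 80 and 81, the two signatures are identical and only the hosting domain differs.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed stand-in for a search engine's index: domain -> page text.
INDEX = {
    "ebay.com": "eBay sign in user ID password forgot your user ID help",
    "paypal.com": "PayPal log in email password forgot help send money",
    "citibank.com": "Citibank online banking sign on user ID help",
    "bank.example": "online banking sign on account help forgot password",
}
STOP = {"in", "on", "your", "the", "to", "of", "a"}  # tiny stopword list for the toy corpus

def tokens(text):
    return [w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP]

def lexical_signature(page_text, corpus, k=5):
    """Top-k TF-IDF terms: the fingerprint CANTINA sends to a search engine."""
    tf = Counter(tokens(page_text))
    df = Counter()
    for doc in corpus:
        df.update(set(tokens(doc)))
    def tfidf(w):
        return tf[w] * math.log((len(corpus) + 1) / (df[w] + 1))
    return sorted(tf, key=lambda w: (-tfidf(w), w))[:k]

def search(words, index, top_n=30):
    """Stand-in for the web search: domains ranked by how many signature words they contain."""
    scored = [(sum(w in set(tokens(t)) for w in words), d) for d, t in index.items()]
    return [d for s, d in sorted(scored, key=lambda x: (-x[0], x[1])) if s > 0][:top_n]

def cantina_verdict(url, page_text, index=INDEX):
    """Phish if the page's own domain is absent from the top results for its own signature."""
    sig = lexical_signature(page_text, list(index.values()))
    host = (urlparse(url).hostname or "").lower()
    hit = any(host == d or host.endswith("." + d) for d in search(sig, index))
    return sig, ("legitimate" if hit else "phish")

if __name__ == "__main__":
    # The phishing page is a verbatim copy of eBay's sign-in page hosted on a raw IP.
    print(cantina_verdict("https://signin.ebay.com/", INDEX["ebay.com"]))
    print(cantina_verdict("http://128.23.34.45/ebay/", INDEX["ebay.com"]))
```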
84 Evaluating CANTINA: PhishTank
85 Our Ongoing Work in Anti-Phishing
- Machine Learning of Blacklists
  - Given blacklists of URLs, can we apply content-based and URL-based approaches to accurately detect new phish?
  - Blacklists can be thought of as labeled data
  - Early results show 87% true positive rate and 0.04% false positives, far better than any other heuristics
- Social Web Machine Learning
  - PhishTank is a community site where people can submit and verify phish, five votes to verify
  - Can we use machine learning approaches to augment people's votes?
  - Currently collecting data through Mechanical Turk
86 Summary
- Usable Privacy and Security
  - Grand challenge for computer science
- Whirlwind tour of our work on anti-phishing
  - Human side: effective training mechanisms
  - Computer side: better algorithms for detecting phish
- Lots more info at cups.cs.cmu.edu
87 Acknowledgments
- Alessandro Acquisti
- Lorrie Cranor
- Sven Dietrich
- Julie Downs
- Mandy Holbrook
- Norman Sadeh
- Anthony Tomasic
- Umut Topkara
- Serge Egelman
- Ian Fette
- Ponnurangam Kumaraguru
- Bryant Magnien
- Elizabeth Nunge
- Yong Rhee
- Steve Sheng
- Yue Zhang
Supported by NSF, ARO, CyLab, Portugal Telecom
88 http://cups.cs.cmu.edu/
CMU Usable Privacy and Security Laboratory
90 Everyday Security Problems