Trust and Identity as Defenses Against Phishing and Spoofing - PowerPoint PPT Presentation

1
Trust and Identity as Defenses Against Phishing and Spoofing
  • Rick Ells
  • University of Washington

2
Phishing and Spoofing
  • Phishing (sometimes called carding or brand spoofing) is a scam where the perpetrator sends out legitimate-looking emails in an effort to phish for personal information from the recipient.
  • Involves social engineering to manipulate the recipient into trusting the message enough to enter private information
  • May link to a Web form duplicating the appearance and functionality of a legitimate Web site

3
Phishing email example
  Date: Wed, 9 Jun 2004 10:34:16 -0500
  From: USbank-securijt@UsBank.com
  Reply-To: product@u.washington.edu
  Subject: USBank.com Security Update URGENcs
  Security Key: vnydramifyg .txcwq

  Dear US Bank Customer,
  During our regular update and verification of the Internet Banking Accounts,
  We could not verify your current information. Either your information has been
  Changed or incomplete, as a result your access to use our services has been
  Limited. Please update your information.
  To update your account information and start using our services please click
  on the link below: http://www.usbank.com/interfnetBanking/RequestRouter?requestCmdId=DisplayLoginPackage
  Note: Requests for information will be initiated by US Bank Business Development; this process
  cannot be externally requested through customer support.

4
Phishing Web site example
  • Virtually identical to legitimate Web site except
    for possible additional fields and behind the
    scenes coding changes.

5
Common advice to users
  • Disregard messages you do not trust
  • Do not click on links in messages you do not
    trust
  • Do not visit Web sites you do not trust

6
Who do you trust?
  • How do users evaluate the trustworthiness of an
    email message or a Web site?
  • What can we do to help them make the right
    decisions?

7
Definitions
  • trust - certainty based on past experience: "he wrote the paper with considerable reliance on the work of other scientists"; "he put more trust in his own two legs than in the gun" (Oxford English Dictionary)
  • trust - that which is essential to a communication channel but which cannot be transferred from a source to a destination using that channel (Generalized Certification Theory, http://www.mcg.org.br/cie.htm)

8
Qualified Reliance on Information
  • "Trust, as qualified reliance on information, needs multiple, independent channels to be communicated. If we have two entities (e.g., a client and server) talking to one another, we have only one channel of communication. Clearly, we need more than two entities." (Ed Gerck, Trust as Qualified Reliance on Information)

9
Prominence-Interpretation Theory
  • Prominence - an element's likelihood of being noticed when people evaluate credibility; influenced by:
    • Involvement
    • Topic
    • Task
    • Experience
    • Individual differences
  • Interpretation - what value or meaning people assign to the element, good or bad; influenced by:
    • Assumptions
    • Skill/knowledge
    • Context
  • Credibility Impact - the impact that element has on credibility assessment (Prominence × Interpretation)

B.J. Fogg, Prominence-Interpretation Theory: Explaining How People Assess Credibility Online, CHI 2003
10
Trust Evaluations
  • Closeness
  • Accuracy
  • Sample size
  • Variance
  • Expertise
  • Deferral (Accreditation)
  • Threshold (Group)
  • Individual History
  • Category History
  • Agent is (dis)trusting
  • Agent does (not) give benefit of the doubt

Trust in Electronic Markets: The Convergence of Cryptographers and Economists, by Joseph Reagle Jr., First Monday
11
Design and organization
  • "Users trust sites that are well-designed and well-organized. Poor navigation is the key element that decreases earned web credibility." (Peter Morville, Semantics Studios)

12
Design versus content
Selection of websites

  Type of factor    Specific aspects of the site                              Weighting
  Design factors    Clear layout; good navigation aids; interactive           17
                    features (e.g., assessment tools)
  Content factors   Informative content; relevant illustrations; wide         83
                    variety of topics covered; unbiased information;
                    age-specific information; clear, simple language
                    used; discussion groups; frequently asked questions

Sillence, Briggs, Fishwick, Harris, Trust and Mistrust of Online Health Sites
13
Interviews
  • 30 randomly selected adults
  • 15 email and Web site examples
    • 5 real
    • 10 phishing
  • Methodology
    • Pre-test structured interview
    • Talk-aloud protocol
      • Initial impressions
      • Description
      • Trust or not trust decision
    • Post-test structured interview

14
Results
  • High rate of discrimination of generic phishing messages, based on:
    • Language anomalies
    • Misspellings
    • Role confusion
    • Arrival context (when, relative to other events)
    • Features they had been warned about (attachments, links within the message)
  • Low rate of discrimination of duplicated Web sites:
    • Limited skill at interpreting URLs
    • Recognized inappropriate fields
    • Asked how the page was reached
    • Had expectations of what was appropriate and what was not
  • Remarkable capacity for evaluating trustworthiness, if they have something to go on

15
Discussion
  • Diminishing vulnerability of your clients
    • Quality of content
    • Branding and unique-ing
    • Interaction design
    • Safe methodologies
    • Applied consistently
    • User education

16
Quality of content
  • No misspellings
  • Correct grammar
  • Succinct, to-the-point text
  • Clear role definition
  • Consistent voice
  • Useful, appropriate information

17
Branding and unique-ing
  • Consistency of branding across your sites
    • Logos
    • Naming of services, offices
    • Language
  • Minor unique style elements
    • C&C, Computing & Communications
    • Centering, dashed lines, ascii-art
    • Signatures

18
Interaction design
  • Establish rigid interaction rules
    • Never request identity information (user IDs, passwords, account numbers, etc.) by email
    • Never ask for password information by phone or email
    • Never ask for billing or payment information through email
    • Use secure servers for all private information entry
    • Address messages with the recipient's name
    • Do not put links in your email messages; only provide the URL
    • Limit the number of transactional Web sites
    • Send confirming email messages for transactions
  • Follow your own interaction rules
    • Variance reduces trust
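As an added example (not part of the presentation), a small linter that checks an outgoing message against the interaction rules on this slide before it goes out, so that the organisation's own mail never resembles the phish it warns users about. The word lists, the example.edu/example.net domains and the two sample messages are constructed for illustration.

```python
import re

# Illustrative patterns for the slide's rules; tune the word lists for your own messages.
IDENTITY = re.compile(r"\b(password|passwd|user ?ids?|account numbers?|ssn|social security)\b", re.I)
PAYMENT = re.compile(r"\b(credit card|card number|billing|payment (?:information|details))\b", re.I)
REQUEST = re.compile(r"\b(enter|confirm|verify|provide|update|send|submit|reply with)\b", re.I)
HTML_LINK = re.compile(r"<a\s[^>]*href\s*=", re.I)
MD_LINK = re.compile(r"\[[^\]]+\]\(https?://[^)]+\)")
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def _sentences(body):
    return [s.strip() for s in re.split(r"[.!?\n]+", body) if s.strip()]

def lint_message(body, recipient_name, own_domains):
    """Return the interaction rules an outgoing message violates (empty list = clean)."""
    findings = []
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    # Address messages with the recipient's name; a generic salutation is what phish use.
    if recipient_name.lower() not in first_line.lower():
        findings.append("salutation does not name the recipient")
    for s in _sentences(body):
        # Never request identity, billing or payment information by email.
        if REQUEST.search(s) and IDENTITY.search(s):
            findings.append("asks for identity information: " + s)
        if REQUEST.search(s) and PAYMENT.search(s):
            findings.append("asks for billing/payment information: " + s)
    # Do not put links in messages; give the bare URL for the user to copy.
    if HTML_LINK.search(body) or MD_LINK.search(body):
        findings.append("contains a clickable link; provide the bare URL instead")
    for host in URL_HOST.findall(body):
        host = host.lower().split(":")[0]
        # Limit transactional sites: every URL should be on one of our own domains.
        if not any(host == d or host.endswith("." + d) for d in own_domains):
            findings.append("URL points outside our own domains: " + host)
    # Use secure servers for all private information entry.
    if re.search(r"\bhttp://", body, re.I):
        findings.append("plain http URL; private information must only go to a secure server")
    return findings

# Constructed sample messages (not real mail); example.edu / example.net are reserved names.
PHISHY = """Dear Customer,
We could not verify your current information.
Please <a href="http://example.net/login">click here</a> to confirm your password and account number."""
CLEAN = """Dear Alex Example,
Your password was changed on 9 Jun 2004 at your request.
If this was not you, call the Help Desk; the number is on https://www.example.edu/security/ (copy this URL into your browser).
We will never ask for your password by email."""

if __name__ == "__main__":
    for name, msg in (("phishy", PHISHY), ("clean", CLEAN)):
        print(name, lint_message(msg, "Alex Example", ["example.edu"]))
```

Run it on a draft before it is sent; a non-empty list means the message breaks one of the rules above and is teaching recipients to accept exactly what phish ask for.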

19
User education
  • Offer safe behavior guidelines
    • Keep your computer OS, anti-virus program, and anti-spyware program up to date.
    • Never click on a link in an email message. Copy the URL instead.
    • Never enter your identity information (password, SSN, etc.) in an email message.
  • Only a segment of your users will notice
    • Still worth reaching them; they are the communicators and mavens.

20
Technical defenses
  • Spam filtering
  • Fast response to reports of phishing sites mimicking your pages and services
  • Report it
    • Anti-Phishing Workgroup: reportphishing@antiphishing.org
    • FTC: uce@ftc.gov
  • Centralize management of phishing events

21
Summary
  • Quality content, branding, and unique-ing help fight generic phishing
  • They also set you up for mimicry
  • Interaction design helps minimize risk and build a context workflow users can use to evaluate trustworthiness
  • You need to follow your own interaction rules
  • User education helps users share the responsibility
  • Only a segment of your audience will notice

22
References
  • Peter Morville, Semantics Studios - http://semanticstudios.com/publications/semantics/000011.php
  • Ed Gerck, Trust as Qualified Reliance on Information - http://nma.com/papers/it-trust-part1.pdf
  • Reagle, Joseph, Jr., Trust in Electronic Markets: The Convergence of Cryptographers and Economists, First Monday - http://www.firstmonday.dk/issues/issue2/markets/
  • Sillence, Briggs, Fishwick, Harris, Trust and Mistrust of Online Health Sites, CHI 2004 - http://portal.acm.org/citation.cfm?id=985776
  • Anti-Phishing Working Group - http://www.antiphishing.org/
  • Phishing Attack Trends Report - http://www.antiphishing.org/APWG_Phishing_Attack_Report-Apr2004.pdf
  • The MailFrontier Phishing IQ Test - http://survey.mailfrontier.com/survey/quiztest.html