Security and identification indicators for browsers against spoofing and phishing attacks

ACM Transactions on Internet Technology

Volumn 8, Issue 4, 2008, Pages

  Herzberg, Amir ^a   Jbara, Ahmad ^a  

^a BAR ILAN UNIVERSITY   (Israel)

Author keywords

Human computer interaction; Phishing; Secure usability; Web spoofing

Indexed keywords

KNOWLEDGE MANAGEMENT;

CERTIFICATE AUTHORITIES; PHISHING; PHISHING ATTACKS; SECURE USABILITY; SENSITIVE INFORMATIONS; SSL/TLS; TRUSTBAR; WEB SECURITIES; WEB SITES; WEB SPOOFING;

HUMAN COMPUTER INTERACTION;

EID: 54049142548     PISSN: 15335399     EISSN: 15576051     Source Type: Journal    
DOI: 10.1145/1391949.1391950     Document Type: Article

References (60)

1. ANTI-PHISHING WORKING GROUP. 2006. Phishing activity trends report. http://www.antiphishing.org/reports/ apwg_report_May2006.pdf.
2. ANTI-PHISHING WORKING GROUP. 2005. Phishing archive. http://www.antiphishing.org/.
3. BONEH, D., SHACHAM, H., AND RESCROLA, E. 2004. Client side caching for TLS. ACM Trans. Inf. Syst. Security 7, 4 (Nov.), 553-575.
4. ndACM Symposium on Usable Privacy and Security, Pittsburgh, PA, 79-90.
5. ITIBANK CORPORATION. 2004. Learn about or report fraudulent e-mails, http://www.citibank.coin/domain/spoof/report_abuse.htm.
6. LOSE, T. 2006. Petname tool: Enabling Web site recognition using the existing SSL infrastructure. In W3C Workshop on Transparency and Usability of Web Authentication, http://www.w3.org/2005/Security/usability- ws/papers/02-hp-petname/.
7. HAMIJA, R. AND TYGAR, J. D. 2005. The battle against phishing: Dynamic security skins. In Proceedings of the ACM Symposium on Usable Privacy and Security (SOUPS), 77-88.
8. HAMIJA, R., TYGAR, J. D., AND HEARST, M. 2006. Why phishing works. In Proceedings of the Conference on Human Factors in Computing Systems (CHI), Montreal, Quebec, Canada, 581-590.
9. ELLISON, C. 1999. The nature of a usable PKI. Comput. Netw. 31, 823-830.
10. ELLISON, C. AND SCHNEIER, B. 2000. Ten risks of PKI: What you're not being told about public key infrastructure. Comput. Security J. 16, 1, 1-7. http://www.schneier.com/paper-pki.html.
11. ELLISON, C., FRANTZ, B., LAMPSON, B., RIVEST, R., THOMAS, B., AND YLONEN, T. 1999. SPKI certificate theory. Internet RFC 2693, Internet Engineering Task Force. September. http://research. microsoft.com/Lampson/62-SPKICertificateTheory/ Abstract.html.
12. EMIGH, A. 2005. Online identity theft: Technology, chokepoints and countermeasures. Rep., Department of Homeland Security- SRI International Identity Theft Technology Council. October. http://www.antiphishing.org/ Phishing-dhs-report.pdf.
13. FELTEN, E. W., BALFANZ, D., DEAN, D., AND WALLACH, D. S. 1997. Web spoofing: An Internet con game. In Proceedings of the 20th National Information Systems Security Conference, Baltimore, MD. Also Tech. Rep. 540-96, Department of Computer Science, Princeton University. October.
14. FRANCO, R. 2004. Better Website identification and extended validation certificates in IE7 and other browsers. In Microsoft Developer Network's IEBlog. http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx.
15. Fu, K., SIT, E., SMITH, K., AND FEAMSTER, N. 2001. Do's and don'ts of client authentication on the Web. In Proceedings of the 10th USENIX Security Symposium, Washington, DC.
16. GABRILOVICH, E. AND GONTMAKHER, A. 2002. The homograph attack. Commun. ACM 45, 2.
17. GASPARINI, L. A. AND GOTLIEB, C. E. 2006. Method and apparatus for authentication of users and Web sites. U.S. patent number 7100049.
18. GRIGG, I. 2004a. personal communication.
19. GRIGG, I. 2004b. PKI considered harmful. http://iang.org/ssl/ pki_considered_harmful.html.
20. GRIGG, I. 2004c. Phishing I: Penny black leads to billion dollar loss. http://www.financialcryptography.com/mt/archives/000159.html.
21. HARMON, A. 2004. Amazon glitch unmasks war of reviewers. http://www.nytimes.com/2004/02/14/technology/14AMAZ.html?ex=1392094800&en= 183dc1d16a0c7b4c&ei=5007.
22. HERZBERG, A. 2006a. Web spoofing and phishing attacks and their prevention. In the Mexican International Conference on Computer Science (ENC), Colima, Mexico.
23. HERZBERG, A. 2006b. Browsers' defenses against phishing, spoofing and malware. Rep. 2006/083, Cryptology ePrint Archive. http://eprint.iacr.org/2006/083.
24. HERZBERG, A. 2003. Payments and banking with mobile personal devices. Commun. ACM 46, 5, 53-58.
25. HERZBERG, A. AND JBARA, A. 2004. TrustBar: Protecting (even naïve) Web users from spoofing and phishing attacks. Rep. 2004/155, Cryptology ePrint Archive. http://eprint.iacr.org.
26. HERZBERG, A. AND NAOR, D. 1998. Surf'n'Sign: Client signatures on Web documents. IBM Syst. J. 37, 1, 61-71.
27. JACKSON, C., SIMON, D., TAN, D., AND BARTH, A. 2007. An evaluation of extended validation and picture-in-picture phishing attacks, http://usablesecurity.org/papers/jackson. pdf.
28. JAKOBSSON, M. 2005. Modeling and preventing phishing attacks. http://www.informatics.indiana.edu/markus/papers/publishing_jakobsson.pdf.
29. JOHNSON, J. 2000. QUI Bloopers: Don'ts and Do's for Software Developers and Web Designers. Morgan Kaufmann.
30. JØSANG, A. AND PATTON, M. A. 2003. User interface requirements for authentication of communication. In Proceedings of the 4th Australian User Interface Conference on User Interfaces, vol. 18.
31. JØSANG, A., PATTON, M. A., AND HO, A. 2001. Authentication for humans. In Proceedings of the 9th International Conference on Telecommunication Systems (ICTS), B. Gavish, ed. Cox School of Business, Southern Methodist University, Dallas, TX.
32. KOHLAS AND MAURER, U. 2000. Reasoning about public-key certification: On bindings between entities and public keys. IEEE J. Selected Areas Commun. 18, 4 (Apr.).
33. KORMANN, D. P. AND RUBIN, A. D. 2000. Risks of the passport single signon protocol. Comput. Netw. (Jul.).
34. ACOSTE, G., PFITZMANN, B., STEINER, M., AND WAIDNER, M., eds. 2000. SEMPER - Secure Electronic Marketplace for Europe. Lecture Notes in Computer Science, vol. 1854. Springer.
35. EFRANC, S. AND NACCACHE, D. 2003. Cut-and-Paste attacks with Java. In Proceedings of the 5th International Conference on Information Security and Cryptology (ICISC). Lecture Notes in Computer Science, vol. 2587. Springer, 1-15.
36. I, T. AND YONGDONG, W. 2003. Trust on Web browser: Attack vs. defense. In Proceedings of the International Conference on Applied Cryptography and Network Security (ACNS), Kunming, China. Lecture Notes in Computer Science, Springer.
37. ITAN, A. 2004. Phishing attack victims likely targets for identity theft. Gartner FirstTake Rep. FT-22-8873. Gartner Research. May.
38. CDANIEL, D. AND RUBIN, A. D. 2000. A response to "Can we eliminate certificate revocation lists?". In the Financial Cryptography Conference.
39. ICALI, S. 1997. Efficient certificate revocation. In Proceedings of the RSA Data Security Conference.
40. ICROSOFT CORPORATION. 2004. The coordinated spam reduction initiative. http://www.microsoft.com/downloads/details.aspx?familyid= 5577782e-462d-4bbe-92e5-b38c575229e4&sdisplaylang=en.
41. ODADUGU, N. AND RESCORLA, E. 2004. The design and implementation of Datagram TLS. In Proceedings of the Network and Distributed System Security Symposium (NDSS). to appear.
42. NIELSEN, J. 1993. Usability Engineering. Academic Press, Boston, MA. ISBN 0-12-518405-0.
43. PFTIZMANN, A., PFTIZMANN, B., SCHUNTER, M., AND WAIDNER, M. 1999. Trustworthy user devices. In Multilateral Security in Communications, G. Muller and K. Rannenberg, eds. Addison-Wesley, 137-156.
44. Earlier version: Trusting mobile user devices and security modules. IEEE Comput. 30, 2 (Feb.), 61-68.
45. RESCORLA, E. 2000. SSL and TLS: Designing and Rebuilding Secure Systems. Addison-Wesley.
46. RUBIN, A. D. 1995. Trusted distribution of software over the Internet. In Proceedings of the Symposium on Network and Distributed System Security, 47-53.
47. SANTESSON, S., HOUSLEY, R., AND FREEMAN, T 2004. Internet X.509 public key infrastructure: Logotypes in X.509 certificates. Internet RFC 3709, Internet Engineering Task Force. http://www.ietf.org/rfc/rfc3709.txt.
48. SCHECHTER, S., DHAMIJA, R., OZMENT, A., AND FISCHER, I. 2007. The emperor's new security indicators. In Proceedings of the IEEE Symposium on Security and Privacy, to appear.
49. SECURITY FOCUS. 2003. Multiple browser URI display obfuscation weakness. http://www.securityfocus.com/bid/9182/discussion/.
50. TALLY, G., THOMAS, R., AND VAN VLECK, T. 2004. Anti-Phishing: Best practices for institutions and consumers. McAfee Research. March. http://www.networkassociates.com/us/.tier2/ products/_media/mcafee.wp_antiphishing.pdf.
51. TAY, H. 2004. Visual validation of SSL certificates in the Mozilla browser using hash images. Computer Science Honors thesis, School of Computer Science, Carnegie Mellon University.
52. WEBTRUST. 2004. Frequently asked questions about WebTrust. The American Institute of Certified Public Accountants.
53. WHITTEN, A. AND TYGAR, J. D. 1999. Why Johnny can't encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium.
54. Wu, M., MILLER, R. C., AND GARFINKEL, S. L. 2006. Do security toolbars actually prevent phishing attacks? In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Montreal, Quebec, Canada, 601-610.
55. YAHOO, INCORPORATED. 2006. Give password scams the boot with personalized sign-in seals. https://protect.login.yahoo.com/.
56. YE, E. Z., YUAN, Y., AND ANTHONY, D. 2005. Trusted paths for browsers. ACM Trans. Inf. Syst. Security 8, 2 (May), 153-186.
57. YE, E. Z., YUAN, Y., AND SMITH, S. 2002. Web spoofing revisited: SSL and beyond. Tech. Rep. TR2002-417. February.
58. YEE, K. P. 2002. User interaction design for secure systems. Tech. Rep. CSD-02-1184, University of California, Berkeley. May.
59. YEE, K. P. AND SITAKER, K. 2006. Passpet: Convenient password management and phishing protection. In Proceedings of the 2nd Symposium on Usable Privacy and Security, 32-43.
60. ZIMMERMAN, P. R. 1995. The Official PGP User's Guide. MIT Press, Boston, MA.