The Battle Against Phishing: Dynamic Security Skins

INTRODUCTION
Phishing is a model problem for usability concerns in privacy
and security because both system designers and attackers battle
in the user interface space. Careful analysis of the phishing


2. SECURITY PROPERTIES
Why is security design for phishing hard? As we discuss in
Section 7 and elsewhere [6], a variety of researchers have
proposed systems designed to thwart phishing; yet these
systems appear to be of limited success. Here are some
properties that come into play:



2. The general purpose graphics property. Operating systems
and windowing platforms that permit general purpose graphics
also permit spoofing. The implications of this property are
important: if we are building a system that is designed to resist
spoofing we must assume that uniform graphic designs can be
easily copied. As we will see in the next section, phishers use this
property to their advantage in crafting many types of attacks.

3. The golden arches property. Organizations invest a great
deal to strengthen their brand recognition and to evoke trust in
those brands by consumers. Just as the phrase “golden arches”
is evocative of a particular restaurant chain, so are distinct
logos used by banks, financial organizations, and other entities
storing personal data. Because of the massive investment in
advertising designed to strengthen this connection, we must go
to extraordinary lengths to prevent people from automatically


3. TASK ANALYSIS
The Anti Phishing Working Group [APWG] maintains a
“Phishing Archive” describing phishing attacks dating back to
September 2003 [9]. Reviewing these reports, we constructed a
task analysis of the methods and necessary skills for a user to
detect a phishing attack. Space limitations prevent us from
presenting the full task analysis here; it is available in a
companion report [10]. Here we summarize our findings


Trusted Path to the Password Window
How can a user trust the client display when every user interface
element in that display can be spoofed? We propose a solution
in which the user shares a secret with the display, one that cannot
be known or predicted by any third party. To create a
trusted path between the user and the display, the display must
first prove to the user that it knows this secret.


Secure Remote Password Protocol
It is well known that users have difficulty in remembering
secure passwords. Users choose passwords that are meaningful
and memorable and that, as a result, tend to be “low entropy” or
predictable. Because human memory is faulty, many users will
often use the same password for multiple purposes.



5.3 Man-in-the-Middle Attacks
SRP prevents a classic man-in-the-middle attack; however, a
“visual man-in-the-middle” attack is still possible if an
attacker can carefully overlay rogue windows on top of the
trusted window or authenticated browser windows. As
discussed in Section 4, we have specifically designed our
windows to make this type of attack very difficult to execute.

5.4 Spoofing the Trusted Window
Because the user enters his password in the trusted password
window, it is crucial that the user be able to recognize his own
customized window and to detect spoofs. If the number of
options for personalization is limited, phishers can try to
mimic any of the available choices, and a subset of the
population will recognize the spoofed setting as their own
(especially if there is a default option that is selected by many
users).
assigning trust based on logos alone.
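
The point of Section 5.4 can be checked against enrollment data. The following is an added example, not code from the paper: it measures what share of users would see their own personalization in a spoof that copies the most common settings. The populations, the skin names and the 1% tolerance are constructed assumptions.

```python
import math
import random
from collections import Counter

def match_rate(choices, k=1):
    """Share of users whose setting is among the k most common ones,
    i.e. the users who would see their own setting in a copy of those k."""
    counts = Counter(choices)
    return sum(n for _, n in counts.most_common(k)) / len(choices)

def min_entropy_bits(choices):
    """Min-entropy of the observed choices: -log2 of the most common share."""
    return -math.log2(match_rate(choices, 1))

def assess(choices, max_match=0.01):
    """Summarise one enrollment population against a tolerated match rate
    (max_match is a hypothetical policy threshold)."""
    top1 = match_rate(choices, 1)
    return {
        "distinct": len(set(choices)),
        "top1_match": top1,
        "min_entropy_bits": round(min_entropy_bits(choices), 3),
        "acceptable": top1 <= max_match,
    }

# Constructed sample populations (1000 users each), not measured data.
# Eight options where most users keep the default:
WITH_DEFAULT = ["default"] * 650 + [f"skin{i}" for i in range(1, 8) for _ in range(50)]
# The same eight options, evenly used, with no default:
NO_DEFAULT = [f"skin{i}" for i in range(8) for _ in range(125)]
# Each user holds a distinct value from a 2**20 space; with 1000 samples the
# observed rate cannot drop below 1/1000, so it is an upper bound.
ASSIGNED = random.Random(0).sample(range(2**20), 1000)

if __name__ == "__main__":
    for name, pop in [("default", WITH_DEFAULT),
                      ("no default", NO_DEFAULT),
                      ("assigned", ASSIGNED)]:
        print(name, assess(pop))
```

Removing the default helps, but eight evenly used options still leave one user in eight matched by a single copied setting; only a large option space brings the rate under the tolerance.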