
SpoofKiller: You Can Teach People How to Pay, but Not How to Pay Attention

The New Codebreakers

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9100)


Abstract

We describe a novel approach to reducing the impact of spoofing through a subtle change to the login process. At the heart of our contribution is the observation that current anti-spoof technologies fail largely because of the difficulty of communicating security and risk to typical users. Accordingly, our solution does not depend on whether or not the user was tricked by a fraudster. We achieve this by modifying the user login process and letting the browser or operating system produce different outcomes for a login request depending on whether the site is trusted. Experimental results indicate that our new approach, which we dub “SpoofKiller”, will address approximately 80% of spoofing attempts.


Notes

  1. It is against the terms of service of Amazon to ask a user to install a piece of software. While we used the payment methods associated with Amazon Mechanical Turk to pay participants, we did not use their services to recruit participants, and so did not break the terms of service. These users had voluntarily provided contact information in previous interactions, and were contacted in this manner to ask whether they would like to participate.


Author information

Corresponding author: Markus Jakobsson

Copyright information

© 2016 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Jakobsson, M., Siadati, H. (2016). SpoofKiller: You Can Teach People How to Pay, but Not How to Pay Attention. In: Ryan, P., Naccache, D., Quisquater, JJ. (eds) The New Codebreakers. Lecture Notes in Computer Science, vol 9100. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49301-4_13

  • DOI: https://doi.org/10.1007/978-3-662-49301-4_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49300-7

  • Online ISBN: 978-3-662-49301-4
