
Phishing

By Durgeshwar Singh

Conventional Aspects of Security


Computational assumptions
E.g., existence of a one-way function, RSA assumption,
Decision Diffie-Hellman

Adversarial model
E.g., access to data/hardware, ability to corrupt,
communication assumptions, goals

Verification methods
Cryptographic reductions to assumptions, BAN logic

Implementation aspects
E.g., will the communication protocol leak information that
is considered secret in the application layer?

The human factor of security

Deceit

Neglect

Configuration

The human factor: configuration


Weak passwords
With Tsow, Yang, Wetzel: Warkitting: the Drive-by Subversion
of Wireless Home Routers
(Journal of Digital Forensic Practice, Volume 1,
Special Issue 3, November 2006)

(Figure: wireless firmware update diagram; labels: wardriving, rootkitting)

Shows that more than 50% of APs are vulnerable

The human factor: configuration


Weak passwords
With Stamm, Ramzan: Drive-By Pharming
(Symantec press release, Feb 15, 2007; top story on Google Tech
news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we
think all APs but Apple's are at risk. Firmware update tested on only a
few. Paper in submission)

(Figure: router settings screen; label: Use DNS server x.x.x.x)

And worse: geographic spread!

The human factor: neglect

The human factor: deceit

(Threaten/disguise - image credit to Ben Edelman)

The human factor: deceit

Self: Modeling and Preventing Phishing Attacks
(Panel, Financial Crypto, 2005 - notion of spear phishing)

With Jagatic, Johnson, Menczer: Social Phishing
(Communications of the ACM, Oct 2007)

With Finn, Johnson: Why and How to Perform Fraud Experiments
(IEEE Security and Privacy, March/April 2008)

Experiment Design

Gender Effects (success rate of the phishing message, by sender and recipient gender)

                To Male   To Female   To Any
From Male         53%        78%       68%
From Female       68%        76%       73%
From Any          65%        77%       72%

Ethical and accurate assessments


With Ratkiewicz: Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features (WWW, 2006)

Reality:

(Figure: user A logs in to eBay and sends credentials; steps 1, 3, 4)

Ethical and accurate assessments


With Ratkiewicz: Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features (WWW, 2006)

Attack:

(Figure: step 1 spoof, step 2 credentials)

Ethical and accurate assessments


With Ratkiewicz: Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features (WWW, 2006)

Experiment:

(Figure: users A and B, step 3 spoof, step 5 eBay, step 4 credentials)

Yield (incl. spam filtering loss): 11% +-3%; eBay greeting removed: same

Mutual authentication in the real world
With Tsow, Shah, Blevis, Lim: What Instills Trust? A
Qualitative Study of Phishing
(Abstract at Usable Security, 2007)

starting with 4901

How does the typical Internet user identify phishing?

Spear Phishing and Data Mining


Current attack style:

Approx 3% of adult Americans report to have been victimized.

Spear Phishing and Data Mining


More sophisticated attack style:

context aware attack

How can information be derived?


Jane Smith

Jose Garcia

Jane Garcia, Jose Garcia

and little Jimmy Garcia

Let's start from the end!


Little Jimmy
his parents

their marriage
license

and Jimmy's mother's maiden name: Smith


More reading: Griffith and Jakobsson, "Messin' with Texas:
Deriving Mother's Maiden Names Using Public Records."

www.browser-recon.info

Approximate price list:

PayPal user id + password: $1
+ challenge questions: $15

Why?

Password Reset:
Typical Questions

Make of your first car


Mother's maiden name
City of your birth
Date of birth
High school you graduated from
First name of your / your sister's best friend
Name of your pet
How much wood would a woodchuck

Problem 1: Data Mining


Make of your first car?
Until 1998, Ford had >25% market share

First name of your best friend?


10% of males named James (Jim), John, or
Robert (Bob or Rob) + Facebook does not help

Name of your first / favorite pet?


Top pet names are online

Problem 2: People Forget


Name of the street you grew up on?
There may have been more than one

First name of your best friend / sister's best friend?
Friends change, what if you have no sister?

City in which you were born?


NYC? New York? New York City? Manhattan? The Big
Apple?

People lie to increase security then forget!

Intuition
Preference-based authentication:
preferences are more stable than long-term memory (confirmed by psychology
research)
preferences are rarely documented (in
contrast to city of birth, brand of first car,
etc.), especially dislikes!
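As an added illustration (not code from Blue-Moon-Authentication.com or any of the cited papers), a toy preference-based password-reset check: the user enrolls likes and dislikes, the reset quiz mixes them with neutral distractors, a few slips are tolerated, and the last function shows how that error tolerance trades against a blind guesser's pass rate. The item catalogue, scoring rule and threshold are assumptions.

```python
import math
import random

# Constructed catalogue of items a user could like or dislike (an assumption,
# not the real Blue Moon item list).
CATALOGUE = ["opera", "camping", "sushi", "cats", "golf", "jazz", "soccer",
             "gardening", "horror films", "spicy food", "chess", "karaoke",
             "skiing", "cooking", "poetry", "motorcycles", "crosswords",
             "sailing", "video games", "musicals"]

def enroll(likes, dislikes):
    """Store stated preferences; anything not listed counts as 'don't care'."""
    assert not set(likes) & set(dislikes), "an item cannot be both"
    return {"likes": set(likes), "dislikes": set(dislikes)}

def challenge(profile, seed=0):
    """Build the reset quiz: enrolled items mixed with an equal number of
    neutral distractors, shuffled so the enrolled ones are not recognisable."""
    rng = random.Random(seed)
    chosen = profile["likes"] | profile["dislikes"]
    distractors = [i for i in CATALOGUE if i not in chosen]
    items = list(chosen) + rng.sample(distractors, k=min(len(chosen), len(distractors)))
    rng.shuffle(items)
    return items

def score(profile, answers):
    """Count enrolled items answered with the stored verdict; 'don't care' and
    answers on distractors neither help nor hurt."""
    return sum(1 for item, verdict in answers.items()
               if (verdict == "like" and item in profile["likes"])
               or (verdict == "dislike" and item in profile["dislikes"]))

def authenticate(profile, answers, max_errors=2):
    """Accept when the user recovers all but max_errors of the enrolled items,
    tolerating the slips a real user makes over time."""
    needed = len(profile["likes"]) + len(profile["dislikes"]) - max_errors
    return score(profile, answers) >= needed

def blind_guess_pass_probability(n_enrolled, max_errors):
    """Chance that someone with no knowledge of the victim passes. 'Don't care'
    never scores, so the best blind strategy is a coin flip between like and
    dislike on every item: each enrolled item is right with probability 1/2."""
    needed = n_enrolled - max_errors
    return sum(math.comb(n_enrolled, k) for k in range(needed, n_enrolled + 1)) / 2 ** n_enrolled

if __name__ == "__main__":
    for n in (10, 16, 24):
        print(n, "enrolled items, 2 slips allowed:", blind_guess_pass_probability(n, 2))
```

With 10 enrolled items and 2 tolerated slips a blind guesser passes about 5.5% of the time; raising the item count to 16 or 24 drives that below 0.3% and 0.002% respectively, which is why such schemes ask about many items.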

Our Approach (1)

Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com

Our Approach (2)

And next?

http://www.democratic-party.us/LiveEarth

Countermeasures?
Technical
Better filters
CardSpace
OpenId

Educational
SecurityCartoon
Suitable user interfaces

Legal

Interesting?
Internships at PARC / meet over coffee / etc.

markus.jakobsson@parc.com
