DOI: 10.1145/1124772.1124863 (ACM Conferences, CHI Conference Proceedings, Article)

Do security toolbars actually prevent phishing attacks?

ABSTRACT

Security toolbars in a web browser show security-related information about a website to help users detect phishing attacks. Because the toolbars are designed for humans to use, they should be evaluated for usability -- that is, whether these toolbars really prevent users from being tricked into providing personal information. We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars' warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be.

