
Publication


Featured research published by Rachna Dhamija.


human factors in computing systems | 2006

Why phishing works

Rachna Dhamija; J. D. Tygar; Marti A. Hearst

To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.


ieee symposium on information visualization | 2001

Animated exploration of dynamic graphs with radial layout

Ka-Ping Yee; Danyel Fisher; Rachna Dhamija; Marti A. Hearst

We describe a new animation technique for supporting interactive exploration of a graph. We use the well-known radial tree layout method, in which the view is determined by the selection of a focus node. Our main contribution is a method for animating the transition to a new layout when a new focus node is selected. In order to keep the transition easy to follow, the animation linearly interpolates the polar coordinates of the nodes, while enforcing ordering and orientation constraints. We apply this technique to visualizations of social networks and of the Gnutella file-sharing network, and discuss the results from our informal usability tests.


ieee symposium on security and privacy | 2008

The Seven Flaws of Identity Management: Usability and Security Challenges

Rachna Dhamija; Lisa Dusseault

Web identity management systems are complex systems with powerful features - and many potential vulnerabilities. They aim to facilitate the management of identifiers, credentials, personal information, and the presentation of this information to other parties. In many schemes, an identity provider (IdP) issues identities or credentials to users, while a relying party (RP) depends on the IdP to check the user credentials before it allows users access to Web site services. By separating the role of an IdP from the RP, identity management systems let users leverage one identifier across multiple Web services.


Lecture Notes in Computer Science | 2005

Phish and HIPs: human interactive proofs to detect phishing attacks

Rachna Dhamija; J. D. Tygar

In this paper, we propose a new class of Human Interactive Proofs (HIPs) that allow a human to distinguish one computer from another. Unlike traditional HIPs, where the computer issues a challenge to the user over a network, in this case, the user issues a challenge to the computer. This type of HIP can be used to detect phishing attacks, in which websites are spoofed in order to trick users into revealing private information. We define five properties of an ideal HIP to detect phishing attacks. Using these properties, we evaluate existing and proposed anti-phishing schemes to discover their benefits and weaknesses. We review a new anti-phishing proposal, Dynamic Security Skins (DSS), and show that it meets the HIP criteria. Our goal is to allow a remote server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. In our scheme, the web server presents its proof in the form of an image that is unique for each user and each transaction. To authenticate the server, the user can visually verify that the image presented by the server matches a reference image presented by the browser.


human factors in computing systems | 2000

Hash visualization in user authentication

Rachna Dhamija

Although research in security has made tremendous progress over the past few years, most security systems still suffer by failing to account for human factors. People are slow and unreliable at processing long and meaningless strings, yet many security applications depend on this skill. For example, a major problem in user authentication is that people have difficulties in choosing and memorizing secure passwords. In this paper, we have investigated how the usability and security of user authentication systems can be improved by replacing text strings with structured images.


financial cryptography | 2007

Erratum to: Financial Cryptography and Data Security

Sven Dietrich; Rachna Dhamija

Erratum to: S. Dietrich and R. Dhamija (Eds.) Financial Cryptography and Data Security DOI: 10.1007/978-3-540-77366-5


usenix security symposium | 2000

Déjà Vu: a user study using images for authentication

Rachna Dhamija; Adrian Perrig


symposium on usable privacy and security | 2005

The battle against phishing: Dynamic Security Skins

Rachna Dhamija; J. D. Tygar


ieee symposium on security and privacy | 2007

The Emperor's New Security Indicators

Stuart E. Schechter; Rachna Dhamija; Andy Ozment; Ian Fischer


Archive | 2007

The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies

Stuart E. Schechter; Rachna Dhamija; Andy Ozment; Ian Fischer

Collaboration


Dive into Rachna Dhamija's collaboration.

Top Co-Authors

J. D. Tygar

University of California

Andy Ozment

Massachusetts Institute of Technology

Stuart E. Schechter

Massachusetts Institute of Technology

Sven Dietrich

Stevens Institute of Technology

Eiji Hayashi

Carnegie Mellon University
