March 30, 2006

T3 3/30: The Battle Against Phishing: Dynamic Security Skins

Talks, Visitors

We are pleased to host Rachna Dhamija, a security researcher at Harvard and former student of Doug Tygar’s at Berkeley, on an extremely timely topic: novel approaches for helping users secure their own experiences online.

To design systems and interfaces to shield users from fraudulent
websites, it is important to know which attack strategies are
successful and why users are deceived. In this talk, I will present
empirical evidence about phishing attack strategies that are
successful at deceiving general users. We conducted a usability study
in which 22 participants were shown 20 web sites and asked to
determine which ones were fraudulent. The best phishing sites fooled
90% of participants. We found that 23% of the participants did not
look at browser-based cues such as the address bar, status bar and
the security indicators, leading to incorrect choices 40% of the
time. We also found that some visual deception attacks can fool even
the most sophisticated users. These results illustrate that standard
security indicators are not effective for a substantial fraction of
users, and suggest that alternative approaches are needed.

I will present a new scheme, Dynamic Security Skins, that allows a
remote web server to prove its identity in a way that is easy for a
human user to verify and hard for an attacker to spoof. We use two
novel interaction techniques to prevent spoofing. First, we propose a
browser extension that provides a trusted window dedicated to
username and password entry. We use a photographic image to create a
trusted path between the user and this window to prevent spoofing of
the window and of the text entry fields. Second, our scheme allows
the remote server to generate a unique abstract image for each user
and each transaction. This image creates a “skin” that automatically
customizes the browser window or the user interface elements in the
content of a remote web page.

In contrast to other proposals, our scheme places a very low burden
on the user in terms of effort, memory and time. To authenticate
himself, the user has to recognize only one image and remember one
low entropy password, no matter how many servers he wishes to
interact with. To authenticate
content from an authenticated server, the user only needs to perform
one visual matching operation to compare two images. Furthermore, it
places a high burden of effort on an attacker to spoof customized security
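
The per-user, per-transaction image described above, as an added illustration that is not code from the talk or the Dynamic Security Skins paper: it assumes the legitimate server and the browser already share a secret (how they agree on it is not covered in the abstract) and derives the "skin" from that secret with HMAC-SHA256, so both sides render the same picture while a phisher lacking the secret cannot.

```python
import hashlib
import hmac

# Constructed sample secret standing in for whatever key the legitimate
# server and the user's browser share; the key-agreement step is assumed.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
# Constructed key a phisher might hold instead: anything but the real one.
PHISHER_KEY = bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef")

Pixel = tuple[int, int, int]


def render_skin(key: bytes, user: str, transaction: str, size: int = 8) -> list[list[Pixel]]:
    """Derive a size x size grid of RGB cells (the abstract image) from the
    shared key, the user and the transaction; a new transaction gives a new image."""
    needed = size * size * 3
    stream, counter = b"", 0
    while len(stream) < needed:  # expand the keyed hash into enough bytes
        msg = f"{user}|{transaction}|{counter}".encode()
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    cells = [tuple(stream[i:i + 3]) for i in range(0, needed, 3)]
    return [cells[r * size:(r + 1) * size] for r in range(size)]


def skins_match(a: list[list[Pixel]], b: list[list[Pixel]]) -> bool:
    """The user's single visual matching operation, done exactly instead of by eye."""
    return a == b


def as_text(skin: list[list[Pixel]]) -> str:
    """Coarse text rendering so the image can be eyeballed in a terminal."""
    shades = " .:-=+*#%@"
    return "\n".join(
        "".join(shades[sum(px) * (len(shades) - 1) // 765] for px in row)
        for row in skin
    )


if __name__ == "__main__":
    server = render_skin(SHARED_KEY, "alice", "txn-0001")
    browser = render_skin(SHARED_KEY, "alice", "txn-0001")
    phisher = render_skin(PHISHER_KEY, "alice", "txn-0001")
    print("genuine skin:\n" + as_text(server))
    print("browser matches server:", skins_match(server, browser))    # True
    print("phisher matches browser:", skins_match(phisher, browser))  # False
```

In the scheme itself the browser-side image is shown inside the trusted window, so the comparison the user makes is between that window and the skin embedded in the page.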

More information is available at