Sandesh Kuckian ('11) studied in the UO library in the LEED gold certified White Stag building in Old Town, Portland.

Designing Successful Anti-Phishing Applications To Protect Home Computer Users

In Brief: Phishing attacks against home computer users are on the rise as more people use the Internet to complete electronic transactions. This technology-era scheme typically lures victims into providing their personal information through spoofed but legitimate-looking Web sites, or into downloading malicious software that searches their computers for personal information and transmits it to attackers via the Internet.

The purpose of this literature review, which includes 32 references, is to identify the fundamental design principles that user interface designers and developers who are not trained in the field of usability and security — also known as HCI-Sec — can use to create secure and usable anti-phishing applications.

The review is organized into three sections: 1) How phishing attacks are carried out and why they are successful (see Figure 1); 2) Effective user interface design principles that combat phishing; and 3) Learning principles and techniques that can help create a successful anti-phishing solution.

Developing successful solutions depends on clearly understanding current and future threats. To this end, the review examines current phishing techniques and anticipated risks, including why home computer users fall for phishing attacks. For example, for phishing attacks to be successful, they must reach appropriate victims, appear credible, and allow the attacker to disappear undetected. The more educated users are about their informational security, however, the more effective are the associated anti-phishing solutions.

The paper goes on to report on important usability issues with Web browsers and current anti-phishing tools, and proposes design principles intended to improve the transparency and visibility of these tools and applications.

Finally, as the paper looks to the future, it recognizes that most phishing is conducted from multiple countries and that this trend is expected to expand throughout the world. Further, smaller-scale attacks that leverage partial information about fewer victims, and that result in higher success rates, are likely to increase.

Figure 1—Information flow of a typical phishing attack.

Research Paper Author: Melinda Geist, Intel Corporation—2008 AIM Graduate

Abstract: As home computer users increase dependency on the Internet to complete electronic transactions, the need to resolve phishing vulnerabilities in the user interface becomes more urgent (Dhamija & Tygar, 2005a). Selected literature published between 2004 and 2007 is analyzed to provide designers and developers of anti-phishing applications with a set of fundamental user-centered design principles to consider prior to system design and technology solutions selection. The significance of anti-phishing user education is also examined.
