User Interaction Design for Secure Systems
ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
Proceedings of the 11th USENIX Security Symposium
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
A Nitpicker's guide to a minimal-complexity secure GUI
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Decision strategies and susceptibility to phishing
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Design of the EROS trusted window system
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Stronger password authentication using browser extensions
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
WWW electronic commerce and java trojan horses
WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Are your participants gaming the system?: screening mechanical turk workers
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
ICISC'02 Proceedings of the 5th international conference on Information security and cryptology
An evaluation of extended validation and picture-in-picture phishing attacks
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
The nocebo effect on the web: an analysis of fake anti-virus distribution
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
An analysis of rogue AV campaigns
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Bridging the Gap in Computer Security Warnings: A Mental Model Approach
IEEE Security and Privacy
Visual spoofing of SSL protected web sites and effective countermeasures
ISPEC'05 Proceedings of the First international conference on Information Security Practice and Experience
Phoolproof phishing prevention
FC'06 Proceedings of the 10th international conference on Financial Cryptography and Data Security
Your attention please: designing security-decision UIs to make genuine risks harder to ignore
Proceedings of the Ninth Symposium on Usable Privacy and Security
On the ecological validity of a password study
Proceedings of the Ninth Symposium on Usable Privacy and Security
Hi-index | 0.00 |
When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established; evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to login to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password.