What makes Web sites credible?: a report on a large quantitative study
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Users' conceptions of risks and harms on the web: a comparative study
CHI '02 Extended Abstracts on Human Factors in Computing Systems
Users' conceptions of web security: a comparative study
CHI '02 Extended Abstracts on Human Factors in Computing Systems
How do users evaluate the credibility of Web sites?: a study with over 2,500 participants
Proceedings of the 2003 conference on Designing for user experiences
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
A Trust Model for Consumer Internet Shopping
International Journal of Electronic Commerce
Authentication for humans: the design and evaluation of usable security systems
Authentication for humans: the design and evaluation of usable security systems
What do they "indicate?": evaluating security and privacy indicators
interactions - A contradiction in terms?
Passpet: convenient password management and phishing protection
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Decision strategies and susceptibility to phishing
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
The methodology and an application to fight against Unicode attacks
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Trusted-link: web-link enhancement for integrity and trustworthiness
Proceedings of the second ACM workshop on Digital identity management
Looking for trouble: understanding end-user security management
Proceedings of the 2007 symposium on Computer human interaction for the management of information technology
Noticing notice: a large-scale experiment on the timing of software license agreements
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Protecting people from phishing: the design and evaluation of an embedded training email system
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Cantina: a content-based approach to detecting phishing web sites
Proceedings of the 16th international conference on World Wide Web
Learning to detect phishing emails
Proceedings of the 16th international conference on World Wide Web
Tracking website data-collection and privacy practices with the iWatch web crawler
Proceedings of the 3rd symposium on Usable privacy and security
Anti-Phishing Phil: the design and evaluation of a game that teaches people not to fall for phish
Proceedings of the 3rd symposium on Usable privacy and security
Queue - Web Development
Behavioral response to phishing risk
Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
Getting users to pay attention to anti-phishing education: evaluation of retention and transfer
Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
A framework for detection and measurement of phishing attacks
Proceedings of the 2007 ACM workshop on Recurring malcode
Beamauth: two-factor web authentication with a bookmark
Proceedings of the 14th ACM conference on Computer and communications security
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
ACM SIGACT News
Communications of the ACM - The psychology of security: why do good users make bad decisions?
Learn to Detect Phishing Scams Using Learning and Ensemble Methods
WI-IATW '07 Proceedings of the 2007 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Workshops
Itrustpage: a user-assisted anti-phishing tool
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
Measuring trust in wi-fi hotspots
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Undercover: authentication usable in front of prying eyes
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
You've been warned: an empirical study of the effectiveness of web browser phishing warnings
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Human-in-the-loop: rethinking security in mobile and pervasive systems
CHI '08 Extended Abstracts on Human Factors in Computing Systems
Secrets and lies in computer-mediated interaction: theory, methods and design
CHI '08 Extended Abstracts on Human Factors in Computing Systems
Forcehttps: protecting high-security web sites from network attacks
Proceedings of the 17th international conference on World Wide Web
SMash: secure component model for cross-domain mashups on unmodified browsers
Proceedings of the 17th international conference on World Wide Web
Provably secure browser-based user-aware mutual authentication over TLS
Proceedings of the 2008 ACM symposium on Information, computer and communications security
A framework for reasoning about the human in the loop
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
iPhish: phishing vulnerabilities on consumer electronics
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
RUST: a retargetable usability testbed for website authentication technologies
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
A user study design for comparing the security of registration protocols
UPSEC'08 Proceedings of the 1st Conference on Usability, Psychology, and Security
Behind phishing: an examination of phisher modi operandi
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Security and identification indicators for browsers against spoofing and phishing attacks
ACM Transactions on Internet Technology (TOIT)
Simulation for intrusion-resilient, DDoS-resistant authentication system (IDAS)
Proceedings of the 2008 Spring simulation multiconference
Analyzing websites for user-visible security design flaws
Proceedings of the 4th symposium on Usable privacy and security
On the Effectiveness of Techniques to Detect Phishing Sites
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Method for Evaluating the Security Risk of a Website Against Phishing Attacks
PAISI, PACCF and SOCO '08 Proceedings of the IEEE ISI 2008 PAISI, PACCF, and SOCO international workshops on Intelligence and Security Informatics
Enforcing User-Aware Browser-Based Mutual Authentication with Strong Locked Same Origin Policy
ACISP '08 Proceedings of the 13th Australasian conference on Information Security and Privacy
Phishwish: A Stateless Phishing Filter Using Minimal Rules
Financial Cryptography and Data Security
Panel: Usable Cryptography: Manifest Destiny or Oxymoron?
Financial Cryptography and Data Security
Antisocial Networks: Turning a Social Network into a Botnet
ISC '08 Proceedings of the 11th international conference on Information Security
Computational challenges in e-commerce
Communications of the ACM - Rural engineering development
Using Cartoons to Teach Internet Security
Cryptologia
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
e-EMV: emulating EMV for internet payments with trusted computing technologies
Proceedings of the 3rd ACM workshop on Scalable trusted computing
Stronger TLS bindings for SAML assertions and SAML artifacts
Proceedings of the 2008 ACM workshop on Secure web services
Visual-similarity-based phishing detection
Proceedings of the 4th international conference on Security and privacy in communication networks
A Browser-Based Kerberos Authentication Scheme
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Exploring User Reactions to New Browser Cues for Extended Validation Certificates
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Threat Modelling in User Performed Authentication
ICICS '08 Proceedings of the 10th International Conference on Information and Communications Security
A Universally Composable Framework for the Analysis of Browser-Based Security Protocols
ProvSec '08 Proceedings of the 2nd International Conference on Provable Security
SSS '08 Proceedings of the 10th International Symposium on Stabilization, Safety, and Security of Distributed Systems
There is no free phish: an analysis of "free" and live phishing kits
WOOT'08 Proceedings of the 2nd conference on USENIX Workshop on offensive technologies
Securing frame communication in browsers
SS'08 Proceedings of the 17th conference on Security symposium
A service science perspective for interfaces of online service applications
Proceedings of the VIII Brazilian Symposium on Human Factors in Computing Systems
Trust modelling for online transactions: a phishing scenario
Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
"When I am on Wi-Fi, I am fearless": privacy concerns & practices in everyday Wi-Fi use
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Fraudulent and malicious sites on the web
Applied Intelligence
Usability meets access control: challenges and research opportunities
Proceedings of the 14th ACM symposium on Access control models and technologies
Secure Pairing of "Interface-Constrained" Devices Resistant against Rushing User Behavior
ACNS '09 Proceedings of the 7th International Conference on Applied Cryptography and Network Security
Social applications: exploring a more secure framework
Proceedings of the 5th Symposium on Usable Privacy and Security
School of phish: a real-world evaluation of anti-phishing training
Proceedings of the 5th Symposium on Usable Privacy and Security
Counteracting Phishing Page Polymorphism: An Image Layout Analysis Approach
ISA '09 Proceedings of the 3rd International Conference and Workshops on Advances in Information Security and Assurance
Scalable Detection and Isolation of Phishing
AIMS '09 Proceedings of the 3rd International Conference on Autonomous Infrastructure, Management and Security: Scalability of Networks and Services
The user is not the enemy: fighting malware by tracking user intentions
Proceedings of the 2008 workshop on New security paradigms
User-aware provably secure protocols for browser-based mutual authentication
International Journal of Applied Cryptography
Security and usability: the gap in real-world online banking
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
Risks of the CardSpace Protocol
ISC '09 Proceedings of the 12th International Conference on Information Security
Adaptive Security Dialogs for Improved Security Behavior of Users
INTERACT '09 Proceedings of the 12th IFIP TC 13 International Conference on Human-Computer Interaction: Part I
Authenticating ubiquitous services: a study of wireless hotspot access
Proceedings of the 11th international conference on Ubiquitous computing
CSNA '07 Proceedings of the IASTED International Conference on Communication Systems, Networks, and Applications
Mixed-initiative security agents
Proceedings of the 2nd ACM workshop on Security and artificial intelligence
Browser interfaces and extended validation SSL certificates: an empirical study
Proceedings of the 2009 ACM workshop on Cloud computing security
TruWallet: trustworthy and migratable wallet-based web authentication
Proceedings of the 2009 ACM workshop on Scalable trusted computing
The effects of introspection on creating privacy policy
Proceedings of the 8th ACM workshop on Privacy in the electronic society
A comparative study of secure device pairing methods
Pervasive and Mobile Computing
HumanBoost: Utilization of Users' Past Trust Decision for Identifying Fraudulent Websites
ICONIP '09 Proceedings of the 16th International Conference on Neural Information Processing: Part II
So long, and no thanks for the externalities: the rational rejection of security advice by users
NSPW '09 Proceedings of the 2009 workshop on New security paradigms workshop
Visual security is feeble for anti-phishing
ASID'09 Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication
Depress phishing by CAPTCHA with OTP
ASID'09 Proceedings of the 3rd international conference on Anti-Counterfeiting, security, and identification in communication
New filtering approaches for phishing email
Journal of Computer Security - EU-Funded ICT Research on Trust and Security
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Trained to accept?: a field experiment on consent dialogs
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Detecting visually similar Web pages: Application to phishing detection
ACM Transactions on Internet Technology (TOIT)
BogusBiter: A transparent protection against phishing attacks
ACM Transactions on Internet Technology (TOIT)
SSLock: sustaining the trust on entities brought by SSL
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Find me if you can: improving geographical prediction with social and spatial proximity
Proceedings of the 19th international conference on World wide web
A zero knowledge password proof mutual authentication technique against real-time phishing attacks
ICISS'07 Proceedings of the 3rd international conference on Information systems security
An evaluation of extended validation and picture-in-picture phishing attacks
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
WSKE: web server key enabled cookies
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Empirical studies on software notices to inform policy makers and usability designers
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
What instills trust? a qualitative study of phishing
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Phishing IQ tests measure fear, not ability
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Using session identifiers as authentication tokens
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Users' (mis)conceptions of social applications
Proceedings of Graphics Interface 2010
It won't happen to me: Promoting secure behaviour among internet users
Computers in Human Behavior
Authentication technologies for the blind or visually impaired
HotSec'09 Proceedings of the 4th USENIX conference on Hot topics in security
Secure passwords through enhanced hashing
LISA'09 Proceedings of the 23rd conference on Large installation system administration
Crying wolf: an empirical study of SSL warning effectiveness
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
Empirical analysis of internet identity misuse: case study of south Korean real name system
Proceedings of the 6th ACM workshop on Digital identity management
OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle
Proceedings of the 6th ACM workshop on Digital identity management
System security, platform security and usability
Proceedings of the fifth ACM workshop on Scalable trusted computing
TLS man-in-the-middle laboratory exercise for network security education
Proceedings of the 2010 ACM conference on Information technology education
HProxy: client-side detection of SSL stripping attacks
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
A billion keys, but few locks: the crisis of web single sign-on
Proceedings of the 2010 workshop on New security paradigms
Identifying and resolving hidden text salting
IEEE Transactions on Information Forensics and Security
Understanding the behavior of malicious applications in social networks
IEEE Network: The Magazine of Global Internetworking
On the usability of user interfaces for secure website authentication in browsers
EuroPKI'09 Proceedings of the 6th European conference on Public key infrastructures, services and applications
Enhanced email spam filtering through combining similarity graphs
Proceedings of the fourth ACM international conference on Web search and data mining
Informing security indicator design in web browsers
Proceedings of the 2011 iConference
Proposal of a grid of ergonomic criteria for analysing forms of interactive persuasion
Conférence Internationale Francophone sur l'Interaction Homme-Machine
CAPTCHA phishing: a practical attack on human interaction proofing
Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
Does MoodyBoard make internet use more secure?: evaluating an ambient security visualization tool
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Does domain highlighting help people identify phishing sites?
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
F for fake: four studies on how we fall for phish
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Data type based security alert dialogs
CHI '11 Extended Abstracts on Human Factors in Computing Systems
Secure business process model specification through a UML 2.0 activity diagram profile
Decision Support Systems
Using one-time passwords to prevent password phishing attacks
Journal of Network and Computer Applications
Interface design elements for anti-phishing systems
DESRIST'11 Proceedings of the 6th international conference on Service-oriented perspectives in design science research
Practical elimination of external interaction vulnerabilities in web applications
Journal of Web Engineering
SSL/TLS session-aware user authentication using a GAA bootstrapped key
WISTP'11 Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication
Phi.sh/$oCiaL: the phishing landscape through short URLs
Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Forcing johnny to login safely: long-term user study of forcing and training login mechanisms
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Johnny in internet café: user study and exploration of password autocomplete in web browsers
Proceedings of the 7th ACM workshop on Digital identity management
The power of recognition: secure single sign-on using TLS channel bindings
Proceedings of the 7th ACM workshop on Digital identity management
Communications of the ACM
Journal of Management Information Systems
The security cost of cheap user interaction
Proceedings of the 2011 workshop on New security paradigms workshop
Trusted computing enhanced user authentication with OpenID and trustworthy user interface
International Journal of Internet Technology and Secured Transactions
An empirical study of visual security cues to prevent the SSLstripping attack
Proceedings of the 27th Annual Computer Security Applications Conference
Using data type based security alert dialogs to raise online security awareness
Proceedings of the Seventh Symposium on Usable Privacy and Security
Proceedings of the Seventh Symposium on Usable Privacy and Security
What makes users refuse web single sign-on?: an empirical investigation of OpenID
Proceedings of the Seventh Symposium on Usable Privacy and Security
Proceedings of the Seventh Symposium on Usable Privacy and Security
The structure of the sense of security, anshin
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
DarkNOC: dashboard for honeypot management
LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Using visual website similarity for phishing detection and reporting
CHI '12 Extended Abstracts on Human Factors in Computing Systems
A survey of client-side Web threats and counter-threat measures
Security and Communication Networks
Graphical passwords: Learning from the first twelve years
ACM Computing Surveys (CSUR)
ARC: protecting against HTTP parameter pollution attacks using application request caches
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Impact of spam exposure on user engagement
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Abusing notification services on smartphones for phishing and spamming
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Proceedings of the 2012 ACM conference on Computer and communications security
OTO: online trust oracle for user-centric trust establishment
Proceedings of the 2012 ACM conference on Computer and communications security
Measuring SSL indicators on mobile browsers: extended life, or end of the road?
ISC'12 Proceedings of the 15th international conference on Information Security
Speculations on the science of web user security
Computer Networks: The International Journal of Computer and Telecommunications Networking
NAPTune: fine tuning graphical authentication
Proceedings of the 3rd International Conference on Human Computer Interaction
NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
All your face are belong to us: breaking Facebook's social authentication
Proceedings of the 28th Annual Computer Security Applications Conference
Understanding the weaknesses of human-protocol interaction
FC'12 Proceedings of the 16th international conference on Financial Cryptography and Data Security
Preventing the revealing of online passwords to inappropriate websites with logininspector
LISA'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Comparative eye tracking of experts and novices in web single sign-on
Proceedings of the third ACM conference on Data and application security and privacy
Proceedings of the third ACM conference on Data and application security and privacy
Sophisticated phishers make more spelling mistakes: using URL similarity against phishing
CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security
A game design framework for avoiding phishing attacks
Computers in Human Behavior
A measurement study of insecure javascript practices on the web
ACM Transactions on the Web (TWEB)
ScreenPass: secure password entry on touchscreen devices
Proceeding of the 11th annual international conference on Mobile systems, applications, and services
Securing web-clients with instrumented code and dynamic runtime monitoring
Journal of Systems and Software
An updated threat model for security ceremonies
Proceedings of the 28th Annual ACM Symposium on Applied Computing
Supporting visual security cues for WebView-based Android apps
Proceedings of the 28th Annual ACM Symposium on Applied Computing
Pirates of the search results page
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Towards preventing QR code based attacks on android phone using security warnings
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
TabShots: client-side detection of tabnabbing attacks
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
A pilot study of cyber security and privacy related behavior and personality traits
Proceedings of the 22nd international conference on World Wide Web companion
Here's my cert, so trust me, maybe?: understanding TLS errors on the web
Proceedings of the 22nd international conference on World Wide Web
Bitsquatting: exploiting bit-flips for fun, or profit?
Proceedings of the 22nd international conference on World Wide Web
Towards a secure human-and-computer mutual authentication protocol
AISC '12 Proceedings of the Tenth Australasian Information Security Conference - Volume 125
Geo-location based QR-Code authentication scheme to defeat active real-time phishing attack
Proceedings of the 2013 ACM workshop on Digital identity management
Investigating Users’ Perspectives of Web Single Sign-On: Conceptual Gaps and Acceptance Model
ACM Transactions on Internet Technology (TOIT)
Alice in warningland: a large-scale field study of browser security warning effectiveness
SEC'13 Proceedings of the 22nd USENIX conference on Security
Editorial: Special Issue on Advances in Computer Supported Collaboration: Systems and Technologies
Future Generation Computer Systems
Forcing Johnny to login safely
Journal of Computer Security - Research in Computer Security and Privacy: Emerging Trends
WebCallerID: Leveraging cellular networks for Web authentication
Journal of Computer Security
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypotheses about why these strategies might work. We then assessed these hypotheses with a usability study in which 22 participants were shown 20 web sites and asked to determine which ones were fraudulent. We found that 23% of the participants did not look at browser-based cues such as the address bar, status bar and the security indicators, leading to incorrect choices 40% of the time. We also found that some visual deception attacks can fool even the most sophisticated users. These results illustrate that standard security indicators are not effective for a substantial fraction of users, and suggest that alternative approaches are needed.