Monday, February 6, 2012

PhishMeNot FormAdvisor

In 2009, motivated by the study "Why Phishing Works", I started a personal research project to look for a potential solution. The study illustrated that standard security indicators are not effective for a substantial fraction of users. The main reason is that these cues are outside the user's periphery or focus of attention. This is where PhishMeNot FormAdvisor comes into play. It shows the relevant information where it matters and where people are looking, in a non-intrusive way. As a proof of concept, I implemented the idea by highlighting the fields of an HTML form that request personal information, e.g., password, credit card, etc. Each such field is highlighted with a shield icon, which comes in three flavors: green, red, and orange.

 Green shield: Information is submitted over HTTPS.

 Red shield: Information is submitted over HTTP.

 Orange shield: Can't determine the URL where information is submitted.
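
The shield decision described above can be sketched as follows. This is an added example, not the PhishMeNot FormAdvisor code: the function names, the plain-object form shape, the field heuristics, and the choice to treat non-HTTP(S) actions such as `javascript:` as "can't determine" are all assumptions.

```javascript
// Added illustration, not the PhishMeNot FormAdvisor source.
// Forms are plain objects (constructed sample data) so this runs without a DOM;
// in a browser the values would come from form.action and each input element.
const SENSITIVE_NAME = /pass|pwd|card|cvv/i;      // assumed heuristic
const SENSITIVE_AUTOCOMPLETE = /^cc-|password$/;  // e.g. cc-number, current-password

function isSensitive(field) {
  return field.type === "password" ||
    SENSITIVE_AUTOCOMPLETE.test(field.autocomplete || "") ||
    SENSITIVE_NAME.test(field.name || "");
}

// Resolve the submission target; an absent or empty action posts back to the page.
function resolveTarget(form, pageUrl) {
  const action = (form.action || "").trim() || pageUrl;
  try {
    return new URL(action, pageUrl);  // relative actions resolve against the page
  } catch (err) {
    return null;                      // unparsable action or page URL
  }
}

// "green" = submitted over HTTPS, "red" = over HTTP, "orange" = cannot determine.
function shieldFor(form, pageUrl) {
  const target = resolveTarget(form, pageUrl);
  if (target && target.protocol === "https:") return "green";
  if (target && target.protocol === "http:") return "red";
  return "orange";                    // javascript:, data:, mailto:, or no URL at all
}

// One entry per sensitive field: the shield to draw and the host to show the user.
function adviseForm(form, pageUrl) {
  const shield = shieldFor(form, pageUrl);
  const host = shield === "orange" ? null : resolveTarget(form, pageUrl).host;
  return form.fields.filter(isSensitive)
    .map((f) => ({ field: f.name, shield, submitsTo: host }));
}

// Constructed sample: an HTTPS page whose checkout form posts to plain HTTP.
const sampleForm = {
  action: "http://pay.example/submit",
  fields: [
    { name: "email", type: "text" },
    { name: "cardnumber", type: "text", autocomplete: "cc-number" },
    { name: "pin", type: "password" },
  ],
};
console.log(adviseForm(sampleForm, "https://shop.example/checkout"));
```

The sample shows why the indicator is tied to the form target rather than the page: the page itself is served over HTTPS, yet both sensitive fields get a red shield because the form posts to an HTTP URL.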

A non-intrusive window informs the user where the personal information is submitted as soon as the user begins typing into the field. Some screenshots:


Please note: I do not maintain the PhishMeNot.com website and it is not active, but there are references on the Internet (see: here, here, here) that show that it existed and the idea existed.

Two studies published after PhishMeNot FormAdvisor use a similar idea. "Using Data Type Based Security Alert Dialogs to Raise Online Security Awareness" shows that the concept is very well accepted by users and that non-expert participants were more likely to identify fraudulent (or phishing) websites than when using the standard browser warnings. "An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack" used the same idea in a user study as a protection against the SSLstripping attack, and its results show that the approach is more promising than the traditional pop-up method adopted by major web browsers.
