Applied Information Management
 
News and Updates

Designing Successful Anti-Phishing Applications To Protect Home Computer Users

In Brief: Phishing attacks against home computer users are on the rise as more people use the Internet to complete electronic transactions. The scheme typically lures victims into entering their personal information on spoofed but legitimate-looking Web sites, or into downloading malicious software that searches their computers for personal information and transmits it to the attackers over the Internet.

The purpose of this literature review, which includes thirty-two references, is to identify the fundamental design principles that user interface designers and developers who are not trained in the field of usability and security (also known as HCI-Sec) can use to create secure and usable anti-phishing applications.


The review is organized into three sections: 1) How phishing attacks are carried out and why they are successful (see Figure 1); 2) Effective user interface design principles that combat phishing; and 3) Learning principles and techniques that can help create a successful anti-phishing solution.

Developing successful solutions depends on clearly understanding current and future threats. To this end, the review examines current phishing techniques and anticipated risks, including why home computer users fall for phishing attacks. For example, for a phishing attack to succeed it must reach appropriate victims, appear credible, and allow the attacker to disappear undetected. The better educated users are about information security, the more effective the associated anti-phishing solutions become.

The paper goes on to report on important usability issues with Web browsers and current anti-phishing tools, and proposes design principles intended to improve the transparency and visibility of these tools and applications.

Finally, looking to the future, the paper notes that most phishing is now conducted from multiple countries, a trend expected to spread throughout the world. It is also likely that smaller-scale attacks, which leverage partial information about fewer victims and achieve higher success rates, will increase.

Figure 1—Information flow of a typical phishing attack.

References

  • Berghel, H., Carpinter, J., & Jo, J.-Y. (2007). Phish Phactors: Offensive and Defensive Strategies. Advances in Computers, 70, 223-268. Retrieved November 3, 2007, from Web of Science database.
  • Dhamija, R., & Tygar, J. D. (2005a). The Battle Against Phishing: Dynamic Security Skins. Proceedings of the 2005 Symposium on Usable Privacy and Security, USA, 93, 77-88. Retrieved October 29, 2007, from ACM Digital Library.
  • Emigh, A. (2005). Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures.
  • Garfinkel, S. (2005). Design Principles and Patterns for Computer Systems that are Simultaneously Secure and Usable. Doctoral dissertation, Massachusetts Institute of Technology. Retrieved October 23, 2007, from WorldCat index.
  • Jakobsson, M. (2005). Modeling and Preventing Phishing Attacks. Retrieved November 13, 2007, from Indiana University, School of Informatics website.
  • Jakobsson, M. (2007). The Human Factor in Phishing. Retrieved November 21, 2007, from Indiana University, School of Informatics website.
  • Robila, S. A., & Ragucci, J. W. (2006). Don't be a Phish: Steps in User Education. Proceedings of the Eleventh Annual SIGCSE Conference on Innovation and Technology in Computer Science Education, Italy, pp. 237-241. Retrieved November 19, 2007, from ACM Digital Library.
  • Wu, M., Miller, R. C., & Garfinkel, S. L. (2006). Do Security Toolbars Actually Prevent Phishing Attacks? Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Canada, pp. 601-610. Retrieved October 28, 2007, from ACM Digital Library.
  • Wu, M., Miller, R. C., & Little, G. (2006). Web Wallet: Preventing Phishing Attacks by Revealing User Intentions. Proceedings of the Second Symposium on Usable Privacy and Security, USA, pp. 102-113. Retrieved October 28, 2007, from ACM Digital Library.
AIM alumna Melinda Geist

Research Paper Author: Melinda Geist—2008 AIM Graduate, Intel Corporation

Abstract: As home computer users become more dependent on the Internet to complete electronic transactions, the need to resolve phishing vulnerabilities in the user interface becomes more urgent (Dhamija & Tygar, 2005a). Selected literature published between 2004 and 2007 is analyzed to provide designers and developers of anti-phishing applications with a set of fundamental user-centered design principles to consider before system design and the selection of technology solutions. The significance of anti-phishing user education is also examined.

Download the entire Capstone research project