DOI: 10.1145/2994459.2994462

Hardened Setup of Personalized Security Indicators to Counter Phishing Attacks in Mobile Banking

Published: 24 October 2016

Abstract

Application phishing attacks are rooted in users' inability to distinguish legitimate applications from malicious ones. Previous work has shown that personalized security indicators can help users detect application phishing attacks on mobile platforms. A personalized security indicator is a visual secret, shared between the user and a security-sensitive application (e.g., mobile banking). The user sets up the indicator when the application is started for the first time. Later on, the application displays the indicator to authenticate itself to the user. Despite their potential, no previous work has addressed the problem of how to securely set up a personalized security indicator -- a procedure that can itself be the target of phishing attacks. In this paper, we propose a setup scheme for personalized security indicators. Our solution allows a user to identify the legitimate application at the time she sets up the indicator, even in the presence of malicious applications. We implement and evaluate a prototype of the proposed solution for the Android platform. We also provide the results of a small-scale user study aimed at evaluating the usability and security of our solution.


Published In

SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices
October 2016
130 pages
ISBN: 9781450345644
DOI: 10.1145/2994459

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 October 2016

Author Tags

  1. mobile applications
  2. phishing
  3. security indicators

Qualifiers

  • Research-article

Conference

CCS'16

Acceptance Rates

  • SPSM '16 paper acceptance rate: 13 of 31 submissions, 42%
  • Overall acceptance rate: 46 of 139 submissions, 33%

Article Metrics

  • Downloads (last 12 months): 10
  • Downloads (last 6 weeks): 1

Reflects downloads up to 19 Oct 2024

Cited By

  • (2024) ABCD Analysis of Voice Biometric System in Banking. International Journal of Management, Technology, and Social Sciences, pp. 1-17. DOI: 10.47992/IJMTS.2581.6012.0342. Online publication date: 13 Apr 2024.
  • (2023) Forging payment cards and cybercrime. Pravo - teorija i praksa, 40(4), pp. 138-154. DOI: 10.5937/ptp2304138S. Online publication date: 2023.
  • (2023) Security and Performance of Knowledge-Based User Authentication for Smart Devices. In Information Security and Privacy in Smart Devices, pp. 41-70. DOI: 10.4018/978-1-6684-5991-1.ch002. Online publication date: 31 Mar 2023.
  • (2022) DeviceWatch: A Data-Driven Network Analysis Approach to Identifying Compromised Mobile Devices with Graph-Inference. ACM Transactions on Privacy and Security, 26(1), pp. 1-32. DOI: 10.1145/3558767. Online publication date: 7 Nov 2022.
  • (2020) GenAtSeq GAN with Heuristic Reforms for Knowledge Centric Network with Browsing Characteristics Learning, Individual Tracking and Malware Detection with Website2Vec. SN Computer Science, 1(4). DOI: 10.1007/s42979-020-00234-8. Online publication date: 8 Jul 2020.
  • (2019) GUI-Squatting Attack: Automated Generation of Android Phishing Apps. IEEE Transactions on Dependable and Secure Computing, pp. 1-1. DOI: 10.1109/TDSC.2019.2956035. Online publication date: 2019.
  • (2019) Mobile anti-phishing: Approaches and challenges. Information Security Journal: A Global Perspective, 28(6), pp. 178-193. DOI: 10.1080/19393555.2019.1691293. Online publication date: 12 Nov 2019.
  • (2019) Preventing the propagation of a new kind of illegitimate apps. Future Generation Computer Systems, 94, pp. 368-380. DOI: 10.1016/j.future.2018.11.051. Online publication date: May 2019.
  • (2019) Anti-phishing Models for Mobile Application Development: A Review Paper. In Intelligent Technologies and Applications, pp. 168-181. DOI: 10.1007/978-981-13-6052-7_15. Online publication date: 12 Mar 2019.
  • (2018) VButton. In Proceedings of the 16th Annual International Conference on Mobile Systems, Applications, and Services, pp. 28-40. DOI: 10.1145/3210240.3210330. Online publication date: 10 Jun 2018.
