This document summarizes a study that tested how susceptible users are to entering their passwords into fake password dialog boxes created by attackers. Researchers created fake password dialogs mimicking Windows and Mac operating systems and found that 15-35% of participants entered their real passwords. While some users detected the spoofing, many were either oblivious or compromised. The researchers conclude that users have difficulty determining whether information comes from the actual OS or an attacker. Future work should focus on designing security dialogs that better capture users' attention.
1. Operating system framed in case of mistaken identity
Measuring the success of web-based spoofing attacks on OS password-entry dialogs
Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri, Manya Sleeper (Carnegie Mellon University)
Stuart Schechter (Microsoft Research)
CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
2. Motivation
Users have to make security decisions too often
Decisions are usually based on:
• Information presented on-the-fly by different principals (OS, browser, etc.)
• Beliefs, knowledge, hunches...
Many decisions are triggered by security dialogs
3. Trusted path problem
How do users know that information presented by the OS really comes from the OS?
Would users be able to spot fake dialogs asking for a password?
4. Possible consequences
Install or run malicious software (e.g., fake AV software)
Ignore security warnings
Turn OS security features off
Reveal secrets that should only be shared with the OS (passwords)
5. Windows has two defenses
Ctrl-Alt-Del before entering password:
• “Don't enter your password without hitting Ctrl-Alt-Del”
Trusted desktop:
• Dimming screen outside of UAC dialog
• “Enter your password without Ctrl-Alt-Del only if screen dims”
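Whether these two defenses are actually in force on a given machine can be read from the policy values that control them. The script below is an added example, not part of the CUPS slides; it assumes PowerShell on Windows Vista/7 or later with read access to HKLM and uses the DisableCAD, EnableLUA and PromptOnSecureDesktop values under the system policy key.

```powershell
# Added example (not from the slides): audit whether the two defenses the deck
# describes are active on this Windows host. Assumes Windows Vista/7 or later
# and read access to HKLM.
function Test-SpoofDefenses {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Defense 1: Ctrl-Alt-Del (the secure attention sequence) before the password.
    # DisableCAD = 1 means logon does NOT require Ctrl-Alt-Del, so the habit
    # "don't type your password without Ctrl-Alt-Del" has nothing to anchor to.
    # If the value is absent the OS default applies: required on domain-joined
    # machines, not required on stand-alone ones.
    $requiresCAD = if ($null -eq $p.DisableCAD) { 'OS default' } else { $p.DisableCAD -ne 1 }

    # Defense 2: trusted desktop. With EnableLUA = 1 and PromptOnSecureDesktop = 1
    # the UAC prompt is drawn on the secure desktop and the rest of the screen
    # dims; content in a browser window cannot draw on that desktop.
    # PromptOnSecureDesktop = 0 shows the prompt on the normal desktop, with no
    # dimming, which is the situation the in-browser spoof imitates.
    $uacOn         = ($p.EnableLUA -eq 1)
    $secureDesktop = $uacOn -and ($p.PromptOnSecureDesktop -eq 1)

    [pscustomobject]@{
        CtrlAltDelRequiredAtLogon = $requiresCAD
        UacEnabled                = $uacOn
        UacPromptOnSecureDesktop  = $secureDesktop
        BothDefensesActive        = ($requiresCAD -eq $true) -and $secureDesktop
    }
}

Test-SpoofDefenses | Format-List
```

To change either setting, use the security policy entries rather than editing the values by hand: "Interactive logon: Do not require CTRL+ALT+DEL" and "User Account Control: Switch to the secure desktop when prompting for elevation".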
6. Research question
What proportion of users would enter their passwords in a spoofed OS window?
7. Experimental design
“Give us your opinion about online games”
“Is the password you entered real?”
“May we keep it for research?”
33. Conditions
Dialog type: UAC, CredUI, Mac OS w/ install, Mac OS w/o install
Cancel button: enabled, disabled
(each dialog type was tested with Cancel enabled and with Cancel disabled)
34. Challenges in learning what really happened
How can we know which participants entered real passwords?
• If deceived, participants may be/feel (deeply) harmed
• Participants may not want to admit being deceived
• We cannot ethically/legally verify that we’ve tricked them without their consent
How can we know which participants detected spoofing?
• People don't like admitting that they were fooled
35. How do we determine if a participant knew that the window was spoofed?
37. Participants' demographics
504 US-only participants across 11 conditions:
• Average age 28 years (σ=9.6 years)
• 55% males, 78% caucasian
• Top two reported occupations: 33% students, 13% unemployed
• Average time to complete study 17 min 23 sec (σ=18 min 15 sec)
199 US-only participants in follow-up experiment:
• Average age 29 years (σ=9.7 years)
• 53% males, 77% caucasian
• Top two reported occupations: 28% students, 16% unemployed
• Average time to complete study 19 min 57 sec (σ=8 min 26 sec)
38. We categorize participants into three groups: wise to the attack, oblivious, and compromised
39. Who was wise to the attack?
[Chart: percentage of participants per condition. Columns: UAC, CredUI, Mac OS w/ install, Mac OS w/o install; rows: Cancel enabled, Cancel disabled. Values as extracted from the chart, in order: 27%, 29%, 34%, 40%, 29%, 19%, 29%, 57%]
40. Who was oblivious?
[Chart: percentage of participants per condition. Columns: UAC, CredUI, Mac OS w/ install, Mac OS w/o install; rows: Cancel enabled, Cancel disabled. Values as extracted from the chart, in order: 40%, 37%, 45%, 45%, 43%, 42%, 65%, 39%]
41. Who was compromised?
[Chart: percentage of participants per condition. Columns: UAC, CredUI, Mac OS w/ install, Mac OS w/o install; rows: Cancel enabled, Cancel disabled. Values as extracted from the chart, in order: 27%, 35%, 21%, 15%, 8%, 6%, 4%, 8%]
43. Limitations of deception
In both cases: dialog embedded in browser
In Windows: no screen dim-out
In Mac OS: no username filled in, simplified installation sequence
Despite these differences, we still had participants who entered their credentials:
• At least 15% in Windows 7/Vista across IE9, Chrome, and Firefox
• ~6% in Mac OS across Safari, Chrome and Firefox
• For comparison: 5% for fake AV attacks [Cova et al. 2010, 2012]
44. Conclusions and future work
A large number of users are not able to discriminate whether information comes from the OS or a malicious attacker
Problem may be worsened by:
• Habituation to dialogs
• Lack of attention, not knowing what to look for/where to look
Future work:
• Design and test new ways to drive users' attention to critical information in the security dialog
• Determine how quickly habituation occurs, and ways to avoid it