This document summarizes a study that tested how susceptible users are to entering their passwords into fake password dialog boxes created by attackers. Researchers created fake password dialogs mimicking Windows and Mac operating systems and found that 15-35% of participants entered their real passwords. While some users detected the spoofing, many were either oblivious or compromised. The researchers conclude that users have difficulty determining whether information comes from the actual OS or an attacker. Future work should focus on designing security dialogs that better capture users' attention.

1. CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Operating system framed in
case of mistaken identity
Measuring the success of web-based spoofing
attacks on OS password-entry dialogs
Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri, Manya
Sleeper (Carnegie Mellon University)
Stuart Schechter (Microsoft Research)

2. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
22
Motivation
 Users have to make security decisions too often
 Decisions are usually based on:
• Information presented on-the-fly by different principals (OS,
browser, etc.)
• Beliefs, knowledge, hunches...
 Many decisions are triggered by security dialogs

3. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
33
Trusted path problem
 How do users know that information presented by the OS
really comes from the OS?
 Would users be able to spot fake dialogs asking for a
password?

4. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
44
Possible consequences
 Install or run malicious software (e.g., fake AV software)
 Ignore security warnings
 Turn OS security features off
 Reveal secrets that should only be shared with OS
(passwords)

5. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
55
Windows has two defenses
 Ctrl-Alt-Del before entering
password
• “Don't enter your password
without hitting Ctrl-Alt-Del”
 Trusted desktop:
• Dimming screen outside of UAC
dialog
• “Enter your password without
Ctrl-Alt-Del only if screen dims”

6. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
66
Research question
What proportion of users would enter their
passwords in a spoofed OS window?

7. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
77
Experimental design
“Give us your opinion
about online games”
“Is the password
you entered real?”
“May we keep it
for research?”

8. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1010
1010

9. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1212
1212

10. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1414
1414

11. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1616
1616

12. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1717
1717

13. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1818
1818

14. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1919
1919

15. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2020
2020

16. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2121
2121

17. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2222
2222

18. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2323
2323

19. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2424
2424

20. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2525
2525

21. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2626
2626

22. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2727
2727

23. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2828
2828

24. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2929
2929

25. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3030
3030

26. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3131
3131

27. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3232
3232

28. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3535
3535

29. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3636
3636

30. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3838
3838

31. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3939
3939

32. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4040
4040

33. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4242
Conditions
UAC CredUI Mac OS w/
install Mac OS w/o install
Cancel
enabled
Cancel
disabled

34. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4343
Challenges in learning what really happened
 How can we know which participants entered real
passwords?
• If deceived, participants may be/feel (deeply) harmed
• Participants may not want to admit being deceived
• We cannot ethically/legally verify that we’ve tricked them
without their consent
 How can we know which participants detected spoofing?
• People don't like admitting that they were fooled

35. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4444
How do we determine if a participant knew that
the window was spoofed?

36. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4646
Results

37. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4747
Participants' demographics
 504 US-only participants across 11 conditions:
• 28 years old (σ=9.6 years)
• 55% males, 78% caucasian
• Top two reported occupations: 33% students, 13% unemployed
• 17 min 23 sec to complete study (σ=18 min 15 sec)
 199 US-only participants in follow-up experiment:
• 29 years old (σ=9.7 years)
• 53% males, 77% caucasian
• Top two reported occupations: 28% students, 16% unemployed
• 19 min 57 sec to complete study (σ=8 min 26 sec)

38. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4848
We categorize participants into three groups

39. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4949
Who was wise to the attack?
UAC CredUI Mac OS w/
install Mac OS w/o install
Cancel
enabled
Cancel
disabled
27%
29%
34%
40%
29%
19%
29%
57%

40. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5050
Who was oblivious?
UAC CredUI Mac OS w/
install Mac OS w/o install
Cancel
enabled
Cancel
disabled
40%
37%
45%
45%
43%
42%
65%
39%

41. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5151
Who was compromised?
UAC CredUI Mac OS w/
install Mac OS w/o install
Cancel
enabled
Cancel
disabled
27%
35%
21%
15%
8% 6%
4%8%

42. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5252
Follow-up for UAC, cancel-enabled
[15.0% – 26.2%]
[25.2% – 38.2%]
[40.8% – 54.6%]

43. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5353
Limitations of deception
 In both cases: dialog embedded in browser
 In Windows: no screen dim-out
 In Mac OS: no username filled-in, simplified installation
sequence
 Despite these differences, we still had participants who entered
their credentials:
• At least 15% in Windows 7/Vista across IE9, Chrome, and Firefox
• ~ 6% in Mac OS across Safari, Chrome and Firefox
• 5% fake AV attacks [Cova et al. 2010, 2012]

44. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5454
Conclusions and future work
 A large number of users are not able to discriminate whether
information comes from the OS or a malicious attacker
 Problem may be worsened by:
• Habituation to dialogs
• Lack of attention, not knowing what to look for/where to look
 Future work:
• Design and test new ways to drive users' attention to critical
information in the security dialog
• Determine how quickly habituation occurs, and ways to avoid it

45. CMU Usable Privacy and Security
Laboratory
http://cups.cs.cmu.edu/