DOI: 10.1145/2393132.2393170
research-article

A usability test of whitelist and blacklist-based anti-phishing application

Published: 03 October 2012

Abstract

Anti-phishing tools in a web browser warn about spoofed pages and/or present essential information that helps users identify spoofed and potentially harmful pages. To discover how well users can identify phishing pages with these tools once they understand how the tools work, we designed and conducted usability tests for two detection mechanisms of anti-phishing tools: the blacklist-based and the whitelist-based anti-phishing toolbars. We report that no significant performance differences were found between the blacklist-based and whitelist-based applications, but some other interesting findings and observations were collected. The most valuable observation is that, because of the deficiency of the existing web identity indicators on web pages and in web browsers (e.g. abstract and professional web page security certificate information), anti-phishing toolbars need to be more illustrative and instructional in order to help users find reliable information for judging the authenticity of the content on web pages.



Published In

MindTrek '12: Proceeding of the 16th International Academic MindTrek Conference
October 2012
278 pages
ISBN: 9781450316378
DOI: 10.1145/2393132
Conference Chair: Artur Lugmayr

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. phishing
  2. phishing prevention
  3. usability

Qualifiers

  • Research-article

Conference

AcademicMindTrek '12

Acceptance Rates

MindTrek '12 Paper Acceptance Rate 19 of 43 submissions, 44%;
Overall Acceptance Rate 110 of 207 submissions, 53%
