Personalized Security Indicators to Detect Application Phishing Attacks in Mobile Platforms
Claudio Marforio, Ramya Jayaram Masti, Claudio Soriente, Kari Kostiainen, Srdjan Capkun

TL;DR
This paper demonstrates that personalized security indicators can effectively help users detect mobile application phishing attacks, challenging previous beliefs about their ineffectiveness, supported by a large user study and a new setup protocol.
Contribution
It provides empirical evidence that personalized security indicators improve phishing detection in mobile apps and introduces a novel, secure setup protocol for these indicators.
Findings
Significant increase in phishing detection with personalized indicators
Users without indicators failed to detect phishing attacks
Proposed setup protocol enhances security and usability
Abstract
Phishing in mobile applications is a relevant threat with successful attacks reported in the wild. In such attacks, malicious mobile applications masquerade as legitimate ones to steal user credentials. In this paper we categorize application phishing attacks in mobile platforms and possible countermeasures. We show that personalized security indicators can help users to detect phishing attacks and have very little deployment cost. Personalized security indicators, however, rely on the user alertness to detect phishing attacks. Previous work in the context of website phishing has shown that users tend to ignore the absence of security indicators and fall victim of the attacker. Consequently, the research community has deemed personalized security indicators as an ineffective phishing detection mechanism. We evaluate personalized security indicators as a phishing detection solution in…
Taxonomy
Topics: Spam and Phishing Detection · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
