Title :
UI-Dressing to Detect Phishing
Author :
Iacono, Luigi Lo ; Hoai Viet Nguyen ; Hirsch, Tobias ; Baiers, Maurice ; Moller, Sebastian
Author_Institution :
Cologne Univ. of Appl. Sci., Cologne, Germany
Abstract :
Phishing has been and still is a prevalent attack causing serious damage to numerous ingenuous Internet users every year. Usable security is understood as one required pillar for developing effective protection means in this context. We therefore survey and discuss available usable security mechanisms against phishing. Our investigations show that existing solutions contain too many obstacles for the users. This experienced ambiguity is further amplified by the vast amount of distinct designs varying amongst vendors, platforms and versions of web browsers even within one class of security warnings. This paper introduces a novel anti-phishing mechanism which relies on the idea that the whole appearance of a web application is dressable according to an individual user's preferences. The guiding principle behind our proposal is to implant security warnings as an intrinsic part of the application instead of having them placed somewhere in the runtime environment, which is the web browser in this context. One goal is to render the cloning of a website practically infeasible for an attacker by increasing the number of web pages to retrieve and store in order to create an identical copy of that site. The second and more important goal is to raise the attention of the users for an unofficial site due to a wrong appearance which is not in conformance with an actual user's page dress. A user study based on a developed online banking service supporting our suggested UI-Dressing has been conducted. It reveals that the proposed approach has the desired effect in empowering users to detect fake sites and thus makes our introduced approach a valuable path to follow up.
Keywords :
Internet; Web sites; computer crime; data protection; online front-ends; unsolicited e-mail; Internet users; UI-dressing; Web application; Web browsers; Web pages; Website; antiphishing mechanism; attack; fake sites detection; online banking service; phishing detection; protection means; security warnings; usable security; user page dress; user preferences; Authentication; Browsers; Internet; Online banking; User interfaces; Web pages; Phishing; UI-Dressing; Usable Security; Warnings;
Conference_Title :
High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC,CSS,ICESS), 2014 IEEE Intl Conf on
Print_ISBN :
978-1-4799-6122-1
DOI :
10.1109/HPCC.2014.126