52 research outputs found

    User experiences of TORPEDO: TOoltip-poweRed Phishing Email DetectiOn

    We propose a concept called TORPEDO to improve phish detection by providing just-in-time and just-in-place trustworthy tooltips. These help people to identify phish links embedded in emails. TORPEDO's tooltips contain the actual URL with the domain highlighted. Link activation is delayed for a short period, giving the person time to inspect the URL before they click on a link. Furthermore, TORPEDO provides an information diagram to explain phish detection. We evaluated TORPEDO's effectiveness, as compared to the worst case “status bar” as provided by other Web email interfaces. People using TORPEDO performed significantly better in detecting phishes and identifying legitimate emails (85.17% versus 43.31% correct answers for phish). We then carried out a field study with a number of TORPEDO users to explore actual user experiences of TORPEDO. We conclude the paper by reporting on the outcome of this field study and suggest improvements based on the feedback from the field study participants

    On the Effectiveness of Anti-Phishing Training (Über die Wirksamkeit von Anti-Phishing-Training)

    Phishing is still a widespread problem on the Internet. The consequences of phishing can be both financial and personal in nature. Phishing attacks are becoming more sophisticated and can no longer be identified simply by incorrect spelling or grammar. It is therefore important for Internet users to understand the structure of URLs in order to protect themselves against phishing attacks. The "NoPhish" training we developed is based on the idea of giving users both the necessary awareness and the necessary skills to identify phishing attacks. We evaluated NoPhish empirically in a user study and can show a significant improvement of the participants in these areas.

    Development of an Interface for Privacy-Friendly Cookie Settings (Entwicklung eines Interfaces zur privacy-friendly Cookie-Einstellung)

    Existing cookie-settings interfaces are insufficient to enable users to make an informed decision. The aim of the study was to develop a new configuration interface that informs users about how different cookies work and offers the possibility of changing the settings. Existing messages were developed further with focus groups, and the final interface was evaluated in an online study with 37 participants. Three setting options were worked out for the interface, representing different trade-offs between short- and long-term protection and possible restrictions in functionality. The evaluation showed that more than 75% of the participants would change the settings towards long-term protection. A majority of those who decided against long-term protection did so deliberately, in order not to have to restrict their convenience

    Home Sweet Home? Investigating Users’ Awareness of Smart Home Privacy Threats

    Albeit providing many benefits, smart homes collect and process large amounts of sensitive data. In order to successfully cope with the resulting risks for their privacy, users have to be aware of potential privacy threats and consequences in the first place. Since research in other contexts has shown that users often lack this awareness even when it comes to well-known technologies, e.g., Online Social Networks (OSN), it is crucial to investigate users' awareness of threats related to the use of unfamiliar technologies like smart homes. To this end, we conducted a survey study with 1052 lay users. By prompting participants to state all consequences that could potentially result from using smart home and smart health devices as well as OSN, we find that most participants were unable to state a single privacy consequence. Instead, most referred to general privacy issues (e.g., profiling, data collection) or threats related to non-privacy topics, such as security problems resulting from defect smart home devices. Since our participants were least aware of potential privacy consequences resulting from the use of smart home devices, further effort is necessary to inform lay users about possible privacy threats, e.g., by launching public campaigns or conducting trainings and interventions directly implemented in the UIs of smart home systems

    Investigating People’s Privacy Risk Perception

    Although media reports often warn about risks associated with using privacy-threatening technologies, most lay users lack awareness of particular adverse consequences that could result from this usage. Since this might lead them to underestimate the risks of data collection, we investigate how lay users perceive different abstract and specific privacy risks. To this end, we conducted a survey with 942 participants in which we asked them to rate nine different privacy risk scenarios in terms of probability and severity. The survey included abstract risk scenarios as well as specific risk scenarios, which describe specifically how collected data can be abused, e.g., to stalk someone or to plan burglaries. To gain broad insights into people's risk perception, we considered three use cases: Online Social Networks (OSN), smart home, and smart health devices. Our results suggest that abstract and specific risk scenarios are perceived differently, with abstract risk scenarios being evaluated as likely, but only moderately severe, whereas specific risk scenarios are considered to be rather severe, but only moderately likely. People, thus, do not seem to be aware of specific privacy risks when confronted with an abstract risk scenario. Hence, privacy researchers or activists should make people aware of what collected and analyzed data can be used for when abused (by the service or even an unauthorized third party)

    Encouraging Privacy-Aware Smartphone App Installation: Finding out what the Technically-Adept Do

    Smartphone apps can harvest very personal details from the phone with ease. This is a particular privacy concern. Unthinking installation of untrustworthy apps constitutes risky behaviour. This could be due to poor awareness or a lack of knowhow: knowledge of how to go about protecting privacy. It seems that Smartphone owners proceed with installation, ignoring any misgivings they might have, and thereby irretrievably sacrifice their privacy

    NoPhish App Evaluation: Lab and Retention Study

    Phishing is a prevalent issue of today’s Internet. Previous approaches to counter phishing do not draw on a crucial factor to combat the threat - the users themselves. We believe user education about the dangers of the Internet is a further key strategy to combat phishing. For this reason, we developed an Android app, a game called –NoPhish–, which educates the user in the detection of phishing URLs. It is crucial to evaluate NoPhish with respect to its effectiveness and the users’ knowledge retention. Therefore, we conducted a lab study as well as a retention study (five months later). The outcomes of the studies show that NoPhish helps users make better decisions with regard to the legitimacy of URLs immediately after playing NoPhish as well as after some time has passed. The focus of this paper is on the description and the evaluation of both studies. This includes findings regarding those types of URLs that are most difficult to decide on as well as ideas to further improve NoPhish.

    Encouraging Privacy-Aware Smartphone App Installation: What Would the Technically-Adept Do

    Smartphone apps can harvest very personal details from the phone with ease. This is a particular privacy concern. Unthinking installation of untrustworthy apps constitutes risky behaviour. This could be due to poor awareness or a lack of knowhow: knowledge of how to go about protecting privacy. It seems that Smartphone owners proceed with installation, ignoring any misgivings they might have, and thereby irretrievably sacrifice their privacy

    I (don't) see what you typed there! Shoulder-surfing resistant password entry on gamepads

    Using gamepad-driven devices like games consoles is an activity frequently shared with others. Thus, shoulder-surfing is a serious threat. To address this threat, we present the first investigation of shoulder-surfing resistant text password entry on gamepads by (1) identifying the requirements of this context; (2) assessing whether shoulder-surfing resistant authentication schemes proposed in non-gamepad contexts can be viably adapted to meet these requirements; (3) proposing "Colorwheels", a novel shoulder-surfing resistant authentication scheme specifically geared towards this context; (4) using two different methodologies proposed in the literature for evaluating shoulder-surfing resistance to compare "Colorwheels", on-screen keyboards (the de facto standard in this context), and an existing shoulder-surfing resistant scheme which we identified during our assessment and adapted for the gamepad context; (5) evaluating all three schemes regarding their usability. Having applied different methodologies to measure shoulder-surfing resistance, we discuss their strengths and pitfalls and derive recommendations for future research