  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
21

Usability engineering for code-based multi-factor authentication

Roy, Graeme Stuart January 2013
The increase in the use of online banking and other alternative banking channels has led to improved flexibility for customers but also an increase in the amount of fraud across these channels. The industry recommendation for banks and other financial institutions is to use multi-factor customer authentication to reduce the risk of identity theft and fraud for those choosing to use such banking channels. There are few multi-factor authentication solutions available for banks to use that offer a convenient security procedure across all banking channels. The CodeSure card presented in this research is such a device offering a convenient, multi-channel, two-factor code-based security solution based on the ubiquitous Chip-and-PIN bank card. In order for the CodeSure card to find acceptance as a usable security solution, it must be shown to be easy to use and it must also be easy for customers to understand what they are being asked to do, and how they can achieve it. This need for a usability study forms the basis of the research reported here. The CodeSure card is also shown to play a role in combating identity theft. With the growing popularity of online channels, this research also looks at the threat of phishing and malware, and awareness of users about these threats. Many banks have ceased the use of email as a means to communicate with their customers as a result of the phishing threat, and an investigation into using the CodeSure card's reverse (sender) authentication mode is explored as a potential solution in regaining trust in the email channel and reintroducing it as a means for the bank to communicate with its customers. In the 8 experiments presented in this study the CodeSure card was rated acceptably high in terms of mean usability. 
Overall, the research reported here is offered in support of the thesis that a usable security solution predicated on code-based multi-factor authentication will result in tangible improvements to actual security levels in banking and eCommerce services, and that the CodeSure card as described here can form the basis of such a usable security solution.
22

Internet phishing hook, line and hopefully not sunk.

Munien, Rajan. January 2010
This study is based on the subject of internet phishing, and the primary goal was to ascertain the level of awareness thereof that exists amongst online users in the Durban area, and to determine if users were able to identify the common characteristics of a phishing attack. Associated research objectives were also to establish whether users were au fait with the concept of internet security, and how the correct implementation of this line of defence can prevent possible further or future attacks. Based on the findings of this research, it is further envisaged that a platform be provided to launch a robust awareness programme to attack the insidious invader, thus avoiding and preventing any intentional havoc from being successfully perpetrated. An online questionnaire, being quantitative in nature and comprising 19 questions, was administered to 500 participants. A two-month data collection period was allotted. The questionnaire was completed by 228 respondents, and one of the prerequisites was that they be located in Durban. The data collected was analysed using the Statistical Package for the Social Sciences (SPSS) software. Although the analysis revealed that the level of awareness on the subject matter is average, the incidents of phishing attacks are clearly increasing. The deduction made is that the methods currently deployed to create awareness are obviously not having the desired effect, proving that this strategy has to be revisited urgently. The findings also demonstrate that internet phishing is everyone's responsibility and it is considered prudent for all internet users to make a concerted effort to learn more about the subject. The results concluded that a direct relationship existed between users' level of awareness and the efficacy of internet security installed on a computer.
Users who were knowledgeable about the subject, and had installed Internet security software, generally did not experience malicious attacks and were less likely to be targeted. The overall findings presented in this study provide the aforementioned platform upon which an awareness campaign can be formulated to reduce the success rate, and the number, of highly probable future phishing attacks on a previously unsuspecting public. / Thesis (MBA)-University of KwaZulu-Natal, Westville, Westville, 2010.
23

Comparing the relative efficacy of phishing emails

Lingaas Türk, Jakob January 2020
This study aimed to examine if there was a difference in how likely a victim is to click on a phishing email’s links based on the content of the email, the tone and language used and the structure of the code. This likelihood also includes the email’s ability to bypass spam filters. Method: The method used to examine this was a simulated phishing attack. Six different phishing templates were created and sent out via the Gophish framework to target groups of students (from Halmstad University), from a randomized pool of 20.000 users. The phishing emails contained a link to a landing page (hosted via a virtual machine) which tracked user status. The templates were: Covid19 Pre-Attempt, Spotify Friendly CSS, Spotify Friendly Button, Spotify Aggressive CSS, Spotify Aggressive Button, Student Union. Results: Covid19 Pre-Attempt: 72.6% initial spam filter evasion, 45.8% spam filter evasion, 4% emails opened and 100% links clicked. Spotify Friendly CSS: 50% initial spam filter evasion, 38% spam filter evasion, 26.3% emails opened and 0% links clicked. Spotify Friendly Button: 59% initial spam filter evasion, 28.8% spam filter evasion, 5.8% emails opened and 0% links clicked. Spotify Aggressive CSS: 50% initial spam filter evasion, 38% spam filter evasion, 10.5% emails opened, and 100% links clicked. Spotify Aggressive Button: 16% initial spam filter evasion, 25% spam filter evasion, 0% emails opened and 0% emails clicked. Student Union: 40% initial spam filter evasion, 75% spam filter evasion, 33.3% emails opened and 100% links clicked. Conclusion: Differently structured emails have different capabilities for bypassing spam filters and for deceiving users. Language and tone appear to affect phishing email efficacy; the results suggest that an aggressive and authoritative tone heightens a phishing email’s ability to deceive users, but seems to not affect its ability to bypass spam filters to a similar degree.
Authenticity appears to affect email efficacy; the results showed a difference in deception efficacy if an email was structured like that of a genuine sender. Appealing to emotions such as stress and fear appears to increase the phishing email’s efficacy in deceiving a user. / The purpose of this study was to investigate whether there was a difference in how likely a victim is to click on the links in a phishing email, based on the content of the email, the tone and language used and the structure of the code. This likelihood also includes the email's ability to bypass spam filters. Method: The method used was a simulated phishing attack. Six different phishing templates were created and sent out via the Gophish framework to the target group consisting of students (from Halmstad University), from a random pool of 20,000 users. The phishing emails contained a link to a landing page (hosted via a virtual machine) that tracked user status. The templates were: Covid19 Pre-Attempt, Spotify Friendly CSS, Spotify Friendly Button, Spotify Aggressive CSS, Spotify Aggressive Button, Student Union. Results: Covid19 Pre-Attempt: 72.6% bypassed the primary spam filter, 45.8% bypassed the secondary spam filter, 4% emails opened and 100% links clicked. Spotify Friendly CSS: 50% bypassed the primary spam filter, 38% bypassed the secondary spam filter, 26.3% emails opened and 0% links clicked. Spotify Friendly Button: 59% bypassed the primary spam filter, 28.8% bypassed the secondary spam filter, 5.8% emails opened and 0% links clicked. Spotify Aggressive CSS: 50% bypassed the primary spam filter, 38% bypassed the secondary spam filter, 10.5% emails opened and 100% links clicked. Spotify Aggressive Button: 16% bypassed the primary spam filter, 25% bypassed the secondary spam filter, 0% emails opened and 0% emails clicked.
Student Union: 40% bypassed the primary spam filter, 75% bypassed the secondary spam filter, 33.3% emails opened and 100% links clicked. Conclusion: Differently structured emails have different capabilities for bypassing spam filters and for deceiving users. Language and tone appear to affect the efficacy of email phishing. The results suggest that an aggressive and authoritarian tone increases the phishing email's ability to deceive users, but does not seem to affect its ability to bypass spam filters to a corresponding degree. Authenticity appears to affect the email's efficacy, as the results showed a difference in efficacy if an email was structured like that of a genuine sender. Addressing emotions such as stress and fear appears to increase the phishing email's efficacy when it comes to deceiving a user.
24

A study on how well Swedish internet users detect phishing in Swedish compared to English

Pettersson, Rickard January 2020
This study has examined a relatively unexplored area within phishing: the effect of language on people's susceptibility to phishing. The purpose of the study was to investigate how large the difference is between how well Swedish Internet users can detect phishing emails in Swedish compared with English. For this purpose, a web survey was created with 32 emails in both Swedish and English. The 32 emails were divided into four equally sized groups based on the type and language of the email. The participants were then asked to categorize the emails as either legitimate or phishing. The target group for the study consisted of Internet users aged 18–81 with Swedish as their mother tongue. A quantitative method was applied to the questionnaire, after which statistical analyses were used to address the purpose of the study. The results of the study show a significant difference (p = 0.039) between how well Swedish Internet users detect phishing in Swedish compared with English. The participants incorrectly identified 20% of the English phishing emails and 17% of the Swedish phishing emails as legitimate. The result shows weak indications that Swedish Internet users are better at detecting phishing in Swedish than in English. The result of the study also shows strong indications that English language ability and IT competence are significant factors in identifying legitimate English emails. There were no signs suggesting that these factors made the participants better at detecting English phishing emails. However, the result suggests that the participants may have used non-linguistic cues to identify the English phishing emails. / This study has examined a relatively unexplored area of phishing; the impact of language on people's susceptibility to phishing. The purpose of the study was to investigate how big the difference is between how well Swedish Internet users can detect phishing emails in Swedish compared to English.
For this purpose, an online questionnaire was created containing 32 emails in both Swedish and English. The 32 emails were divided into four equally large groups based on the type and language of the email. Participants were then asked to categorize the emails as either legitimate or phishing. The target group of the study consisted of Internet users between the ages of 18 and 81 with Swedish as their native language. A quantitative method was applied to the questionnaire, whereupon statistical analyses were used to answer the purpose of the study. The results of the study show a significant difference (p = 0,039) between how well Swedish Internet users detect phishing in Swedish compared to English. The participants incorrectly identified 20% of the English phishing emails and 17% of the Swedish phishing emails as legitimate. This result shows a weak indication that Swedish internet users are better at detecting phishing in Swedish compared to English. Furthermore, the results strongly indicate that English language skills and IT-competence are important factors when identifying English legitimate emails. There were no signs indicating that those two factors made the participants better at detecting English phishing emails. However, findings in the study suggest that the participants may have used non-language cues to identify the English phishing emails.
25

Effective Phishing Detection Using Machine Learning Approach

Yaokai, Yang 01 February 2019
No description available.
26

Does your company bite on false bait? : A study of how small and medium-sized enterprises in Sweden protect themselves against phishing emails.

Hägg, Filip, Johansson, Filip January 2023
The volume of phishing emails has steadily increased in recent years, particularly against companies and organizations. The purpose of this study is to examine how small and medium-sized IT-mature enterprises (SMEs) in Sweden protect themselves against phishing emails, their greatest challenges in doing so, and how they have experienced their exposure changing in recent years. Through this investigation, shortcomings in how the SMEs protect themselves have been identified and security measures that address the SMEs' challenges have been developed. Data was collected through both a literature study and semi-structured interviews with seven respondents from individual companies, all of whom had responsibility for some part of the information security work. The results show that the organizations protect themselves mainly by spreading information, while only a minority of the respondents train their employees. None of the respondents had any policy concerning the handling of phishing, and the use of basic technical protection was a common denominator. Regarding challenges, the results mainly show a difficulty in maintaining awareness among employees, and in identifying which technical protection solutions should be adapted. The majority of the respondents also experience increased exposure to phishing emails, which most also believe will increase in the future. Using the data collected from the interviews and existing literature, a list of recommended security measures was then produced that addresses the challenges the SMEs highlight. / The number of phishing emails has been constantly increasing in recent years, especially towards businesses and organizations. The purpose of this study is to investigate how small and medium-sized IT-mature enterprises (SMEs) in Sweden protect themselves against phishing emails, their biggest challenges regarding this, as well as how they perceive that their exposure to phishing emails has changed in recent years.
Through this study, gaps in how SMEs protect themselves have been identified and as a result, a list of security measures that address the SMEs' challenges has been produced. Data was gathered by conducting a literature study in conjunction with semistructured interviews with seven respondents, all of whom were from individual companies and had some responsibility for the information security work. The results show that all SMEs rely on information sharing as their primary method of protection against phishing emails, while only a small proportion invest in employee education. In addition, the SMEs use only basic technical security solutions and none of them have any dedicated policy for managing phishing. Regarding challenges, the results mainly show difficulties in maintaining awareness among employees and identifying which technical security solutions should be adapted. Furthermore, most of the respondents perceive that the exposure to phishing emails has increased and believe it will continue doing so in the future. With the collected data from the interviews and the literature study, a list of recommended security measures has been compiled which addresses the challenges highlighted by the SMEs.
27

It says I have a package to pick up, but I haven't ordered anything? - A qualitative interview study of how internet users detect and handle fraud attempts on the internet

Sonnesjö, Amanda, Blomstedt, Olle January 2023
Today's society has become increasingly digitalized, and one consequence of this is that digital fraud has increased. Digital fraud can take different forms, but in this study it was limited to phishing and its subcategories: spear phishing, vishing and smishing. These are variants of digital fraud in which the aim is to trick the user into handing over sensitive information digitally. The problem this study addressed was that there was a lack of knowledge among people regarding digital fraud, since many were still being deceived. The purpose of the study thus became to contribute increased knowledge about how digital fraud can be detected by those who have been targeted and what one should be attentive to as an individual. The research question in the study was therefore: In what ways do individuals try to handle the digital threats that exist on the internet? Together with the following sub-questions: What do individuals do to identify digital fraud? How do individuals assess the credibility of digital interactions? To answer the research question, the survey research strategy was used. The survey was carried out in the form of semi-structured interviews and data was collected on how the participants tried to identify digital fraud. The data was analyzed using thematic analysis. The results of the study showed that despite limited formal education in the subject, most seemed to have developed similar strategies for detecting digital fraud. Many, however, were unsure about what protection they had against these threats. The results pointed to a need for more information about digital fraud, especially for older people. The study's conclusions highlight the need to address the identified knowledge gap and underline the importance of individuals being vigilant and critical when it comes to digital interactions. Future measures should focus on raising awareness of digital fraud, educating individuals about safe methods for digital interactions and especially supporting those who may be more exposed to these threats.
Finally, the study stresses the importance of companies, authorities and organizations taking responsibility for keeping themselves up to date and providing information about potential digital fraud. The study belongs to the area of information security within computer and systems sciences. / Today's society has become increasingly digitized, and as a result, digital fraud has increased. Digital fraud can take various forms, but in this study, it was limited to phishing and its subcategories: spear phishing, vishing, and smishing. These are variations of digital fraud where the purpose is to deceive users into disclosing sensitive information digitally. The problem addressed in this study was the lack of knowledge among people regarding digital fraud, as many were still being deceived. The purpose of the study was therefore to contribute to increased awareness of how digital fraud can be detected by those who have been targeted and what individuals should be mindful of. Thus, the research question of the study was: In what ways do individuals attempt to manage the digital threats present on the internet? With the following sub-questions: What do individuals do to identify digital scams? How do individuals assess the credibility of digital interactions? To answer the research question, we used the research strategy survey. The survey was conducted in the form of semi-structured interviews, and data was collected on how the selected participants try to identify digital fraud and the collected material was analyzed using thematic analysis. The data was analyzed using thematic analysis. The study's findings indicated that despite limited formal education on the subject, most participants seemed to have developed similar strategies to detect digital fraud. However, many were unsure about the level of protection they had against these threats. The results highlighted the need for more information about digital fraud, especially for older individuals.
The study's conclusions emphasize the necessity of addressing the identified knowledge gap and underscore the importance of individuals being vigilant and critical in their digital interactions. Future actions should focus on raising awareness about digital fraud, educating individuals on secure methods of digital interactions, and providing support to those who may be more vulnerable to these threats. Lastly, the study emphasizes the significance of companies, authorities, and organizations taking responsibility for staying updated and providing information about potential digital fraud. The study falls within the field of information security in data and systems science.
28

How training in phishing changes the perception of a secure email : A qualitative study of how mental models of a secure email are changed by phishing training

Andersson, Niklas January 2021
This study examined what the mental model of a secure email looks like for a user who has no prior training in information security. The participants were first tested once and then given training material about phishing, and were then tested again to see how the mental model changed. This was achieved with semi-structured interviews. The participants were assigned a role to play and were then shown emails and asked to say how they, in their role, would handle the email. The interview was then structured around their answers. The interviews were transcribed verbatim and analyzed with a content analysis. The results showed that before training the mental model consisted of the themes email address, familiarity, appearance, relevance, links and language. After training the mental model consisted of the themes email address, familiarity, appearance, relevance, links, language, file format, requested information and verifiability.
29

Robustifying Machine Learning based Security Applications

Jan, Steve T. K. 27 August 2020
In recent years, machine learning (ML) has been explored and employed in many fields. However, there are growing concerns about the robustness of machine learning models. These concerns are further amplified in security-critical applications — attackers can manipulate the inputs (i.e., adversarial examples) to cause machine learning models to make a mistake, and it's very challenging to obtain a large amount of attackers' data. These make applying machine learning in security-critical applications difficult. In this dissertation, we present several approaches to robustifying three machine learning based security applications. First, we start from adversarial examples in image recognition. We develop a method to generate robust adversarial examples that remain effective in the physical domain. Our core idea is to use an image-to-image translation network to simulate the digital-to-physical transformation process for generating robust adversarial examples. We further show these robust adversarial examples can improve the robustness of machine learning models by adversarial retraining. The second application is bot detection. We show that the performance of existing machine learning models is not effective if we only have the limited attackers' data. We develop a data synthesis method to address this problem. The key novelty is that our method is distribution aware synthesis, using two different generators in a Generative Adversarial Network to synthesize data for the clustered regions and the outlier regions in the feature space. We show the detection performance using 1% of attackers' data is close to existing methods trained with 100% of the attackers' data. The third component of this dissertation is phishing detection. By designing a novel measurement system, we search and detect phishing websites that adopt evasion techniques not only at the page content level but also at the web domain level.
The key novelty is that our system is built on the observation of the evasive behaviors of phishing pages in practice. We also study how existing browsers defend against phishing websites that impersonate trusted entities at the web domain. Our results show existing browsers are not yet effective to detect them. / Doctor of Philosophy / Machine learning (ML) is computer algorithms that aim to identify hidden patterns from the data. In recent years, machine learning has been widely used in many fields. The range of them is broad, from natural language to autonomous driving. However, there are growing concerns about the robustness of machine learning models. And these concerns are further amplified in security-critical applications — Attackers can manipulate their inputs (i.e., adversarial examples) to cause machine learning models to predict wrong, and it's highly expensive and difficult to obtain a huge amount of attackers' data because attackers are rare compared to the normal users. These make applying machine learning in security-critical applications concerning. In this dissertation, we seek to build better defenses in three types of machine learning based security applications. The first one is image recognition, by developing a method to generate realistic adversarial examples, the machine learning models are more robust for defending against adversarial examples by adversarial retraining. The second one is bot detection, we develop a data synthesis method to detect malicious bots when we only have the limited malicious bots data. For phishing websites, we implement a tool to detect domain name impersonation and detect phishing pages using dynamic and static analysis.
30

A Measurement Approach to Understanding the Data Flow of Phishing From Attacker and Defender Perspectives

Peng, Peng 10 January 2020
Phishing has been a big concern due to its active roles in recent data breaches and state-sponsored attacks. While existing works have extensively analyzed phishing websites and detection methods, there is still a limited understanding of the data flow of the phishing process. In this thesis, we perform an empirical measurement to draw a clear picture of the data flow of phishing from both attacker and defender perspectives. First, from attackers' perspective, we want to know how attackers collect the sensitive information stolen from victims throughout the end-to-end phishing attack process. So we collected more than 179,000 real-world phishing URLs. Then we build a measurement tool to feed fake credentials to live phishing sites and monitor how the credential information is shared with the phishing server and potentially third-party collectors on the client side. Besides, we also obtain phishing kits to analyze how credentials are sent to attackers and third-parties on the server side. Then, from defenders' perspective, online scan engines such as VirusTotal are heavily used by phishing defenders to label phishing URLs, however, the data flow behind phishing detection by those scan engines is still unclear. So we build our own phishing websites, submit them to VirusTotal for scanning, to understand how VirusTotal works and the quality of its labels. Our study reveals the key mechanisms for information sharing during phishing attacks and the need for developing more rigorous methodologies to assess and make use of the labels obtained from VirusTotal. / Master of Science / Phishing attack is the fraudulent attempt to lure the target users to give away sensitive information such as usernames, passwords and credit card details. Cybercriminals usually build phishing websites (mimicking a trustworthy entity), and trick users to reveal important credentials. However, the data flow of phishing process is still unclear.
From attackers' perspective, we want to know how attackers collect the sensitive information stolen by phishing websites. On the other hand, from defenders' perspective, we are trying to figure out how online scan engines (e.g., VirusTotal) detect phishing URLs and how reliable their detection results are. In this thesis, we perform an empirical measurement to help answer the two questions above. By monitoring and analyzing a large number of real-world phishing websites, we draw a clear picture of the credential sharing process during phishing attacks. Also, by building our own phishing websites and submitting to VirusTotal for scanning, we find that more rigorous methodologies to use VirusTotal labels are desperately needed.
