Yuan Niu
Department of Computer Science
University of California, Davis
Davis, 95616
http://midgard.cs.ucdavis.edu/~niu
Phishing on Internet Ready Consumer Devices
People
Faculty: Hao Chen
Students: Yuan Niu and Francis Hsu
Overview
More and more consumer devices are being equipped with the ability to access the Internet, and many services previously limited to personal computers, such as online banking, are being ported to mobile platforms. We examined three devices and their browsers: the iPhone (Safari), the Nintendo DS (Opera), and the Nintendo Wii (Opera).
These devices are limited by the following factors:
- Screen size: The content pane is maximized at the cost of other information, and the URL (address) bar is usually the element that disappears. Even when it is shown, the URL usually cannot be seen completely because the address bar is so narrow.
- Input: There is no keyboard or mouse (except possibly on the Wii) to make typing and clicking easier. Input is less precise and slower than on a keyboard.
- Updates: The browsers run on restricted software platforms. Users cannot download add-ons to extend or customize the browser, and in some cases updating the software is impossible.
We examined the iPhone in detail because it's the most likely to be used for online banking and because of its popularity. We found vulnerabilities in the following categories:
- User Input: Typing is tedious, which makes it tempting for users to follow links in e-mails rather than type URLs manually. The lack of shortcuts makes switching between applications slower than the almost instantaneous process on desktops, again making it tempting to follow links whenever possible.
- URL Truncation: If a URL is too long, a substantial middle portion is truncated and replaced with "..." with no way to expand the truncated section in hover mode. In normal display mode, only the first portion of the URL that fits in the address bar is displayed.
- Address Bar: The browser scrolls the address bar along with the page content, so a simple JavaScript scrollTo() call can hide the address bar on page load. This is DESIRED behavior from a site's point of view, and we have observed its use on the mobile versions of the Bank of America, Amazon, and Facebook pages.
- Chrome simplicity: Because the address bar is not a permanent part of the browser chrome, the same scrollTo() trick combined with a JavaScript scroll listener can force the page to stay at an arbitrary position, with a faked address bar rendered as page content in place of the real one.
- SSL: If a site yields an SSL certificate error, the user has no choice except to proceed or cancel. There is no way to see the reason for the error or to examine the certificate.
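The URL Truncation point above is easy to reason about with a small experiment. The following is an added example written for this page, not code from the iPhish project: it compares a naive middle-truncation of a URL (the "..." behavior described above) with a hostname-first rendering that never drops the host, and checks whether the host remains visible in each. The sample URL and the 40-character width are constructed for the illustration; the comparison generalizes to any URL and bar width.

```javascript
// Added example, not part of the iPhish project. Demonstrates why middle-truncating
// a URL to fit a narrow address bar hides the security-relevant part (the host),
// and how a host-first rendering keeps it visible.

// Constructed sample: a long but ordinary mobile-banking style URL (85 characters).
const SAMPLE_URL =
  "https://mobile.example.com/banking/account/summary?session=abcdef0123456789&view=full";

// Naive middle truncation: keep the head and tail, replace the middle with "...".
// This mirrors the hover-mode behavior described above.
function middleTruncate(url, maxLen) {
  if (url.length <= maxLen) return url;
  const keep = maxLen - 3;                  // room left after the ellipsis
  const head = Math.ceil(keep / 2);
  const tail = Math.floor(keep / 2);
  return url.slice(0, head) + "..." + url.slice(url.length - tail);
}

// Host-first rendering: the hostname is always shown in full; only the
// path/query part is cut to fit. If the host alone exceeds the width, the
// host is shown unmodified rather than truncated (an assumed policy here).
function hostnameFirst(url, maxLen) {
  const u = new URL(url);
  const host = u.hostname;
  const rest = url.slice(u.origin.length);  // path + query + fragment
  if (host.length >= maxLen) return host;
  const room = maxLen - host.length;
  if (rest.length <= room) return host + rest;
  return host + rest.slice(0, room - 3) + "...";
}

// Check used by both renderings: does the displayed string still contain
// the full hostname the user would need to verify?
function hostVisible(display, url) {
  return display.includes(new URL(url).hostname);
}

// Stand-alone run: print both renderings at a 40-character width.
for (const render of [middleTruncate, hostnameFirst]) {
  const shown = render(SAMPLE_URL, 40);
  console.log(`${render.name.padEnd(14)} ${shown}  host visible: ${hostVisible(shown, SAMPLE_URL)}`);
}
```

With a 40-character bar, middle truncation leaves "https://mobile.exam...23456789&view=full", in which the host cannot be verified, while the host-first rendering shows "mobile.example.com/banking/account/su..." and keeps the host intact; the host-first policy is the one a browser or reviewer would want on a narrow screen.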
Publications
iPhish: Phishing Vulnerabilities on Consumer Electronic Devices.
Yuan Niu, Francis Hsu, and Hao Chen.
Proceedings of the Usability, Psychology, and Security Workshop (UPSEC '08).