Rachna Dhamija's research while affiliated with Harvard University and other places

Publications (14)

Article
Web identity management systems are complex systems with powerful features - and many potential vulnerabilities. They aim to facilitate the management of identifiers, credentials, personal information, and the presentation of this information to other parties. In many schemes, an identity provider (IdP) issues identities or credentials to users, wh...
Conference Paper
Full-text available
In this paper, we propose and evaluate Use Your Illusion, a novel mechanism for user authentication that is secure and usable regardless of the size of the device on which it is used. Our system relies on the human ability to recognize a degraded version of a previously seen image. We illustrate how distorted images can be used to maintain the...
Article
We evaluate website authentication measures that are designed to protect users from man-in-the-middle, "phishing", and other site forgery attacks. We asked 67 bank customers to conduct common online banking tasks. Each time they logged in, we presented increasingly alarming clues that their connection was insecure. First, we removed HTTPS indicator...
Conference Paper
To build systems shielding users from fraudulent (or phishing) websites, designers need to know which attack strategies work and why. This paper provides the first empirical evidence about which malicious strategies are successful at deceiving general users. We first analyzed a large set of captured phishing attacks and developed a set of hypothese...
Conference Paper
Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard...
Conference Paper
In this paper, we propose a new class of Human Interactive Proofs (HIPs) that allow a human to distinguish one computer from another. Unlike traditional HIPs, where the computer issues a challenge to the user over a network, in this case, the user issues a challenge to the computer. This type of HIP can be used to detect phishing attacks, in which...
Conference Paper
Full-text available
Spyware is a significant problem for most computer users. The term "spyware" loosely describes a new class of computer software. This type of software may track user activities online and offline, provide targeted advertising and/or engage in other types of activities that users describe as invasive or undesirable. While the magnitude of the spyware...
Conference Paper
We describe a new animation technique for supporting interactive exploration of a graph. We use the well-known radial tree layout method, in which the view is determined by the selection of a focus node. Our main contribution is a method for animating the transition to a new layout when a new focus node is selected. In order to keep the transition...
Article
We describe a new animation technique for supporting interactive exploration of a graph. We use the well-known radial tree layout method, in which the view is determined by the selection of a focus node. Our main contribution is a method for animating the transition to a new layout when a new focus node is selected. In order to keep the transition e...
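The two abstracts above only name the technique (a radial tree layout chosen by a focus node, plus an animated transition when the focus changes). The following is an added illustration written for this page, not code from the paper or its authors: it builds the spanning tree from the chosen focus, assigns each subtree an angular sector proportional to its leaf count, and interpolates a re-focus in polar coordinates. The graph, the leaf-count sector rule and the shorter-arc interpolation are this example's own assumptions; the paper's actual constraints on the transition are cut off in the abstract and are not reproduced here.

```python
"""Radial tree layout driven by a focus node, with a polar-coordinate transition."""
import math
from collections import deque

# Constructed sample graph (undirected adjacency list); not data from the paper.
SAMPLE_GRAPH = {
    "a": ["b", "c", "d"],
    "b": ["a", "e", "f"],
    "c": ["a"],
    "d": ["a", "g"],
    "e": ["b"],
    "f": ["b"],
    "g": ["d"],
}


def spanning_tree(graph, focus):
    """Breadth-first spanning tree rooted at the focus node: children per node, in BFS order."""
    seen = {focus}
    children = {v: [] for v in graph}
    queue = deque([focus])
    while queue:
        node = queue.popleft()
        for nbr in sorted(graph[node]):
            if nbr not in seen:
                seen.add(nbr)
                children[node].append(nbr)
                queue.append(nbr)
    return children


def leaf_count(children, node):
    """Number of leaves below node (a leaf counts as 1); used to size angular sectors."""
    if not children[node]:
        return 1
    return sum(leaf_count(children, c) for c in children[node])


def radial_layout(graph, focus, ring_spacing=1.0):
    """Return {node: (radius, angle)}.  The focus sits at the origin, nodes at depth d lie on
    ring d, and each subtree gets an angular sector proportional to its leaf count so that
    crowded branches receive more room (assumed sector rule)."""
    children = spanning_tree(graph, focus)
    layout = {focus: (0.0, 0.0)}

    def place(node, depth, start, end):
        total = leaf_count(children, node)
        cursor = start
        for child in children[node]:
            span = (end - start) * leaf_count(children, child) / total
            layout[child] = (depth * ring_spacing, cursor + span / 2)
            place(child, depth + 1, cursor, cursor + span)
            cursor += span

    place(focus, 1, 0.0, 2 * math.pi)
    return layout


def interpolate(old, new, t):
    """Intermediate layout at fraction t in [0, 1] of the transition from old to new.
    Radius and angle are interpolated separately (angle along the shorter arc), so a node
    sweeps along an arc instead of cutting straight across the display."""
    frame = {}
    for node, (r_new, a_new) in new.items():
        r_old, a_old = old.get(node, (r_new, a_new))
        delta = (a_new - a_old + math.pi) % (2 * math.pi) - math.pi  # shortest signed arc
        frame[node] = (r_old + (r_new - r_old) * t, (a_old + delta * t) % (2 * math.pi))
    return frame


def to_cartesian(layout):
    """Convert polar positions to screen coordinates for drawing."""
    return {n: (r * math.cos(a), r * math.sin(a)) for n, (r, a) in layout.items()}


if __name__ == "__main__":
    before = radial_layout(SAMPLE_GRAPH, "a")
    after = radial_layout(SAMPLE_GRAPH, "b")
    for step in range(5):
        frame = to_cartesian(interpolate(before, after, step / 4))
        print(f"t={step / 4:.2f}", {n: (round(x, 2), round(y, 2)) for n, (x, y) in frame.items()})
```

Interpolating in Cartesian coordinates instead would pull nodes through the centre of the display during a re-focus; interpolating radius and angle separately is what makes the animated transition readable.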
Article
Current secure systems suffer because they neglect the importance of human factors in security. We address a fundamental weakness of knowledge-based authentication schemes, which is the human limitation to remember secure passwords. Our approach to improve the security of these systems relies on recognition-based, rather than recall-based authentic...
Article
Although research in security has made tremendous progress over the past few years, most security systems still suffer by failing to account for human factors. People are slow and unreliable at processing long and meaningless strings, yet many security applications depend on this skill. For example, a major problem in user authentication is that pe...
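The Use Your Illusion abstract and the two recognition-based authentication abstracts above share one server-side shape: the user enrols a small portfolio of images and later has to pick those images out of a larger challenge set. The code below is an added example written for this page, not code from the papers or their authors. It assumes the scheme parameters (a 5-image portfolio shown among 20 decoys), a lockout policy, and a decoy-selection rule of this example's own choosing; the image-degradation step of Use Your Illusion is a rendering concern and is not modelled.

```python
"""Recognition-based authentication: portfolio of images, fixed decoys, shuffled challenges."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Constructed image identifiers standing in for the stored pictures (hypothetical names).
IMAGE_POOL = [f"img{i:03d}" for i in range(200)]
PORTFOLIO_SIZE = 5      # images the user must recognise
CHALLENGE_SIZE = 25     # portfolio images plus decoys shown per login
MAX_FAILURES = 5        # lockout threshold; assumed policy, not from the papers


@dataclass
class UserRecord:
    portfolio: frozenset       # the user's secret image set
    decoy_seed: bytes          # per-user secret that fixes the decoy set
    failures: int = 0


class RecognitionAuthenticator:
    def __init__(self, pool):
        self.pool = list(pool)
        self.users = {}

    def enroll(self, username, chosen):
        chosen = frozenset(chosen)
        if len(chosen) != PORTFOLIO_SIZE or not chosen <= set(self.pool):
            raise ValueError(f"portfolio must be {PORTFOLIO_SIZE} distinct pool images")
        self.users[username] = UserRecord(chosen, secrets.token_bytes(32))

    def _decoys(self, rec):
        """Decoys are derived from the per-user seed, so every challenge for this user shows
        the same decoys.  If decoys changed between logins, anyone who watched a few
        challenges could intersect them and recover the portfolio as the images common to
        all of them (a standard mitigation, assumed here rather than taken from the page)."""
        others = [i for i in self.pool if i not in rec.portfolio]
        others.sort(key=lambda i: hmac.new(rec.decoy_seed, i.encode(), hashlib.sha256).digest())
        return others[:CHALLENGE_SIZE - PORTFOLIO_SIZE]

    def challenge(self, username):
        """Images to display for one login attempt, in CSPRNG-shuffled order so that position
        carries no information about which ones belong to the portfolio."""
        rec = self.users[username]
        if rec.failures >= MAX_FAILURES:
            raise PermissionError("account locked after repeated failures")
        images = list(rec.portfolio) + self._decoys(rec)
        secrets.SystemRandom().shuffle(images)
        return images

    def verify(self, username, selected):
        """True only if the selected set equals the portfolio exactly."""
        rec = self.users[username]
        if rec.failures >= MAX_FAILURES:
            return False
        expected = ",".join(sorted(rec.portfolio)).encode()
        got = ",".join(sorted(set(selected))).encode()
        ok = hmac.compare_digest(expected, got)
        rec.failures = 0 if ok else rec.failures + 1
        return ok


def guess_probability(challenge_size=CHALLENGE_SIZE, portfolio_size=PORTFOLIO_SIZE):
    """Chance that one random selection of portfolio_size images from the challenge is right."""
    return 1 / math.comb(challenge_size, portfolio_size)


if __name__ == "__main__":
    auth = RecognitionAuthenticator(IMAGE_POOL)
    auth.enroll("alice", IMAGE_POOL[:PORTFOLIO_SIZE])
    print("challenge:", auth.challenge("alice"))
    print("login ok:", auth.verify("alice", IMAGE_POOL[:PORTFOLIO_SIZE]))
    print("random-guess success probability:", guess_probability())
```

With these parameters a single blind guess succeeds with probability 1/53130, which is why the lockout counter matters far more than for a long password: the space is small enough that online guessing, not offline cracking, is the threat. Note also that `challenge` raises `KeyError` for an unknown username; a deployment that must not reveal which accounts exist would return a seeded dummy challenge instead.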

Citations

... Finally, we have identified abusive behaviours PUP authors employ to distribute their programs through download portals. PUP: Early work on PUP focuses on what constitutes PUP [6][7][8] and its deceptive methods [45][46][47]. Research on PUP has recently revived with a number of papers examining PUP prevalence and its distribution through commercial PPI services. Thomas et al. [48] measured that ad-injectors, a type of PUP that modifies browser sessions to inject advertisements, affect 5% of unique daily IP addresses accessing Google. ...
... An active attacker equipped with an omnidirectional or directional antenna impersonates the legitimate user and sends a fake command (e.g., DoS command or fake data) to the AP. Traditional approaches mainly rely on the complex encryption algorithm, which will lead to computational resources and energy waste [3,5] and are not feasible for simply designed IoT devices. Alternatively, fine-grained physical-layer signatures, such as angle of arrival (AoA) [27], channel state information (CSI) [7] and received signal strength (RSS) [1,2] have recently received much attention for mitigating these threats. ...
... Despite this recognition, there is little or no attempt to integrate those two factors into a single design method. Some guidelines, recommendations, and best practices exist [3,10,13,28], but their effective integration remains the designer's responsibility. ...
... or insecurely) or to someone trusted (resp. or untrusted). Schechter et al. (2007) evaluated different connection security indicators and warnings, finding that participants failed to recognize the absence of an HTTPS indicator. Even when a warning page was displayed, suggesting that it may be unwise to visit an untrusted website whose certificate is invalid or expired, potentially suggesting that the website is not what it claims to be or that its identity was certified a long time ago and might have changed, many participants still took the risky action of visiting the website. ...
... In those periods, many attackers can also strike and cause harm. For example, when the players will go through the front door to the building, the attacker might ask them to hold the door for them, so he does not need to look for his RFID card to open them. Another test might be a problem when the players have to destroy some important documents. ...
... Similarly, SpoofGuard is another browser plugin that examines webpages and warns users when webpages have a high probability of being spoofs, based on their URL, images, and links. However, SpoofGuard checks can be evaded by simple modifications to spoof pages [5]. ...
... Eiji Hayashi et al. designed a novel secure mechanism for user authentication that can be used with any screen size [19]. In the proposed model the user chooses a set of images as a graphical password. ...
... One of the earliest studies carried out was Dhamija et al. (2005). The authors identified inadequate knowledge of computer systems, inadequate knowledge of computer security, and computer security indicators as reasons why people fell victim. ...
... Privacy policies are commonly lengthy and have a difficult-to-understand language [20,21], and this complex and wordy format leads to users ignoring such information [53] in order to contain digital production objectives [55,56,68]. Users often think of the privacy policy as a nuisance or an obstacle to their way of accessing a specific service and do not see any uses or benefits in reading them [29,55]. With the increase of emphasis on the data protection coming from the regulators, these texts are only getting longer [4]. ...
... The approach we present in this paper focuses on two explanations. The first explanation is a dynamic analysis of the evolving situation, primarily based on the tree aspect, and works with a radial tree representation (Yee et al., 2001). The second explanation is a static analysis that tries to identify the relevant situation elements using the Lime (Local Interpretable Model Agnostic Explanations) approach (Christoforos Anagnostopoulos, 2020). ...