Skip to main content
SpringerLink
Log in

Phoolproof Phishing Prevention

  • Conference paper
Financial Cryptography and Data Security (FC 2006)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4107))

Included in the following conference series:

Abstract

Phishing, or web spoofing, is a growing problem: the Anti-Phishing Working Group (APWG) received almost 14,000 unique phishing reports in August 2005, a 56% jump over the number of reports in December 2004 [3]. For financial institutions, phishing is a particularly insidious problem, since trust forms the foundation for customer relationships, and phishing attacks undermine confidence in an institution.

Phishing attacks succeed by exploiting a user’s inability to distinguish legitimate sites from spoofed sites. Most prior research focuses on assisting the user in making this distinction; however, users must make the right security decision every time. Unfortunately, humans are ill-suited for performing the security checks necessary for secure site identification, and a single mistake may result in a total compromise of the user’s online account. Fundamentally, users should be authenticated using information that they cannot readily reveal to malicious parties. Placing less reliance on the user during the authentication process will enhance security and eliminate many forms of fraud.

We propose using a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts Man-in-the-Middle attacks after setup, and protects a user’s account even in the presence of keyloggers and most forms of spyware.We demonstrate the practicality of our system with a prototype implementation.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Verified by VISA, http://usa.visa.com/personal/security/vbv/how_it_works

  2. Adams, A., Sasse, M.A.: Users are not the enemy. Communications of the ACM 42(12), 40–46 (1999)

    Article  Google Scholar 

  3. Anti-Phishing Working Group. Phishing activity trends report. http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf

  4. Bluetooth SIG. Bluetooth Technology Benefits, http://www.bluetooth.com/Bluetooth/Learn/Benefits/

  5. Chou, N., et al.: Client-side defense against web-based identity theft. In: NDSS (February 2004)

    Google Scholar 

  6. CitiBank. Virtual account numbers, http://www.citibank.com/us/cards/tour/cb/shp_van.htm

  7. Clayton, R.: Who’d phish from the summit of kilimanjaro? In: Clayton, R. (ed.) Financial Cryptography, pp. 91–92 (2005)

    Google Scholar 

  8. Core Street. Spoofstick, http://www.corestreet.com/spoofstick/

  9. Dhamija, R., Tygar, J.D.: The battle against phishing: Dynamic security skins. In: ACM Symposium on Usable Security and Privacy SOUPS 2005) (July 2005)

    Google Scholar 

  10. Dhamija, R., Tygar, J.D.: Phish and HIPs: Human interactive proofs to detect phishing attacks. In: Human Interactive Proofs: Second International Workshop (HIP 2005) (2005)

    Google Scholar 

  11. Dierks, T., Allen, C.: The TLS protocol version 1.0. Internet Request for Comment RFC 2246, Internet Engineering Task Force, Proposed Standard (January 1999)

    Google Scholar 

  12. eBay: eBay toolbar, http://pages.ebay.com/ebay_toolbar

  13. FDIC. Authentication in an internet banking environment. Technical Report FIL-103-2005, Federal Deposit Insurance Corporation (October 2005)

    Google Scholar 

  14. Freier, A., Kariton, P., Kocher, P.: The SSL protocol: Version 3.0. Internet draft, Netscape Communications (1996)

    Google Scholar 

  15. Genkina, A., Friedman, A., Camp, J.: Net trust. In: Trustworthy Interfaces for Passwords and Personal Information (TIPPI) Workshop (June 2005)

    Google Scholar 

  16. Goth, G.: Phishing attacks rising, but dollar losses down. IEEE Security and Privacy 3(1), 8 (2005)

    Article  Google Scholar 

  17. Haller, N.: The S/Key one-time password system. In: Proceedings of the Symposium on Network and Distributed Systems Security, February 1994, pp. 151–157 (1994)

    Google Scholar 

  18. Herzberg, A., Gbara, A.: Trustbar: Protecting (even naive) web users from spoofing and phishing attacks. Cryptology ePrint Archive, Report 2004/155 (2004)

    Google Scholar 

  19. Jakobsson, M.: Modeling and preventing phishing attacks. In: Financial Cryptography (2005)

    Google Scholar 

  20. Jakobsson, M., Young, A.: Distributed phishing attacks. In: Workshop on Resilient Financial Information Systems (March 2005)

    Google Scholar 

  21. Johanson, E.: The state of homograph attacks (February 2005), http://www.shmoo.com/idn/homograph.txt

  22. Leyden, J.: Fax-back phishing scam targets paypal, http://www.channelregister.co.uk/2005/08/11/fax-back_phishing_scam/

  23. Leyden, J.: Spear phishers launch targeted attacks, http://www.theregister.co.uk/2005/08/02/ibm_malware_report/

  24. MacKenzie, P., Reiter, M.K.: Networked cryptographic devices resilient to capture. International Journal of Information Security 2(1), 1–20 (2003)

    Article  Google Scholar 

  25. McCune, J.M., Perrig, A., Reiter, M.K.: Seeing is believing: Using camera phones for human-verifiable authentication. In: IEEE Symposium on Security and Privacy (May 2005)

    Google Scholar 

  26. Microsoft. Erroneous VeriSign-issued digital certificates pose spoofing hazard (2001), http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx

  27. Modadugu, N., Boneh, D., Kim, M.: Generating RSA keys on a handheld using an untrusted server. In: RSA Conference 2000 (January 2000)

    Google Scholar 

  28. Myers, S.: Delayed password disclosure. In: Trustworthy Interfaces for Passwords and Personal Information (TIPPI) Workshop (June 2005)

    Google Scholar 

  29. Out-law.com. Phishing attack targets one-time passwords, http://www.theregister.co.uk/2005/10/12/outlaw_phishing/

  30. Passmark Security. Protecting your customers from phishing attacks: an introduction to passmarks (2005), http://www.passmarksecurity.com/

  31. Roberts, P.F.: Spear phishing attack targets credit unions (December 2005), http://www.eweek.com/article2/0,1895,1902896,00.asp

  32. Rohs, M., Gfeller, B.: Using camera-equipped mobile phones for interacting with real-world objects. In: Proceedings of Advances in Pervasive Computing

    Google Scholar 

  33. Ross, B., et al.: Stronger password authentication using browser extensions. In: 14th USENIX Security Symposium (August 2005)

    Google Scholar 

  34. Security, R.S.A.: Protecting against phishing by implementing strong two-factor authentication (2004), https://www.rsasecurity.com/products/securid/whitepapers/PHISH_WP_0904.pdf

  35. Seshadri, A., et al.: Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In: Proceedings of ACM Symposium on Operating Systems Principles (SOSP), October 2005, pp. 1–16 (2005)

    Google Scholar 

  36. Sophos. Do-it-yourself phishing kits found on the internet, reveals sophos, http://www.sophos.com/spaminfo/articles/diyphishing.html

  37. Standish, D.: Telephonic youth, http://www.techcentralstation.com/090903C.html

  38. The Legion of the Bouncy Castle. Bouncy Castle crypto APIs, http://www.bouncycastle.org

  39. Waterken Inc. Petname tool (2005), https://www.rsasecurity.com/products/securid/whitepapers/PHISH_WP_0904.pdf

  40. Wikipedia. Phishing, http://en.wikipedia.org/wiki/Phishing

  41. Wu, M., Garfinkel, S., Miller, R.: Users are not dependable - how to make security indicators to better protect them. In: Talk presented at the Workshop for Trustworthy Interfaces for Passwords and Personal Information (June 2005)

    Google Scholar 

  42. Yan, J., et al.: Password memorability and security: Empirical results. IEEE Security and Privacy 2(5), 25–31 (2004)

    Article  Google Scholar 

  43. Ye, E., Smith, S.: Trusted paths for browsers. In: Proceedings of the 11th USENIX Security Symposium (August 2002)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Carnegie Mellon University,  

    Bryan Parno, Cynthia Kuo & Adrian Perrig

Authors
  1. Bryan Parno
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Cynthia Kuo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Adrian Perrig
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Telcordia Technologies, Piscataway, NJ, USA

    Giovanni Di Crescenzo

  2. Johns Hopkins University (JHUISI), 3100 Wyman Park Drive, 21211, Baltimor, MD, USA

    Avi Rubin

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Parno, B., Kuo, C., Perrig, A. (2006). Phoolproof Phishing Prevention. In: Di Crescenzo, G., Rubin, A. (eds) Financial Cryptography and Data Security. FC 2006. Lecture Notes in Computer Science, vol 4107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11889663_1

Download citation

  • DOI: https://doi.org/10.1007/11889663_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-46255-2

  • Online ISBN: 978-3-540-46256-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation