Defeating Active Phishing Attacks for Web-Based Transactions

To date, the best defense against phishing has been two-factor authentication. Yet that protection is short-lived and comparatively weak: a one-time code stops a phisher who harvests credentials for later use, but not one who relays them to the real site while they are still valid. The absence of a fool-proof solution against man-in-the-middle, or active phishing, attacks has led an avalanche of security practitioners to paint bleak scenarios in which active phishing cripples the growth of Web-based transactional systems. Even with vigilant users and prudent applications, no solution so far has addressed these attacks comprehensively. In this article we propose the two-factor interlock authentication protocol (TIAP), an adaptation of the interlock protocol combined with two-factor authentication, which defends successfully against active phishing attacks. We further scrutinize TIAP by simulating a series of attacks against the protocol and showing how each attack is defeated.
