pwdIP-Hash-NCA10 - PwdIP-Hash A Lightweight Solution to...

PwdIP-Hash: A Lightweight Solution to Phishing and Pharming Attacks

Baber Aslam, Lei Wu and Cliff C. Zou
University of Central Florida, Orlando, FL, USA

Abstract— We present a novel lightweight password-based solution that safeguards users from Phishing and Pharming attacks. The proposed authentication relies on a hashed password, which is the hash value of the user-typed password and the authentication server’s IP address. The solution rests on the fact that the server connected by a client using a TCP connection cannot lie about its IP address. If a user is unknowingly directed to a malicious server (by a Phishing or a Pharming attack), the password obtained by the malicious server will be the hashed password (tied to the malicious server’s IP address) and will not be usable by the attacker at the real server, thus defeating the Phishing/Pharming attack. The proposed solution does not increase the number of exchanged authentication messages, nor does it need hardware tokens as required by some previously proposed solutions. The solution is also safe against denial-of-service attacks since no state is maintained on the server side during the authentication process. We have prototyped our design both as a web browser’s plug-in and as a standalone application. A comprehensive user study was conducted. The results show that around 95% of users think the proposed solution is easy to use and manage. Further, around 79% of users have shown willingness to use the application to protect their passwords.

Keywords: design; web security; usability; Phishing; Pharming; password authentication

I. INTRODUCTION

Today, every user has multiple online accounts (such as email, social networking, online banking, remote working, etc.) to serve her different needs. All these accounts contain some personal sensitive information which, if stolen, can be used by attackers for monetary or other purposes. Every year millions of dollars are lost due to Internet-related crimes (or identity thefts) [1].
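The hashed-password construction described in the abstract, as an added example that is not the authors' code. This excerpt does not give their exact hash input format, so the SHA-256 construction over the normalized server IP and the typed password, the RFC 5737 example addresses, and the user names below are assumptions. The server stores only the IP-bound hash and keeps no per-session state, matching the abstract's claim; a hash captured by a server at a different address fails verification at the real one.

```python
import hashlib
import hmac
import ipaddress


def pwdip_hash(password: str, server_ip: str) -> str:
    """Assumed construction: SHA-256 over 'normalized_ip|password'.

    The paper excerpt does not specify the exact input format; this is a
    hypothetical but faithful instance of H(password, server IP).
    """
    ip = ipaddress.ip_address(server_ip)  # validates and normalizes the address
    data = f"{ip}|{password}".encode("utf-8")
    return hashlib.sha256(data).hexdigest()


class AuthServer:
    """Server that stores only hashed passwords bound to its own IP address.

    No per-session state is kept during authentication: verification is a
    single lookup plus a constant-time comparison.
    """

    def __init__(self, ip: str):
        self.ip = str(ipaddress.ip_address(ip))
        self._users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        # Enrollment: store H(password, own IP); the raw password is never kept.
        self._users[username] = pwdip_hash(password, self.ip)

    def verify(self, username: str, submitted_hash: str) -> bool:
        expected = self._users.get(username)
        if expected is None:
            return False
        # Constant-time comparison avoids leaking the stored hash via timing.
        return hmac.compare_digest(expected, submitted_hash)


def client_login(password: str, connected_ip: str) -> str:
    """What the client sends: the password hashed with the peer it reached.

    In a live client `connected_ip` comes from the TCP socket
    (socket.getpeername()), which the peer cannot forge; here it is passed in
    so the function runs offline.
    """
    return pwdip_hash(password, connected_ip)


def demo() -> tuple[bool, bool]:
    """Legitimate login succeeds; a hash captured by a look-alike server does not."""
    real = AuthServer("198.51.100.10")          # constructed address (RFC 5737)
    real.register("alice", "correct horse")

    # Normal case: the client really connected to the authentication server.
    legit_ok = real.verify("alice", client_login("correct horse", real.ip))

    # Phishing/pharming case: the client was steered to a malicious server at
    # another address. The attacker learns only this IP-bound hash.
    captured = client_login("correct horse", "203.0.113.7")  # constructed address
    replay_ok = real.verify("alice", captured)

    return legit_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The example assumes the address the client sees is the address the server binds its hashes to; a deployment behind NAT or a load balancer would have to register hashes under the externally visible IP for the scheme to work as the abstract describes.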
Among various identity theft attacks, the major threats are Phishing and Pharming. Both Phishing and Pharming aim at stealing a user’s sensitive information by directing her to a malicious but seemingly legitimate website. Phishing starts with a spam (but seemingly legitimate) email; it uses social engineering to obtain a user’s sensitive information, either using forms within the email or by luring the user to a malicious (but seemingly legitimate) website via a link within the email. Pharming, on the other hand, uses Internet (DNS servers, DNS resolvers, web servers, etc.) vulnerabilities to direct a user to a malicious website. Pharming is more dangerous since a user may be unknowingly taken to a malicious website even if she types the correct web address. SSL/TLS is mostly being used to provide authentication