
SECURITY AGAINST DECEPTIVE PHISHING

Introduction

Online presence of financial and business institutions
Theft of confidential information leading to direct or indirect loss to the user
Increase in the rate of thefts by hacking, phishing, spyware, etc.

PHISHING

Tricks the unsuspecting users
Makes them reveal confidential information
The phisher impersonates the user for his advantage

Types of Phishing
Deceptive Phishing
The most common vector is email
Phisher sends deceptive email in bulk that demands that the recipient click on a link
The web site to which the user is directed collects the users' confidential information

Figure: illustration of deceptive phishing (the phisher's email carries a link to the phishing site, whose Username and Password form feeds the phisher's database)

Types of Phishing(contd.)
Malware attacks
Key Loggers
Session Hijackers
Web Trojans
Data Theft
DNS-based attacks or Pharming

Password Phishing Problem

Users cannot reliably identify fake sites
Captured password can be used at target site
Major problem to financial institutions' online presence

Password Phishing Problem

Figure: password phishing problem (the user enters pwdA, the password for Bank A, at the fake site, which can then use pwdA at Bank A)

Common Password Problem

Figure: common password problem (pwdA for Bank A equals pwdB for Site B, so a password captured at one site works at the other)
Users have the same password for many sites

CASE STUDY

Source: Federal Trade Commission USA, March 22, 2004
Committed by Zachary Hill of Houston
Hill sent out official-looking e-mail notices warning America Online and PayPal users to update their account to avoid cancellation.
At the fake site he collected sensitive information like SSN, bank account numbers, etc.
He duped 400 users out of at least $75,000

Password Hashing

Conventional login: transmit the clear text password
Password hashing: uses hashed password and domain
Generates unique password for each site

Figure: flow of the password in the network using password hashing (the clear text password pwd and the domain dom enter PWDHASH; only the hashed password crosses the NETWORK to the SERVER)

Implementing PwdHash
Two stage encryption process
First stage based on clear text password
Second stage involves the domain name
PwdHash(E(pwd), dom) -> Domain Specific Password

Structure of PwdHash

Characteristics

PwdHash(pwd, dom)
pwd <= clear text password
dom <= domain or site
PwdHash(pwd, dom1) different from PwdHash(pwd, dom2)

Figure: common password example revisited with PwdHash (pwdA for Bank A and pwdB for Site B are no longer equal)
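The two characteristics above, as an added example (not the PwdHash project's own code): a keyed hash of the user's clear text password with the site domain as the message, so the same password yields a different value per domain and a value captured at a look-alike domain does not match what the real site expects. HMAC-SHA256 with base64 output and the example domains are assumptions of this example, not the original construction.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the host name used as the 'dom' input.
    Assumption: the full host is used; the real extension applies its own
    registered-domain rules, which are not reproduced here."""
    return (urlsplit(url).hostname or "").lower()


def pwdhash(pwd: str, dom: str, length: int = 16) -> str:
    """Domain-specific password PwdHash(pwd, dom).
    The clear text password keys an HMAC over the domain, so changing either
    input changes the output; HMAC-SHA256 + base64 is chosen for this example."""
    digest = hmac.new(pwd.encode("utf-8"), dom.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def capture_matches_target(captured: str, pwd: str, target_dom: str) -> bool:
    """Does the value a fake site received equal the value the target site expects?
    The fake site only ever sees PwdHash(pwd, its_own_domain)."""
    return hmac.compare_digest(captured, pwdhash(pwd, target_dom))


if __name__ == "__main__":
    pwd = "hunter2"  # constructed: the user's common clear text password
    bank_a = site_domain("https://www.bank-a.example/login")
    site_b = site_domain("https://site-b.example/")
    fake = site_domain("https://www.bank-a.example.evil/login")  # constructed look-alike

    print("Bank A :", pwdhash(pwd, bank_a))
    print("Site B :", pwdhash(pwd, site_b))
    print("Fake   :", pwdhash(pwd, fake))
    # The phisher captured PwdHash(pwd, fake); it is useless at Bank A.
    print("captured value usable at Bank A:", capture_matches_target(pwdhash(pwd, fake), pwd, bank_a))
```

A weak common password still matters: whoever holds a captured domain-specific value can try to brute-force pwd offline, which is why the conclusion pairs PwdHash with strong passwords.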

Conclusion

We can counter the phishing problem and tackle the common password problem
We will be able to generate strong passwords to make cracking of passwords difficult
Generate different passwords for different domains even when the user password is common
