Problems caused by Phishing and Pharming. Phishing and pharming, leading causes of identity theft, cause losses of millions of dollars each year. Many solutions have been proposed to guard against these attacks. Among them, password-based solutions may require additional hardware and remain vulnerable to man-in-the-middle attacks; multi-round challenge/response solutions are mostly complicated and may also be susceptible to denial-of-service attacks; and detection-based solutions are ineffective when users dismiss the warnings they generate.
A Novel Lightweight Solution. We present a novel lightweight
password-based solution that safeguards users from phishing and
pharming attacks. The proposed authentication relies on a hashed
password: the hash of the user-typed password together with the
authentication server's IP address. If a user is unknowingly directed
to a malicious server by a phishing or pharming attack, the password
obtained by the malicious server is bound to the malicious server's IP
address and is not usable by the attacker at the real server; hence the
phishing/pharming attack is defeated. The proposed solution neither
increases the number of authentication messages exchanged nor requires
additional hardware tokens. The solution is also safe against
denial-of-service attacks, since the server maintains no state during
the authentication process. The solution is not affected if a server
has multiple IP addresses and performs load balancing, as long as each
authentication exchange is carried out with one single IP address. We
have prototyped our design both as a web browser plug-in and as a
standalone application. A comprehensive user study was conducted, and
the results show that the design is easy to use and that users are
willing to use the application to protect their passwords.
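The following is an added example, written for this page and not the project's own code, showing the mechanism described above: the client derives the credential from the typed password and the IP address it is actually connected to, the real server keeps only a per-user verifier and no per-session state, and a credential captured by a server at a different IP fails at the real one. The page does not specify the hash construction, so HMAC-SHA256 keyed with the normalised IP is an assumption, as are the user names, passwords and IP addresses (all constructed, from the documentation ranges). The last case also shows why the exchange must complete with one IP: a credential derived for a second address of the same server does not verify either.

```python
"""Added example (not the project's code): an IP-bound hashed password.

Assumption: the client sends HMAC-SHA256(key=server IP, msg=password).
The page does not state the exact construction used by the prototype.
"""
import hashlib
import hmac
import ipaddress


def ip_bound_password(password: str, server_ip: str) -> str:
    """Credential the client actually transmits.

    The IP is normalised first so that textual variants of the same address
    (relevant mainly for IPv6, e.g. '2001:0db8::0001' vs '2001:db8::1')
    derive the same value.
    """
    ip = str(ipaddress.ip_address(server_ip))
    return hmac.new(ip.encode(), password.encode(), hashlib.sha256).hexdigest()


def client_login(password: str, connected_ip: str) -> str:
    """What the browser plug-in does: hash with the address it is talking to,
    whether that is the real server or a phishing/pharming site."""
    return ip_bound_password(password, connected_ip)


class StatelessServer:
    """Real server. Stores one verifier per user, computed for the single IP
    on which it authenticates. It keeps no per-session state, so an abandoned
    or flooded login attempt costs it nothing beyond the comparison below."""

    def __init__(self, auth_ip: str) -> None:
        self.auth_ip = str(ipaddress.ip_address(auth_ip))
        self.verifiers: dict[str, str] = {}

    def enroll(self, user: str, password: str) -> None:
        # At enrollment the client derives the credential for the real IP.
        self.verifiers[user] = ip_bound_password(password, self.auth_ip)

    def login(self, user: str, submitted: str) -> bool:
        expected = self.verifiers.get(user)
        if expected is None:
            return False
        # Constant-time comparison; no session state is created or kept.
        return hmac.compare_digest(expected, submitted)


def simulate() -> dict[str, bool]:
    """Run the honest, phished and wrong-IP cases against one server."""
    real_ip = "192.0.2.10"      # constructed: the server's authentication IP
    second_ip = "192.0.2.11"    # constructed: another IP of the same server
    phish_ip = "198.51.100.77"  # constructed: the attacker's server
    password = "correct horse"  # constructed

    server = StatelessServer(real_ip)
    server.enroll("alice", password)

    # Honest case: the user reaches the real server at its authentication IP.
    honest = server.login("alice", client_login(password, real_ip))

    # Phishing/pharming: the user is redirected and the plug-in hashes the
    # password with the attacker's IP. The attacker captures this value...
    captured = client_login(password, phish_ip)
    # ...and replays it at the real server, where it does not verify.
    replayed = server.login("alice", captured)

    # Load balancing: a credential derived for a different address of the
    # same server also fails, which is why one exchange must stay on one IP.
    other_ip = server.login("alice", client_login(password, second_ip))

    return {"honest": honest, "replayed": replayed, "other_ip": other_ip}


if __name__ == "__main__":
    print(simulate())
```

The captured value is a hash bound to the attacker's address, so replaying it, or trying it at another address of the same server, yields nothing. Note that the scheme only protects the password: an attacker who obtains the hashed value can still try offline guessing against it, so password strength still matters.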
Here is the technical paper
describing this research.
Please note: These prototypes are intended for demonstration purposes only. They may have security vulnerabilities and programming bugs. The browser plug-in prototype is built on the PwdHash model developed by Ross et al. We reused their basic key-hook framework (so the usage is the same) and replaced some functions according to our own needs. For usage details, please see the User Manual.