How to Make Personalized Web Browising Simple, Secure, and Anonymous
FC '97 Proceedings of the First International Conference on Financial Cryptography
Secure Applications of Low-Entropy Keys
ISW '97 Proceedings of the First International Workshop on Information Security
A convenient method for securely managing passwords
WWW '05 Proceedings of the 14th international conference on World Wide Web
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Do security toolbars actually prevent phishing attacks?
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Passpet: convenient password management and phishing protection
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Web wallet: preventing phishing attacks by revealing user intentions
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Stronger password authentication using browser extensions
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
The Emperor's New Security Indicators
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Password rescue: a new approach to phishing prevention
HOTSEC'06 Proceedings of the 1st USENIX Workshop on Hot Topics in Security
Countering identity theft through digital uniqueness, location cross-checking, and funneling
FC'05 Proceedings of the 9th international conference on Financial Cryptography and Data Security
Temporal correlations between spam and phishing websites
LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
| Hi-index | 0.00 |
We propose a scheme that exploits scale to prevent phishing. We show that while stopping phishers from obtaining passwords is very hard, detecting the fact that a password has been entered at an unfamiliar site is simple. Our solution involves a client that reports Password Re-Use (PRU) events at unfamiliar sites, and a server that accumulates these reports and detects an attack. We show that it is simple to then mitigate the damage by communicating the identities of phished accounts to the institution under attack. Thus, we make no attempt to prevent information leakage, but we try to detect and then rescue users from the consequences of bad trust decisions. The scheme requires deployment on a large scale to realize the major benefits: reliable low latency detection of attacks, and mitigation of compromised accounts. We harness scale against the attacker instead of trying to solve the problem at each client. In [13] we sketched the idea, but questions relating to false positives and the scale required for efficacy remained unanswered. We present results from a trial deployment of half a million clients. We explain the scheme in detail, analyze its performance, and examine a number of anticipated attacks.