A convenient method for securely managing passwords
WWW '05 Proceedings of the 14th international conference on World Wide Web
The battle against phishing: Dynamic Security Skins
SOUPS '05 Proceedings of the 2005 symposium on Usable privacy and security
Passpet: convenient password management and phishing protection
SOUPS '06 Proceedings of the second symposium on Usable privacy and security
Stronger password authentication using browser extensions
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Phoolproof phishing prevention
FC'06 Proceedings of the 10th international conference on Financial Cryptography and Data Security
Augmenting Internet-Based Card Not Present Transactions with Trusted Computing (Extended Abstract)
Financial Cryptography and Data Security
A Demonstrative Ad Hoc Attestation System
ISC '08 Proceedings of the 11th international conference on Information Security
ISPEC '09 Proceedings of the 5th International Conference on Information Security Practice and Experience
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
F3ildCrypt: End-to-End Protection of Sensitive Information in Web Services
ISC '09 Proceedings of the 12th International Conference on Information Security
TruWallet: trustworthy and migratable wallet-based web authentication
Proceedings of the 2009 ACM workshop on Scalable trusted computing
Tunneled TLS for multi-factor authentication
Proceedings of the 11th annual ACM workshop on Digital rights management
Trusted computing enhanced user authentication with OpenID and trustworthy user interface
International Journal of Internet Technology and Secured Transactions
TruWalletM: secure web authentication on mobile platforms
INTRUST'10 Proceedings of the Second international conference on Trusted Systems
hPIN/hTAN: a lightweight and low-cost e-banking solution against untrusted computers
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
SessionJuggler: secure web login from an untrusted terminal using session hijacking
Proceedings of the 21st international conference on World Wide Web
SMARTPROXY: secure smartphone-assisted login on compromised machines
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
| Hi-index | 0.00 |
Current phishing attacks focus primarily on stealing user credentials such as passwords. In response, web sites are deploying stronger authentication and back-end analytics systems that make it harder for phishers to extract value from stolen passwords. As defenses against traditional phishing improve, we expect to see huge growth in the use of a different type of malware called a Transaction Generator (TG). Instead of relying on stolen credentials, a TG simply waits for the user to log in to his account and then issues transactions on behalf of the user. Since strong authentication is ineffective against TGs, mitigation must focus on transaction integrity. We discuss rootkit-like methods that allow TGs to hide their tracks, and explore a number of mitigation techniques, including transaction confirmation. These results suggest that recent identity systems such as CardSpace and OpenID must also address transaction integrity.