Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instructions in the messages are directed to well-crafted spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users' account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the Anti-Phishing Working Group (APWG) show that, at the end of Q2 2008, the number of malicious web pages designed to steal users' passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naive way to prevent the theft of passwords is to avoid using passwords at all. This raises the following question: is it possible to authenticate a user without a preset password? In this paper, we propose a practical authentication service that eliminates the need for preset user passwords during the authentication process. Because it leverages an existing communication infrastructure on the Internet, namely the instant messaging service, the proposed scheme only needs to be deployed on the server side. We also show that the proposed solution can be seamlessly integrated with the OpenID service, so that websites supporting OpenID benefit directly from it. The proposed solution can be deployed incrementally, and it does not require client-side scripts, plug-ins, or external devices. We believe that the number of phishing attacks could be reduced substantially if users were not required to provide their own passwords when accessing web pages.