Automated online password guessing attacks are facilitated by the fact that most user authentication techniques provide a yes/no answer as the result of an authentication attempt. These attacks are somewhat restricted by Automated Turing Tests (ATTs, e.g., captcha challenges) that attempt to mandate human assistance. ATTs are not very difficult for legitimate users, but always pose an inconvenience. Several current ATT implementations are also found to be vulnerable to improved image processing algorithms. ATTs can be made more complex for automated software, but that is limited by the trade-off between user-friendliness and effectiveness of ATTs. As attackers gain control of large-scale botnets, relay the challenge to legitimate users at compromised websites, or even have ready access to cheap, sweat-shop human solvers for defeating ATTs, online guessing attacks are becoming a greater security risk. Using deception techniques (as in honeypots), we propose the user-verifiable authentication scheme (Uvauth) that tolerates, instead of detecting or counteracting, guessing attacks. Uvauth provides access to all authentication attempts; the correct password enables access to a legitimate session with valid user data, and all incorrect passwords lead to fake sessions. Legitimate users are expected to learn the authentication outcome implicitly from the presented user data, and are relieved from answering ATTs; the authentication result never leaves the server and thus remains (directly) inaccessible to attackers. In addition, we suggest using adapted distorted images and pre-registered images/text as a complement to convey an authentication response, especially for accounts that do not host much personal data.
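As an added illustration of the scheme described above (example code written for this page, not the authors' implementation), the login handler below never answers yes/no: every attempt yields a session token of the same shape, and the server-side password check only decides whether that token is bound to the real account data or to a decoy. The in-memory store, the PBKDF2 parameters, the per-account decoy key and the "registered phrase" field (standing in for the pre-registered text the abstract mentions) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example (hypothetical; a deployment would
# use a credential database and a dedicated password-hashing library).
_USERS = {}
_SESSIONS = {}
_UNKNOWN_ACCOUNT_KEY = os.urandom(32)  # derives decoys for usernames that do not exist


def register(username, password, user_data):
    """Store a salted password hash plus the data a legitimate session shows."""
    salt = os.urandom(16)
    _USERS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "data": user_data,            # legitimate session content
        "decoy_key": os.urandom(32),  # per-account secret used to derive fake sessions
    }


def _decoy_data(decoy_key, username, password):
    """Deterministic fake session content for one (account, wrong password) pair.

    Deriving the decoy from the attempt keeps repeated guesses self-consistent,
    so logging in twice with the same wrong password and comparing the two
    sessions reveals nothing. The field set matches the real data exactly.
    """
    tag = hmac.new(decoy_key, f"{username}\x00{password}".encode(), "sha256").digest()
    return {
        "display_name": username.capitalize(),
        "balance": int.from_bytes(tag[:4], "big") % 5000,
        "inbox": [f"Message {i + 1}" for i in range(tag[4] % 3 + 1)],
        # Stands in for the pre-registered text; only the real account shows the user's own phrase.
        "registered_phrase": "phrase-" + tag[5:9].hex(),
    }


def login(username, password):
    """Uvauth-style login: every attempt returns a session token.

    The outcome of the password check stays on the server (inside _SESSIONS);
    it only selects which data the new session is bound to.
    """
    user = _USERS.get(username)
    if user is not None:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
        is_real = hmac.compare_digest(candidate, user["hash"])
        data = user["data"] if is_real else _decoy_data(user["decoy_key"], username, password)
    else:
        # Unknown accounts get a decoy too, so the response does not leak account existence.
        is_real = False
        data = _decoy_data(_UNKNOWN_ACCOUNT_KEY, username, password)
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"username": username, "real": is_real, "data": data}
    return token


def session_data(token):
    """What the client is shown after login; the 'real' flag is deliberately withheld."""
    return _SESSIONS[token]["data"]


if __name__ == "__main__":
    register("alice", "correct horse", {
        "display_name": "Alice", "balance": 42,
        "inbox": ["Welcome back"], "registered_phrase": "blue teapot",
    })
    for attempt in ("correct horse", "wrong guess", "wrong guess"):
        print(attempt, "->", session_data(login("alice", attempt)))
```

The legitimate user recognises the genuine session from the data they know (here the phrase "blue teapot"); an automated guesser receives a plausible, internally consistent session for every attempt and has to inspect each one in depth to tell them apart, which is exactly the cost the scheme shifts onto the attacker.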