Evaluating a trial deployment of password re-use for phishing prevention
Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit
Itrustpage: a user-assisted anti-phishing tool
Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems 2008
BogusBiter: A transparent protection against phishing attacks
ACM Transactions on Internet Technology (TOIT)
Secret information display based authentication technique towards preventing phishing attacks
Proceedings of the International Conference on Advances in Computing, Communications and Informatics
Preventing the revealing of online passwords to inappropriate websites with logininspector
lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques
Hi-index | 0.00 |
A phishing attack exploits both the enormous scale of the web and the fact that users are often enormously confused about what they can trust. Scale allows the phisher to get many responses to his attack, even though the probability of any given user responding is low (it costs the phisher no more to send a million emails than to send one). The enormous confusion about trust allows the phisher make a copy of a bank web-site look as trustworthy to the victim as the original. Previous approaches to this problem have tried to solve the problem by preventing useful information leaking to the phisher; for example by alerting the user to suspicious or low reputation sites. Generally this is done at the client (typically in a browser plugin or add-on). We propose a scheme that in several respects is a radical departure from previous approaches. First, we make no attempt to prevent information leakage. Rather, we try to detect and then rescue users from the consequences of bad trust decisions. Second, we harness scale against the attacker instead of trying to solve the problem at each client. Thus our scheme increases in efficacy with the scale of deployment: it offers very little protection if a small fraction of users participate, but makes phishing almost impossible as the deployment increases. Finally, we make clear that small trials of our system would prove little. The scale requirements of Password Rescue make it suitable for large deployment or not at all. HotSec seems like the best forum for such ideas.