Security Against Deceptive Phishing
Submitted by
D.Nikhitha
11UC15802
Department of Computer Science and Engineering, Talla Padmavathi College of Engineering, Warangal (A.P.)
ABSTRACT
Phishing is online identity theft in which confidential information is obtained from an individual. Phishing for passwords is worthwhile only if the password sent to the phishing server is also useful at a legitimate site. One way to prevent phishers from collecting useful passwords is to encode user passwords according to where they are used, and transmit only an encoded password to a web site. An implementation of this idea is called password hashing. In password hashing, password information is hashed together with the domain name to which it is going before it is transmitted, so that the actual transmitted passwords can be used only at the domain receiving the password data.
As financial institutions have increased their online presence, the economic value of compromising account information has increased dramatically. Phishers target many kinds of confidential information, including user names and passwords, social security numbers, credit card numbers, bank account numbers, and personal information. The US Secret Service and the San Francisco Electronic Crimes Task Force report that approximately 30 attack sites are detected each day. Each attack site may be used to defraud hundreds or thousands of victims, and it is likely that many attack sites are never detected. A typical phishing attack begins with bulk email to a group of unsuspecting victims. Victims of the phishing attack then follow a link in the email message to connect to a spoofed site. Once a victim enters his or her user name and password on the spoof site, the criminal then has the means to impersonate the victim.
1.1 TYPES OF PHISHING
Phishing includes many different types of attacks, mainly: Deceptive attacks, in which users are tricked by fraudulent messages into giving out information; Malware attacks, in which malicious software causes data compromises; and DNS-based attacks, in which the lookup of host names is altered to send users to a fraudulent server.
Data Theft: Once malicious code is running on a user's computer, it can directly steal confidential information stored on that computer, including passwords.
1.1.2 Password Phishing
Here's a problem that you may be familiar with. A user arrives at an official-looking web site, perhaps after clicking a link in a fraudulent email or mistyping a web address. The user thinks that they're at a bank site, but actually they're giving their password to a fake site controlled by a malicious criminal. Once the user gives away their password, the attacker can log in to the real bank with the user's account. These identity theft attacks are called phishing attacks and have become very common in recent years. So we have a situation where the security of the user's password is only as strong as the least secure site where the password is used.
Password phishing attacks begin with a bulk email asking the user to update some information on the site. The email also contains a link to a fraudulent site
feigning to be the original site. When the user enters the site by clicking the link, the site prompts for the username and password, thus making the user reveal them. The phisher can then use this knowledge to impersonate the innocent user and access the user's account on the original site. Users commonly use the same password on multiple sites, so stolen username and password data from one site can be reused on another.
[Figure: Illustration of the phishing problem]
1.1.3 Common password problem
Here's another related, but different attack. Our user has online accounts at many different sites, and because it is difficult to remember a unique password for every site, she uses the same password at her bank and at her newspaper's login page. Maybe the newspaper login page isn't protected by SSL for performance reasons, or maybe the passwords are stored in the clear on the newspaper server. Maybe a successful phishing attack was executed on the newspaper site, or perhaps the newspaper itself is owned by a nefarious villain who wants to sell these passwords to
the highest bidder. In any case, the security of the bank site is compromised by the low-security site, because the user has a common password at both sites. So we have a situation where the security of the user's password is only as strong as the least secure site where the password is used. Merely beefing up security at the bank's server won't help us very much. What we need is a client-side security solution to protect the bank password from being given to the newspaper.
has encountered, it was a good development in the direction of overcoming phishing rather than trying to prevent or avoid it. Password Hashing was also implemented by using the SSL certificate of the domain as the salt. This provides good security until the authenticity of the certificate comes into question. Also, many small organizations do not have any SSL certificate, so users who wanted to log into such sites had to go unprotected. Thus there was a need for a solution that overcomes these incompatibilities. Our concept is designed to protect the ordinary user. We have implemented Password Hashing by taking the domain name of the site hosting the current page as the salt. This new direction gave us two advantages. Firstly, the user had different passwords for different domains, so even after successful phishing at one site, the phisher could not access any other account of the user besides the one whose password he had captured. Secondly, it was not possible for the phisher to recover the user's password for a domain, because the salt was different for the original domain and the phishing site. Thus the password obtained by the phisher became worthless: he could not log on to the original domain with the phished password. In this way Password Hashing was helpful in thwarting phishing attacks successfully.
Phishing for passwords is worthwhile only if the password sent to the phishing server is also useful at a legitimate site. One way to prevent phishers from collecting useful passwords is to encode user passwords according to where they are used, and transmit only an encoded password to a web site. Thus, a user could type in the same
password for multiple sites, but each site, including a phishing site, would receive a differently encoded version of the password. An implementation of this idea is called password hashing. In password hashing, password information is hashed together with the domain name to which it is going before it is transmitted, so that the actual transmitted password can be used only at the domain receiving the password data. Password hashing involves two processes. The cleartext password is given as input to an encryption process; the encrypted password, along with the domain, is then given as input to a hash algorithm, whose output is the domain-specific password.
This application can address two problems. They are:
1. Phishing attack: A user arrives at an official-looking web site, perhaps after clicking a link in a fraudulent email or mistyping a web address. The user thinks that they're at a bank site, but actually they're giving their password to a fake site controlled by a malicious criminal. Once the user gives away their password, the attacker can log in to the real bank with the user's account. These identity theft attacks are called phishing attacks and have become very common in recent years.
The security properties of the hash function make it hard for an attacker to recover the original password using only the hashed version. Because we derive different passwords for different domains, the password sent to the original site differs from the one sent to the fake site, since their domain names differ. Thus we protect against a password phishing attack, as long as the phishing site has a different domain name from the original site.
2. Common password problem: The user has online accounts at many different sites, and because it is difficult to remember a unique password for every site, he uses the same password at his bank and at his blog. Maybe the passwords at the blog are stored in the clear on the server, maybe a successful phishing attack was executed on the blog site, or perhaps the blog itself is owned by a nefarious villain who wants to sell these passwords to the highest bidder. In any case, the security of the bank site is compromised by the low-security site, because the user has a common password at both sites.
Here's how password hashing works. Suppose our user gives the same password to both bank A and site B, either because site B is a phishing site or just a site with lower security than the bank. Rather than send the password directly to the remote server, we instead combine the user's password and the domain name of the site into a secure hash that is used as the user's domain-specific password. When the common password is hashed with two different domain names, the output of the hash function differs, so each site receives only its own hashed version. And we handle the common password problem by ensuring that the user has a different, unique password at every site they visit.
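The derivation described in the previous paragraphs, as an added example that is not part of the report's own implementation: the domain-specific password is computed as HMAC-SHA256 keyed with the user's password over the site's registrable domain (a substitution for the report's separate encrypt-then-hash steps), and a constructed bank site shows that the value captured by a look-alike phishing domain does not log in at the real bank. The `Site` class, URLs and credentials are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Canonical domain used as the salt: the registrable domain of the URL host.
    Simplified to the last two labels (assumption: no multi-part suffixes like co.uk)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_password(master_password: str, url: str, length: int = 16) -> str:
    """Domain-specific password: HMAC-SHA256 keyed with the user's password over the
    canonical domain, encoded to printable characters. The master password never leaves
    the client; only this derived value is submitted to the site."""
    mac = hmac.new(master_password.encode(), site_domain(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]


class Site:
    """Constructed server: stores only a hash of the submitted (domain-specific) password."""

    def __init__(self, url: str):
        self.url = url
        self.registered = {}  # username -> sha256 of the submitted password

    def register(self, user: str, submitted_pw: str) -> None:
        self.registered[user] = hashlib.sha256(submitted_pw.encode()).hexdigest()

    def login(self, user: str, submitted_pw: str) -> bool:
        return self.registered.get(user) == hashlib.sha256(submitted_pw.encode()).hexdigest()


def phishing_demo(master: str = "correct horse", user: str = "alice") -> dict:
    bank = Site("https://www.bank-example.com/login")  # constructed legitimate site
    bank.register(user, domain_password(master, bank.url))
    # The user is lured to a look-alike domain and types the same master password;
    # the client hashes it with the phishing domain, so the phisher captures only that.
    captured = domain_password(master, "https://www.bank-example-login.net/verify")
    return {
        "captured_works_at_bank": bank.login(user, captured),
        "real_works_at_bank": bank.login(user, domain_password(master, "https://bank-example.com/")),
        "captured_equals_real": captured == domain_password(master, bank.url),
    }
```

Note that `site_domain` is what makes a login page on `www.` and the bare domain derive the same value; a phishing host on a different registrable domain cannot produce it.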
CONCLUSION
We have presented a paper that helps improve password authentication by making the password domain-specific. With it we can counter the phishing problem and tackle the common password problem. We are able to generate strong passwords that make password cracking difficult, and to generate different passwords for different domains even when the user's password is common. Though this takes a little more time, it is worth using, as it not only solves the common password problem but also protects against the much larger and more dangerous phishing problem. Our concept to a great extent puts a check on the phisher's attempts to obtain the original password and also tricks him by giving away a false password.