PHISHPIN: AN INTEGRATED, IDENTITY-BASED ANTI-PHISHING APPROACH

Hicham Tout

Abstract

Phishing is a social engineering technique used to fraudulently acquire sensitive information from users by masquerading as a legitimate entity. One of the primary goals of phishing is to illegally carry out fraudulent financial transactions on behalf of users. The two primary vulnerabilities exploited by phishers are the inability of non-technical or unsophisticated users to reliably identify spoofed emails or Web sites, and the relative ease with which phishers masquerade as legitimate Web sites. This paper presents Phishpin, an approach that leverages the concepts of mutual authentication to require online entities to prove their identities. To this end, Phishpin builds on One-Time-Password, DNS, partial credentials sharing, and client filtering to prevent phishers from masquerading as legitimate online entities.

Paper Citation


in Harvard Style

Tout H. (2009). PHISHPIN: AN INTEGRATED, IDENTITY-BASED ANTI-PHISHING APPROACH. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 369-374. DOI: 10.5220/0002222503690374


in Bibtex Style

@conference{secrypt09,
author={Hicham Tout},
title={PHISHPIN: AN INTEGRATED, IDENTITY-BASED ANTI-PHISHING APPROACH},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={369-374},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002222503690374},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - PHISHPIN: AN INTEGRATED, IDENTITY-BASED ANTI-PHISHING APPROACH
SN - 978-989-674-005-4
AU - Tout H.
PY - 2009
SP - 369
EP - 374
DO - 10.5220/0002222503690374