6 research outputs found

    Modelling Anti-Phishing Authentication Ceremonies

    Anti-Phishing Models: Main Challenges

    Phishing is a form of online identity theft in which the attacker attempts to fraudulently retrieve a legitimate user's account information, logon credentials or identity information in general. The compromised information is then used for withdrawing money online, taking out cash advances, or making purchases of goods and services on the accounts. Various solutions have been proposed and developed in response to phishing. As phishing is a business problem, the solutions target both non-technical and technical areas. This paper investigates the current anti-phishing solutions and critically reviews their usage, security weaknesses and their effectiveness. The analysis of these models points to a conclusion that technology alone will not completely stop phishing. What is necessary is a multi-tiered, organised approach: user awareness, technical and non-technical solutions should work together.

    Password-Based Authentication and Phishing

    The most common mechanism for online authentication is the username-password. The majority of e-commerce applications are designed to provide password authentication via an HTML form, with the assumption that the user needs to determine if it is safe to enter the password. In order to avoid phishing attacks, the user is expected to distinguish between a phishing and a genuine website by checking the browser security indicators. Alternative authentication models suggest using images for authentication, introducing variations of Password Authenticated Key Exchange (PAKE) protocols into TLS, or using digital objects as passwords. Some authentication models suggest sending one-time password (OTP) tokens out-of-band to the user. Most computer users have too many passwords and keep forgetting them. A common issue for all authentication models is how to restore a legitimate user's access to their account without authentication, i.e. password reset. In this paper, we investigate current password-based authentication models and review their impact on phishing. We investigate two categories of issues: 1) deployment obstacles for the 'stronger' authentication models, and 2) security issues created by the number of passwords a user needs to memorize.

    Model for analysing Anti-Phishing Authentication Ceremonies

    No full text
    Phishing takes advantage of the way humans interact with computers or interpret messages, and also of the fact that many online authentication protocols place a disproportionate burden on human abilities. A security ceremony is an extension of the concept of a network security protocol and includes the user interface and human-protocol interaction. It is one way of extending the reach of current methods for social, technical and contextual analysis of security protocols to include humans. In this paper, we propose a Human Factors in Anti-Phishing Authentication Ceremonies (APAC) Framework for investigating phishing attacks in authentication ceremonies, which builds on The Human-in-the-Loop Security Framework of communication processing. We show how to apply the APAC framework to model human-protocol behaviour. The resulting Model for Analysing APAC correlates the framework components and examines how the authentication tasks required to be performed by humans influence their decision-making and consequently their phishing detection.