Title

Pwdip-Hash: A Lightweight Solution To Phishing And Pharming Attacks

Keywords

Design; Password authentication; Pharming; Phishing; Usability; Web security

Abstract

We present a novel lightweight password-based solution that safeguards users from Phishing and Pharming attacks. The proposed authentication relies on a hashed password, which is the hash value of the user-typed password and the authentication server's IP address. The solution rests on the fact that a server to which a client connects over a TCP connection cannot lie about its IP address. If a user is unknowingly directed to a malicious server (by a Phishing or a Pharming attack), the password obtained by the malicious server will be the hashed password (tied to the malicious server's IP address) and will not be usable by the attacker at the real server, thus defeating the Phishing/Pharming attack. The proposed solution does not increase the number of exchanged authentication messages, nor does it need hardware tokens as required by some previously proposed solutions. The solution is also safe against denial-of-service attacks, since no state is maintained on the server side during the authentication process. We have prototyped our design both as a web browser plug-in and as a standalone application. A comprehensive user study was conducted. The results show that around 95% of users think the proposed solution is easy to use and manage. Further, around 79% of users have shown willingness to use the application to protect their passwords. © 2010 IEEE.

Publication Date

11-24-2010

Publication Title

Proceedings - 2010 9th IEEE International Symposium on Network Computing and Applications, NCA 2010

Number of Pages

198-203

Document Type

Article; Proceedings Paper

Personal Identifier

scopus

DOI Link

https://doi.org/10.1109/NCA.2010.35

Scopus ID

78449311305 (Scopus)

Source API URL

https://api.elsevier.com/content/abstract/scopus_id/78449311305
