Dual Authentication Tapped in Phish Fight

CMU anti-phishing prototype keeps users from giving away the store, but the catch is everyone has to deploy and use it

Researchers at Carnegie Mellon University have built a tool that protects users from phishing attacks -- even if they take the bait.

The Phoolproof Phishing Prevention tool provides two-way authentication between the user and the Web server via the user's mobile device: a cell phone or PDA, for instance. The Java-based tool operates atop SSL and uses a key pair that authenticates the user and the Websites visited.

That way, even if a user mistakenly tries to go to a phishing site posing as his bank, for example, the tool will prevent him from accessing it. And he won't be able to inadvertently give away or compromise his credentials, which are stored in the mobile device. The mobile device talks to the user's Web browser and only shows its authentication key to a legitimate Website.

CMU researchers say their prototype is more effective against phishing than existing anti-phishing tools. "A lot of prior approaches try to get the users to just recognize when they arrive at a phishing Website," says Bryan Parno, a graduate student and member of the project's research team at CMU's CyLab. "But the fundamental problem is users are still going to make the wrong decision."

Parno says studies show users still click through and enter their personal data even when their toolbar warns them about a site.

The catch: Both the user and Websites must deploy the Phoolproof Phishing Prevention technology for it to work, so consumers, businesses, and financial institutions, for instance, would all have to be in the loop.

"I like the idea of including another means to authenticate, and handsets are one alternative," says Dan Hubbard, vice president of research at Websense and a research fellow with the Anti-Phishing Working Group. However, "I'm not sure about the scaling of such a solution," he says.

Plus, it adds some complexity and costs for the organizations deploying it, Hubbard says. "And this wouldn't potentially stop plain-Jane social engineering asking a user for a username and password," either.

But CMU's Parno says all it would take is "small tweaks" to server configurations to store the user account key as well as some changes to the SSL setup. Websites would likely deploy it side by side with existing username and password authentication on their sites, for example, he says.

The CMU CyLab's prototype runs on a Nokia smart phone, but it could be used on any mobile device, Parno says. "When you want to log on to Amazon.com, for example, your mobile device communicates with your PC and launches your browser to make sure it's the right site. Then it authenticates on your behalf using the key, and you enter your user name and password," Parno explains.

The mobile device manages the keys, so the organization or user doesn't have to. "What's nice about this setup is the key never leaves your mobile device, and it never discloses it," Parno says, so there's no chance of giving away your identity to the wrong guy. And even if your cell is lost or stolen, your keys are useless without your username and password, he says.
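The flow described above, as an added simulation that is not CMU's code: the SSL layer is abstracted into a server public key presented at login plus a challenge to sign, the handset pins each bookmarked site's public key at enrollment, keeps the user's private key on the device, and signs only when the presenting site matches the pin, while the site verifies with nothing but the stored public key. The Schnorr group, key sizes and domain names are constructed for illustration.

```python
import hashlib
import secrets
def _is_prime(n: int, rounds: int = 32) -> bool:   # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _group(bits: int = 64):   # safe prime p = 2q + 1, in which g = 4 has order q
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1, q, 4
P, Q, G = _group()   # toy-sized Schnorr group; a real device would use a standard curve
def _e(r: int, msg: bytes) -> int:   # Fiat-Shamir challenge binding commitment r to msg
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q
def sign(x: int, msg: bytes):   # Schnorr signature (r, s) on msg under private key x
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - x * _e(r, msg)) % Q
def verify(y: int, msg: bytes, sig) -> bool:   # server side: needs only the public key y
    r, s = sig
    return (pow(G, s, P) * pow(y, _e(r, msg), P)) % P == r
class PhoolproofDevice:   # simulated handset: per bookmark, pinned server key + user key pair
    def __init__(self):
        self.bookmarks = {}   # domain -> (server public key seen at enrollment, user private key)
    def enroll(self, domain: str, server_pubkey: int) -> int:
        x = secrets.randbelow(Q - 1) + 1   # user private key: generated on, and never leaves, the device
        self.bookmarks[domain] = (server_pubkey, x)
        return pow(G, x, P)   # the site stores only this public key beside the username/password

    def authenticate(self, domain: str, presented_pubkey: int, challenge: bytes):
        if domain not in self.bookmarks:
            return None   # never enrolled here: there is no credential to give away
        pinned_pubkey, x = self.bookmarks[domain]
        if presented_pubkey != pinned_pubkey:
            return None   # key does not match the pin: look-alike site or man-in-the-middle
        return sign(x, challenge)   # the credential is released only to the pinned site
```

A lost handset holds only the private halves, which, as the article notes, are useless to a thief without the username and password the site still asks for.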

CMU is working with some financial institutions and mobile phone companies that are interested in the tool, Parno says, but he can't name names. It's unclear yet just how CMU will distribute the tool -- or whether it will charge for the tool or make it freeware -- but the research team is working on making the prototype more robust and reliable in the meantime, he says.

Phishing experts say there's no single solution for killing phishing attacks available today. Peter Cassidy, secretary general of the APWG and director of research for Triache, says there are 130 different brands being phished each month, with small banks and credit card companies becoming major targets of these schemes as well. Cassidy notes that IM, interactive voice response systems, and blended media attacks are becoming more common with phishing attacks, too, so there are just too many attack venues for a single solution to protect. "Phishing is a many-splendid thing," he says.

"There's nothing in the near-term that's a silver bullet," Websense's Hubbard says. "One of the biggest gains we could get is mass education of the problem to help with the low-hanging fruit attacks -- just making sure users are aware of the mass amount of fraud that's happening online."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
