Dual Authentication Tapped in Phish Fight

CMU anti-phishing prototype keeps users from giving away the store, but the catch is everyone has to deploy and use it

Researchers at Carnegie Mellon University have built a tool that protects users from phishing attacks -- even if they take the bait.

The Phoolproof Phishing Prevention tool provides two-way authentication between the user and the Web server via the user's mobile device: a cell phone or PDA, for instance. The Java-based tool operates atop SSL and uses a key pair that authenticates the user and the Websites visited.

That way, even if a user mistakenly tries to go to a phishing site posing as his bank, for example, the tool will prevent him from accessing it. And he won't be able to inadvertently give away or compromise his credentials, which are stored in the mobile device. The mobile device talks to the user's Web browser and only shows its authentication key to a legitimate Website.

CMU researchers say their prototype is more effective against phishing than existing anti-phishing tools. "A lot of prior approaches try to get the users to just recognize when they arrive at a phishing Website," says Bryan Parno, a graduate student and member of the project's research team at CMU's CyLab. "But the fundamental problem is users are still going to make the wrong decision."

Parno says studies show users still click through and enter their personal data even when their toolbar warns them about a site.

The catch: Both the user and Websites must deploy the Phoolproof Phishing Prevention technology for it to work, so consumers, businesses, and financial institutions, for instance, would all have to be in the loop.

"I like the idea of including another means to authenticate, and handsets are one alternative," says Dan Hubbard, vice president of research at Websense and a research fellow with the Anti-Phishing Working Group. However, "I'm not sure about the scaling of such a solution," he says.

Plus, it adds some complexity and costs for the organizations deploying it, Hubbard says. "And this wouldn't potentially stop plain-Jane social engineering asking a user for a username and password," either.

But CMU's Parno says all it would take is "small tweaks" to server configurations to store the user account key as well as some changes to the SSL setup. Websites would likely deploy it side by side with existing username and password authentication on their sites, for example, he says.

The CMU CyLab's prototype runs on a Nokia smart phone, but it could be used on any mobile device, Parno says. "When you want to log on to Amazon.com, for example, your mobile device communicates with your PC and launches your browser to make sure it's the right site. Then it authenticates on your behalf using the key, and you enter your user name and password," Parno explains.

The mobile device manages the keys, so the organization or user doesn't have to. "What's nice about this setup is the key never leaves your mobile device, and it never discloses it," Parno says, so there's no chance of giving away your identity to the wrong guy. And even if your cell is lost or stolen, your keys are useless without your username and password, he says.
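The flow Parno describes, as an added simulation that is not code from the CMU project: the phone answers a login challenge only when the site's certificate matches the one it recorded at account setup, and the server accepts a login only with both the device response and the password. It assumes a certificate fingerprint stands for the SSL identity check and an HMAC stands in for the real tool's per-site key pair, so here the server holds the same key rather than only a public half.

```python
import hashlib
import hmac
import secrets

def cert_fingerprint(cert_bytes: bytes) -> str:
    """Fingerprint of the certificate the browser saw in the SSL handshake."""
    return hashlib.sha256(cert_bytes).hexdigest()

class PhoneAuthenticator:
    """Simulated mobile device: per site it records the server certificate
    seen at setup and a user key that never leaves the device (HMAC stand-in)."""
    def __init__(self):
        self._sites = {}  # domain -> (expected cert fingerprint, user key)

    def enrol(self, domain: str, server_cert: bytes) -> bytes:
        key = secrets.token_bytes(32)
        self._sites[domain] = (cert_fingerprint(server_cert), key)
        return key        # given to the server once, when the account is set up

    def authenticate(self, domain: str, presented_cert: bytes, challenge: bytes):
        """Answer the challenge only if the presented certificate matches the
        one recorded for this domain; a look-alike site gets nothing."""
        record = self._sites.get(domain)
        if record is None:
            return None   # no account here, so no key to disclose
        expected_fp, key = record
        if cert_fingerprint(presented_cert) != expected_fp:
            return None   # wrong certificate: refuse, reveal nothing
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()

class BankServer:
    """Site that accepts a login only with both the device response and the
    password, so a stolen phone alone is not enough."""
    def __init__(self, cert: bytes):
        self.cert = cert  # constructed stand-in for the site's SSL certificate
        self._users = {}  # username -> (salt, password hash, user key)

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str, user_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._pw_hash(password, salt), user_key)

    def login(self, username: str, password: str, challenge: bytes, response) -> bool:
        salt, pw_hash, key = self._users[username]
        expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
        key_ok = response is not None and hmac.compare_digest(expected, response)
        pw_ok = hmac.compare_digest(pw_hash, self._pw_hash(password, salt))
        return key_ok and pw_ok
```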

CMU is working with some financial institutions and mobile phone companies that are interested in the tool, Parno says, but he can't name names. It's unclear yet just how CMU will distribute the tool -- or whether it will charge for the tool or make it freeware -- but the research team is working on making the prototype more robust and reliable in the meantime, he says.

Phishing experts say there's no single solution for killing phishing attacks available today. Peter Cassidy, secretary general of the APWG and director of research for Triache, says there are 130 different brands being phished each month, with small banks and credit card companies becoming major targets of these schemes as well. Cassidy notes that IM, interactive voice response systems, and blended media attacks are becoming more common with phishing attacks, too, so there are too many attack venues for any single solution to cover. "Phishing is a many-splendid thing," he says.

"There's nothing in the near-term that's a silver bullet," Websense's Hubbard says. "One of the biggest gains we could get is mass education of the problem to help with the low-hanging fruit attacks -- just making sure users are aware of the mass amount of fraud that's happening online."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
