Alice, What Did You Do Last Time? Fighting Phishing Using Past Activity Tests

Nikiforakis, Nikos; Makridakis, Andreas; Αθανασόπουλος, Ηλίας; Markatos, Evangelos P.

doi:10.1007/978-0-387-85555-4_7

Cited by 3 publications

(3 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The user either needs to store and maintain a particular bookmark for every protected website [1], remember to activate protection before entering her credentials [39], install a plugin [47] or a browser toolbar and regularly verify that it is not spoofed [42], use a dedicated browser [22] or a second device that must be trustworthy but also able to establish a direct connection with the browser [34], or remember every past action with respect to this account [31], while some approaches are not implemented or practically evaluated [16].…”

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

“…The main goal is to not submit the password in plaintext to an unauthenticated remote server but mutually authenticate client and server [16,42,47], utilize a zero-knowledge protocol to avoid transmitting confidential information [22], check for user-specific knowledge that changes over time [31], use trusted second devices to establish an authenticated session [34], generate site-specific passwords from a seed [39], or use bookmarks as a secure entry point [1].…”

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

See 1 more Smart Citation

PhishSafe

Braun

Johns²,

Koestler

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

The term "phishing" describes a class of social engineering attacks on authentication systems, that aim to steal the victim's authentication credential, e.g., the username and password. The severity of phishing is recognized since the mid-1990's and a considerable amount of attention has been devoted to the topic. However, currently deployed or proposed countermeasures are either incomplete, cumbersome for the user, or incompatible with standard browser technology. In this paper, we show how modern JavaScript API's can be utilized to build PhishSafe, a robust authentication scheme, that is immune against phishing attacks, easily deployable using the current browser generation, and requires little change in the end-user's interaction with the application. We evaluate the implementation and find that it is applicable to web applications with low efforts and causes no tangible overhead.

show abstract

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

Section: Sophisticated Authentication Protocolsmentioning

confidence: 99%

PhishSafe

Braun

Johns²,

Koestler

et al. 2014

Proceedings of the 4th ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Several studies have been conducted, trying to identify why users fall victim to phishing attacks [5,7] and various solutions have been suggested, such as the use of per-site "pageskinning" [4], security toolbars [23], images [2,17], trusted password windows [16], use of past-activity knowledge [11] and automatic analysis of the content within a page [24]. Unfortunately, the problem is hard to address in a completely automatic way, and thus, the current deployed antiphishing mechanisms in popular browsers are all black-list based [15].…”

Section: Related Workmentioning

confidence: 99%

TabShots

Ryck

Nikiforakis

Desmet

et al. 2013

Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security

View full text Add to dashboard Cite

As the web grows larger and larger and as the browser becomes the vehicle-of-choice for delivering many applications of daily use, the security and privacy of web users is under constant attack. Phishing is as prevalent as ever, with antiphishing communities reporting thousands of new phishing campaigns each month. In 2010, tabnabbing, a variation of phishing, was introduced. In a tabnabbing attack, an innocuous-looking page, opened in a browser tab, disguises itself as the login page of a popular web application, when the user's focus is on a different tab. The attack exploits the trust of users for already opened pages and the user habit of long-lived browser tabs.To combat this recent attack, we propose TabShots. Tab-Shots is a browser extension that helps browsers and users to remember what each tab looked like, before the user changed tabs. Our system compares the appearance of each tab and highlights the parts that were changed, allowing the user to distinguish between legitimate changes and malicious masquerading. Using an experimental evaluation on the most popular sites of the Internet, we show that TabShots has no impact on 78% of these sites, and very little on another 19%. Thereby, TabShots effectively protects users against tabnabbing attacks without affecting their browsing habits and without breaking legitimate popular sites.

show abstract