Effective Protection Against Phishing and Web Spoofing

Oppliger, Rolf; Gajek, Sebastian

doi:10.1007/11552055_4

Cited by 20 publications

(10 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This thwarts network sniffer attacks. Phishing is prevented by utilizing TLS in bilateral mode and verifying the certificates of both communicating parties [16].…”

Section: Privacy and Securitymentioning

confidence: 99%

A scalable and self-adapting notification framework for healthcare information systems

Okorodudu

Fegaras

Levine

2010

Univ Access Inf Soc

View full text Add to dashboard Cite

There has been a great interest in publish/subscribe systems in recent years. This interest, coupled with the pervasiveness of light-weight electronic devices, such as cellular phones and personal digital assistants, has opened a new arena in publish/subscribe networks. Currently, many broker overlay networks are static and rarely change in structure. Often, a network overlay structure is predefined or manually modified. This paper presents a dynamic broker network for disseminating critical lab and patient information in a Healthcare information system. The reported work builds upon previous network optimization research on ad hoc publish/subscribe networks. The underlying framework utilizes user-defined cost functions to satisfy quality of service constraints. In essence, the broker network optimization problem is reduced to an incremental search problem to generate low cost network configurations. Certain reliability issues are also addressed by providing a scheduling algorithm to selectively retransmit information and handle broker connectivity failures.

show abstract

“…This thwarts network sniffer attacks. Phishing is prevented by utilizing TLS in bilateral mode and verifying the certificates of both communicating parties [16].…”

Section: Privacy and Securitymentioning

confidence: 99%

A scalable and self-adapting notification framework for healthcare information systems

Okorodudu

Fegaras

Levine

2010

Univ Access Inf Soc

View full text Add to dashboard Cite

show abstract

“…These overlaps occur due to the use of different terminologies and are also due to the distinct research goals. For example, there have been studies of phishing attacks [14,21,29,7,6]; users' susceptibility to attacks [9,24]; factors exploited to allow an attack to be successful [27,8,12,25] and others. Among this wealth of studies, we found similar findings labelled in different ways.…”

Section: Overviewmentioning

confidence: 99%

Understanding the Weaknesses of Human-Protocol Interaction

Carlos

Price

2012

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. A significant number of attacks on systems are against the non-cryptographic components such as the human interaction with the system. In this paper, we propose a taxonomy of human-protocol interaction weaknesses. This set of weaknesses presents a harmonization of many findings from different research areas. In doing so we collate the most common human-interaction problems that can potentially result in successful attacks against protocol implementations. We then map these weaknesses onto a set of design recommendations aimed to minimize those weaknesses.

show abstract

“…Unfortunately, this is not the case and it is questionable whether it is possible at all. Note that an MITM can employ many tricks to give the user the impression of being connected to an origin server, for example, using visual spoofing, which is becoming increasingly popular (e.g., [15,16]). In the most extreme case, one may think of an MITM that is able to fully control the GUI of the user's browser.…”

Section: Related Workmentioning

confidence: 99%

“…Before we elaborate on challenge collision attacks, we note that we must make the assumption that the adversary cannot mount a visual spoofing attack (e.g., [15,16]). Otherwise, it is simpler (and hence more likely) that the adversary simply spoofs the challenge to be displayed by the browser to mount an MITM attack.…”

Section: Challenge Collision Attacksmentioning

confidence: 99%

Protecting TLS‐SA implementations for the challenge‐response feature of EMV‐CAP against challenge collision attacks

Oppliger¹,

Hauser²

2008

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) session-aware user authentication (TLS-SA) can be used to protect SSL/TLS-based e-commerce applications against man-in-the-middle (MITM) attacks. The main idea is to make the user authentication depend not only on the user's credentials, but also on state information related to the SSL/TLS session in which the credentials are transferred to the server. This, in turn, allows the server to detect inconsistencies caused by an MITM. There are many possibilities to implement TLS-SA and to make a user authentication scheme be SSL/TLS session-aware. In this paper, we take the challenge-response (C/R) feature of the Europay International, MasterCard, and Visa (EMV) Chip Authentication Program (CAP) as an example, and we argue that a TLS-SA implementation for this feature is appropriate but susceptible to challenge collision attacks. We then pick challenge collision attacks out as a central theme, and elaborate on a possible protection mechanism. Assuming that the adversary has no access to the browser's graphical user interface (GUI) and cannot retrieve the EMV-CAP challenge accordingly, the level of protection against challenge collision attacks can be improved considerably by non-deterministically derivating the challenge from information related to the SSL/TLS session and using encryption to turn a challenge into a response. If the adversary has read access to the browser's GUI, then this approach is counterproductive, and if the adversary even has write access, then the use of EMV-CAP is insecure and problematic in the first place. ‡ The SSL and TLS protocols are different but very similar. For the purpose of this paper, we do not distinguish between them and use the term SSL/TLS protocol(s) to refer to both of them.to secure electronic commerce (e-commerce) applications, such as Internet banking. In spite of the fact that many researchers have analyzed the security of the SSL/TLS protocol, relatively few shortcomings and

show abstract

Effective Protection Against Phishing and Web Spoofing

Cited by 20 publications

References 10 publications

A scalable and self-adapting notification framework for healthcare information systems

A scalable and self-adapting notification framework for healthcare information systems

Understanding the Weaknesses of Human-Protocol Interaction

Protecting TLS‐SA implementations for the challenge‐response feature of EMV‐CAP against challenge collision attacks

Contact Info

Product

Resources

About