SECURITY AGAINST DECEPTIVE PHISHING

Introduction
- Online presence of financial and business institutions
- Theft of confidential information leading to direct or indirect loss to the user
- Increase in the rate of thefts by hacking, spyware, phishing, etc.

PHISHING
- Tricks the unsuspecting users
- Makes them reveal confidential information
- The phisher impersonates the user for his advantage

Types of Phishing: Deceptive Phishing
- The most common vector is email
- Phisher sends deceptive email in bulk that demands the recipient to click on a link
- The web site to which the user is directed collects the user's confidential information

[Figure: illustration of deceptive phishing. The link in the email leads to a phishing site whose Username/Password form stores the entered credentials in the phisher's database.]

Types of Phishing (contd.)
- Malware attacks
  - Key Loggers
  - Session Hijackers
  - Web Trojans
  - Data Theft
- DNS-based attacks or Pharming

Password Phishing Problem
- Users cannot reliably identify fake sites
- Captured password can be used at target site
- Major problem to financial institutions' online presence

[Figure: password phishing problem. The user enters pwdA at the fake site; the fake site then uses the same pwdA at Bank A.]

Common Password Problem
- Users have the same password for many sites

[Figure: common password problem. The password pwdB that the user enters at Site B equals pwdA, the password used at Bank A.]

CASE STUDY
Source: Federal Trade Commission, USA, March 22, 2004
- Committed by Zachary Hill of Houston
- Hill sent out official-looking e-mail notices warning America Online and PayPal users to update their account to avoid cancellation
- At the fake site he collected sensitive information like SSN, bank account numbers, etc.
- He duped 400 users out of at least $75,000

Password Hashing
- Conventional login transmits the clear text password to the site
- Password hashing instead uses a hash of the password and the domain
- Generates a unique password for each site

[Figure: flow of the password in the network using password hashing. The user's password and the site's domain (pwd, dom) enter PwdHash in the browser; only the hashed password travels over the network to the server.]

dom)Domain Specific Password  .Implementing PwdHash Two stage encryption process  First stage based on clear text password  Second stage involves the domain name PwdH(E(pwd).

[Figure: Structure of PwdHash]

Characteristics
- PwdHash(pwd, dom), where pwd = clear text password and dom = domain or site
- PwdHash(pwd, dom1) is different from PwdHash(pwd, dom2)
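The following is an added worked example of the two-stage, domain-specific derivation described in the Password Hashing, Implementing PwdHash and Characteristics slides; it is not code from the slides or from the PwdHash project itself. The choice of primitives is an assumption made here: the first stage E(pwd) is modelled as SHA-256 of the clear text password, the second stage as HMAC-SHA256 keyed on that digest over the site's domain, with the result encoded as printable characters and trimmed to a fixed length. The hostnames, URLs and the user's password are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the generated site password is trimmed to this many characters
# so it fits ordinary password fields. Not a value from the slides.
SITE_PASSWORD_LENGTH = 16


def stage_one(pwd: str) -> bytes:
    """First stage E(pwd): depends on the clear text password only.

    Modelled here as SHA-256 (an assumption, not the PwdHash project's choice).
    """
    return hashlib.sha256(pwd.encode("utf-8")).digest()


def domain_of(url: str) -> str:
    """Domain the site password is bound to.

    The domain is taken from the URL the browser is actually connected to,
    never from page content a phisher controls. Lower-cased so that
    'Bank-A.example' and 'bank-a.example' derive the same site password.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def pwdhash(pwd: str, dom: str) -> str:
    """Second stage: PwdHash(E(pwd), dom) -> domain-specific password.

    HMAC keyed on the first-stage digest, over the domain name. Changing either
    the password or the domain changes the whole output.
    """
    tag = hmac.new(stage_one(pwd), dom.encode("utf-8"), hashlib.sha256).digest()
    # URL-safe base64 keeps the site password printable and typeable.
    return base64.urlsafe_b64encode(tag).decode("ascii")[:SITE_PASSWORD_LENGTH]


def site_password(pwd: str, url: str) -> str:
    """Convenience wrapper: derive the site password for the URL being visited."""
    return pwdhash(pwd, domain_of(url))


def demo() -> dict:
    """Reproduce the Bank A / Site B / fake-site scenario from the slides.

    All URLs and the user's password are constructed sample values.
    """
    user_pwd = "correct horse battery"                     # the one password the user remembers
    bank_a = "https://bank-a.example/login"                 # legitimate site
    site_b = "https://site-b.example/signin"                # another site, same user password
    fake = "https://bank-a-secure-login.example.net/login"  # constructed look-alike domain

    pwd_a = site_password(user_pwd, bank_a)
    pwd_b = site_password(user_pwd, site_b)
    pwd_captured = site_password(user_pwd, fake)

    return {
        "pwdA": pwd_a,
        "pwdB": pwd_b,
        "captured_at_fake_site": pwd_captured,
        # Common password problem solved: same user password, different site passwords.
        "pwdA_equals_pwdB": pwd_a == pwd_b,
        # Phishing problem solved: what the fake site receives does not work at Bank A.
        "captured_usable_at_bank_a": pwd_captured == pwd_a,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the three derived site passwords and two False flags: pwdA differs from pwdB even though the user typed the same password at both sites, and the value collected by the look-alike domain is not the value Bank A expects. Note that the property depends entirely on the browser binding the hash to the real domain; if the user typed the password into a site whose domain the browser could not distinguish from the bank's, the derivation would give the same output, which is why the domain must come from the address bar rather than from the page.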

[Figure: with PwdHash, Site B receives pwdB, which is no longer equal to pwdA.]

Conclusion
- We can counter the phishing problem and tackle the common password problem
- We will be able to generate strong passwords that make password cracking difficult
- Different passwords are generated for different domains even when the user's password is common