Abstract
In this paper, we propose a new class of Human Interactive Proofs (HIPs) that allow a human to distinguish one computer from another. Unlike traditional HIPs, where the computer issues a challenge to the user over a network, in this case, the user issues a challenge to the computer. This type of HIP can be used to detect phishing attacks, in which websites are spoofed in order to trick users into revealing private information.
We define five properties of an ideal HIP to detect phishing attacks. Using these properties, we evaluate existing and proposed anti-phishing schemes to discover their benefits and weaknesses.
We review a new anti-phishing proposal, Dynamic Security Skins (DSS), and show that it meets the HIP criteria. Our goal is to allow a remote server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. In our scheme, the web server presents its proof in the form of an image that is unique for each user and each transaction. To authenticate the server, the user can visually verify that the image presented by the server matches a reference image presented by the browser.
This is a preview of subscription content, log in via an institution to check access.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
First Workshop on Human Interactive Proofs, http://www2.parc.com/istl/groups/did/HIP2002/ (2002)
Litan, A.: Phishing Attack Victims Likely Targets for Identity Theft. Gartner Research FT-22-8873 (2004)
Loftesness, S.: Responding to Phishing Attacks, http://www.glenbrook.com/opinions/phishing.htm (2004)
Dhamija, R., Tygar, J.D.: Phishing: A Model Problem for Usability in Privacy and Security (to Appear)
Netcraft: SSLs Credibility as Phishing Defense is Tested, http://news.netcraft.com/archives/2004/03/08/ssls_credibility_as_phishing_defense_is_tested.html (2004)
Microsoft: Erroneous Verisign Issued Digital Certificates Pose Spoofing Hazard. Technical Report Microsoft Security Bulletin MS01-017 (2001)
Herzberg, A., Gbara, A.: Protecting (even) Naive Web Users, or: Preventing Spoofing and Establishing Credentials of Websites. Technical Report Draft of July 2004 (2004)
Pretty Good Privacy, www.pgp.com/
Verisign: Verisign Secured Seal Program, http://www.verisign.com/products-services/security-services/secured-seal/
TRUSTe, http://www.truste.org/
RSA Security: America Online and RSA Security Launch AOL PassCode Premium Service http://www.rsasecurity.com/press_release.asp?doc_id=5033 (2004)
RSA Security: Protecting Against Phishing by Implementing Strong Two- Factor Authentication, https://www.rsasecurity.com/products/securid/whitepapers/PHISH_WP_0904.pdf (2004)
Pullar-Strecker, T.: NZ bank adds security online. The Sydney Morning Herald (November 8, 2004)
Passmark Security: Protecting Your Customers from Phishing Attacks: an Introduction to Passmarks, http://www.passmarksecurity.com/
Visa USA: Verified by Visa, https://usa.visa.com/personal/security/vbv/
Haber, R.N.: How We Remember What We See. Scientific American 222, 104–112 (1970)
Zishuang, Y., Smith, S.: Trusted Paths for Browsers. In: Proceedings of the 11th USENIX Security Symposium, IEEE Computer Society Press, Los Alamitos (2002)
Waterken Inc.: Waterken YURL Trust Management for Humans, http://www.waterken.com/dev/YURL/Name/ (2004)
eBay: eBay Toolbar, http://pages.ebay.com/ebay_toolbar/
Chou, N., Ledesma, R., Teraguchi, Y., Boneh, D., Mitchell, J.C.: Client Side Defense Against Web-based Identity Theft, http://crypto.stanford.edu/SpoofGuard/
Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: A Browser Plug-in Solution to the Unique Password Problem. Technical Report Stanford-SecLab-TR-2005-1 (2005)
Core Street: SpoofStick, www.corestreet.com/spoofstick/
Wu, T.: The Secure Remote Password Protocol. In: Proceedings of the 1998 Internet Society Network and Distributed System Security Symposium, San Diego, CA (1998)
Perrig, A., Song, D.: Hash Visualization: A New Technique to Improve Real World Security. In: International Workshop on Cryptographic Techniques and E-Commerce (1999)
Dhamija, R.: Hash Visualization in User Authentication. In: Proceedings of the Computer Human Interaction Conference Short Papers (2000)
Dhamija, R., Perrig, A.: Déjà Vu: A User Study. Using Images for Authentication. In: Proceedings of the 9th USENIX Security Symposium (2000)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Dhamija, R., Tygar, J.D. (2005). Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks. In: Baird, H.S., Lopresti, D.P. (eds) Human Interactive Proofs. HIP 2005. Lecture Notes in Computer Science, vol 3517. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11427896_9
Download citation
DOI: https://doi.org/10.1007/11427896_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26001-1
Online ISBN: 978-3-540-32117-0
eBook Packages: Computer ScienceComputer Science (R0)