Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks

  • Conference paper
Human Interactive Proofs (HIP 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3517)

Abstract

In this paper, we propose a new class of Human Interactive Proofs (HIPs) that allow a human to distinguish one computer from another. Unlike traditional HIPs, where the computer issues a challenge to the user over a network, in this case, the user issues a challenge to the computer. This type of HIP can be used to detect phishing attacks, in which websites are spoofed in order to trick users into revealing private information.

We define five properties of an ideal HIP to detect phishing attacks. Using these properties, we evaluate existing and proposed anti-phishing schemes to discover their benefits and weaknesses.

We review a new anti-phishing proposal, Dynamic Security Skins (DSS), and show that it meets the HIP criteria. Our goal is to allow a remote server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. In our scheme, the web server presents its proof in the form of an image that is unique for each user and each transaction. To authenticate the server, the user can visually verify that the image presented by the server matches a reference image presented by the browser.
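As an added illustration (not code from the paper), a toy model of the check the abstract describes: the browser picks a fresh per-transaction challenge, both it and the genuine server render a visual hash of the user's key over that challenge, and the user compares the two images. It assumes a per-user secret shared between browser and server and a hashed colour grid standing in for the skin image; the paper's actual construction is not given on this page.

```python
import hmac
import hashlib
import secrets

GRID = 4  # a 4x4 grid of colour names stands in for a rendered skin image
PALETTE = ["red", "green", "blue", "yellow", "black", "white", "orange", "purple"]


def visual_hash(user_key: bytes, challenge: bytes) -> tuple:
    """Map (per-user key, per-transaction challenge) to a colour grid.
    Assumed construction: HMAC-SHA256 over the challenge, one byte per cell.
    Anyone holding user_key can reproduce it; a site without the key cannot."""
    digest = hmac.new(user_key, challenge, hashlib.sha256).digest()
    cells = [PALETTE[b % len(PALETTE)] for b in digest[:GRID * GRID]]
    return tuple(tuple(cells[i:i + GRID]) for i in range(0, GRID * GRID, GRID))


class Browser:
    """User's side: holds the key and renders the reference image."""
    def __init__(self, user_key: bytes):
        self.user_key = user_key

    def issue_challenge(self) -> bytes:
        # The user side chooses a fresh value per transaction, so each login
        # shows a different image and a captured image cannot be replayed.
        return secrets.token_bytes(16)

    def reference_image(self, challenge: bytes) -> tuple:
        return visual_hash(self.user_key, challenge)


class Server:
    """Genuine server: knows each user's key, so its image matches."""
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys

    def prove(self, username: str, challenge: bytes) -> tuple:
        return visual_hash(self.user_keys[username], challenge)


class SpoofServer:
    """Phishing site: lacks the user's key and can only guess one."""
    def prove(self, username: str, challenge: bytes) -> tuple:
        return visual_hash(secrets.token_bytes(32), challenge)


def login(browser: Browser, server, username: str) -> bool:
    """The human check: does the server's image match the browser's reference?"""
    challenge = browser.issue_challenge()
    return browser.reference_image(challenge) == server.prove(username, challenge)
```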

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dhamija, R., Tygar, J.D. (2005). Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks. In: Baird, H.S., Lopresti, D.P. (eds) Human Interactive Proofs. HIP 2005. Lecture Notes in Computer Science, vol 3517. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11427896_9

  • DOI: https://doi.org/10.1007/11427896_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26001-1

  • Online ISBN: 978-3-540-32117-0

  • eBook Packages: Computer Science (R0)