Phoolproof Phishing Prevention

  • Bryan Parno
  • Cynthia Kuo
  • Adrian Perrig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4107)


Phishing, or web spoofing, is a growing problem: the Anti-Phishing Working Group (APWG) received almost 14,000 unique phishing reports in August 2005, a 56% jump over the number of reports in December 2004 [3]. For financial institutions, phishing is a particularly insidious problem, since trust forms the foundation for customer relationships, and phishing attacks undermine confidence in an institution.

Phishing attacks succeed by exploiting a user’s inability to distinguish legitimate sites from spoofed sites. Most prior research focuses on assisting the user in making this distinction; however, users must make the right security decision every time. Unfortunately, humans are ill-suited for performing the security checks necessary for secure site identification, and a single mistake may result in a total compromise of the user’s online account. Fundamentally, users should be authenticated using information that they cannot readily reveal to malicious parties. Placing less reliance on the user during the authentication process will enhance security and eliminate many forms of fraud.

We propose using a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts Man-in-the-Middle attacks after setup, and protects a user’s account even in the presence of keyloggers and most forms of spyware. We demonstrate the practicality of our system with a prototype implementation.
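The abstract does not specify the protocol, so the following is an added illustration of the pattern it describes, not the paper's own design or code: a device-held secret that the user never types, a server identity pinned during a one-time trusted setup, and a nonce-based mutual challenge-response bound to that pinned identity. The use of an HMAC over a pre-shared key (rather than whatever key material the paper's prototype uses), the class and site names, and the certificate fingerprints are all assumptions made for this example; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

# Domain-separation labels so a server tag can never be replayed as a device tag.
DOMAIN_SERVER = b"server-auth:"
DOMAIN_DEVICE = b"device-auth:"


def _tag(key, domain, nonce_a, nonce_b, cert_fp):
    """HMAC over both nonces and the pinned certificate fingerprint (assumed construction)."""
    return hmac.new(key, domain + nonce_a + nonce_b + cert_fp, hashlib.sha256).digest()


class TrustedDevice:
    """Hypothetical device holding per-site secrets the user never sees or types."""

    def __init__(self):
        self._sites = {}  # site name -> (shared key, pinned TLS certificate fingerprint)

    def setup(self, site, shared_key, cert_fp):
        """One-time enrollment over a trusted channel; the only step that trusts the site."""
        self._sites[site] = (shared_key, cert_fp)

    def start_login(self):
        return secrets.token_bytes(16)  # fresh device nonce

    def answer(self, site, device_nonce, server_nonce, server_tag, observed_cert_fp):
        key, pinned_fp = self._sites[site]
        # Spoofed-site / MitM check: the TLS endpoint must be the one pinned at setup.
        if not hmac.compare_digest(observed_cert_fp, pinned_fp):
            raise ValueError("certificate does not match the fingerprint pinned at setup")
        # Server authentication: only a holder of the shared key can produce this tag.
        expected = _tag(key, DOMAIN_SERVER, device_nonce, server_nonce, pinned_fp)
        if not hmac.compare_digest(expected, server_tag):
            raise ValueError("server failed to prove possession of the shared key")
        # Device authentication, bound to both nonces and the pinned endpoint.
        return _tag(key, DOMAIN_DEVICE, server_nonce, device_nonce, pinned_fp)


class Server:
    """Bank-side endpoint (hypothetical); knows enrolled users' keys and its own cert fingerprint."""

    def __init__(self, cert_fp):
        self.cert_fp = cert_fp
        self._users = {}

    def enroll(self, user, shared_key):
        self._users[user] = shared_key

    def challenge(self, user, device_nonce):
        server_nonce = secrets.token_bytes(16)
        tag = _tag(self._users[user], DOMAIN_SERVER, device_nonce, server_nonce, self.cert_fp)
        return server_nonce, tag

    def verify(self, user, device_nonce, server_nonce, device_tag):
        expected = _tag(self._users[user], DOMAIN_DEVICE, server_nonce, device_nonce, self.cert_fp)
        return hmac.compare_digest(expected, device_tag)


def run_login(device, site, server, user, observed_cert_fp):
    """Full exchange: device nonce -> server challenge -> device response -> server verdict."""
    d_nonce = device.start_login()
    s_nonce, s_tag = server.challenge(user, d_nonce)
    d_tag = device.answer(site, d_nonce, s_nonce, s_tag, observed_cert_fp)
    return server.verify(user, d_nonce, s_nonce, d_tag)


def enrolled_pair():
    """Constructed setup: one user, one bank, a shared key delivered at enrollment."""
    bank_fp = hashlib.sha256(b"constructed bank certificate").digest()
    key = secrets.token_bytes(32)
    bank = Server(bank_fp)
    bank.enroll("alice", key)
    phone = TrustedDevice()
    phone.setup("bank.example", key, bank_fp)
    return phone, bank, bank_fp


def legitimate_login_succeeds():
    phone, bank, bank_fp = enrolled_pair()
    return run_login(phone, "bank.example", bank, "alice", bank_fp)


def spoofed_site_is_rejected():
    """A look-alike site with its own certificate and a guessed key cannot satisfy the device."""
    phone, _bank, _fp = enrolled_pair()
    fake = Server(hashlib.sha256(b"attacker certificate").digest())
    fake.enroll("alice", secrets.token_bytes(32))
    try:
        run_login(phone, "bank.example", fake, "alice", fake.cert_fp)
    except ValueError:
        return True
    return False


def relayed_challenge_is_rejected():
    """A MitM relaying the real bank's challenge still terminates TLS with its own certificate."""
    phone, bank, _fp = enrolled_pair()
    attacker_fp = hashlib.sha256(b"attacker certificate").digest()
    d_nonce = phone.start_login()
    s_nonce, s_tag = bank.challenge("alice", d_nonce)  # forwarded unchanged by the attacker
    try:
        phone.answer("bank.example", d_nonce, s_nonce, s_tag, attacker_fp)
    except ValueError:
        return True
    return False


def captured_response_cannot_be_replayed():
    """Anything a keylogger or sniffer observes is useless against a fresh challenge."""
    phone, bank, bank_fp = enrolled_pair()
    d_nonce = phone.start_login()
    s_nonce, s_tag = bank.challenge("alice", d_nonce)
    captured = phone.answer("bank.example", d_nonce, s_nonce, s_tag, bank_fp)
    s_nonce2, _ = bank.challenge("alice", d_nonce)
    return not bank.verify("alice", d_nonce, s_nonce2, captured)
```

The user's only job in this exchange is to carry the device; there is no secret to mistype into a spoofed form, and a keylogger on the browser host sees nothing reusable. The "after setup" qualifier in the abstract is load-bearing: the guarantees in `answer` rest entirely on the fingerprint and key pinned during enrollment, so that step must itself happen over a channel the attacker cannot spoof.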


Keywords: Identity Theft; Phishing and Social Engineering; Fraud Prevention; Secure Banking and Financial Web Services




  1.
  2. Adams, A., Sasse, M.A.: Users are not the enemy. Communications of the ACM 42(12), 40–46 (1999)
  3. Anti-Phishing Working Group: Phishing activity trends report
  4. Bluetooth SIG: Bluetooth Technology Benefits
  5. Chou, N., et al.: Client-side defense against web-based identity theft. In: NDSS (February 2004)
  6. CitiBank: Virtual account numbers
  7. Clayton, R.: Who’d phish from the summit of Kilimanjaro? In: Financial Cryptography, pp. 91–92 (2005)
  8. Core Street: SpoofStick
  9. Dhamija, R., Tygar, J.D.: The battle against phishing: Dynamic security skins. In: ACM Symposium on Usable Privacy and Security (SOUPS 2005) (July 2005)
  10. Dhamija, R., Tygar, J.D.: Phish and HIPs: Human interactive proofs to detect phishing attacks. In: Human Interactive Proofs: Second International Workshop (HIP 2005) (2005)
  11. Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246, Internet Engineering Task Force, Proposed Standard (January 1999)
  12.
  13. FDIC: Authentication in an internet banking environment. Technical Report FIL-103-2005, Federal Deposit Insurance Corporation (October 2005)
  14. Freier, A., Karlton, P., Kocher, P.: The SSL protocol: Version 3.0. Internet draft, Netscape Communications (1996)
  15. Genkina, A., Friedman, A., Camp, J.: Net trust. In: Trustworthy Interfaces for Passwords and Personal Information (TIPPI) Workshop (June 2005)
  16. Goth, G.: Phishing attacks rising, but dollar losses down. IEEE Security and Privacy 3(1), 8 (2005)
  17. Haller, N.: The S/Key one-time password system. In: Proceedings of the Symposium on Network and Distributed Systems Security, pp. 151–157 (February 1994)
  18. Herzberg, A., Gbara, A.: TrustBar: Protecting (even naive) web users from spoofing and phishing attacks. Cryptology ePrint Archive, Report 2004/155 (2004)
  19. Jakobsson, M.: Modeling and preventing phishing attacks. In: Financial Cryptography (2005)
  20. Jakobsson, M., Young, A.: Distributed phishing attacks. In: Workshop on Resilient Financial Information Systems (March 2005)
  21. Johanson, E.: The state of homograph attacks (February 2005)
  22. Leyden, J.: Fax-back phishing scam targets PayPal
  23. Leyden, J.: Spear phishers launch targeted attacks
  24. MacKenzie, P., Reiter, M.K.: Networked cryptographic devices resilient to capture. International Journal of Information Security 2(1), 1–20 (2003)
  25. McCune, J.M., Perrig, A., Reiter, M.K.: Seeing is believing: Using camera phones for human-verifiable authentication. In: IEEE Symposium on Security and Privacy (May 2005)
  26. Microsoft: Erroneous VeriSign-issued digital certificates pose spoofing hazard (2001)
  27. Modadugu, N., Boneh, D., Kim, M.: Generating RSA keys on a handheld using an untrusted server. In: RSA Conference 2000 (January 2000)
  28. Myers, S.: Delayed password disclosure. In: Trustworthy Interfaces for Passwords and Personal Information (TIPPI) Workshop (June 2005)
  29. Phishing attack targets one-time passwords
  30. PassMark Security: Protecting your customers from phishing attacks: an introduction to PassMarks (2005)
  31. Roberts, P.F.: Spear phishing attack targets credit unions (December 2005), ,1895,1902896,00.asp
  32. Rohs, M., Gfeller, B.: Using camera-equipped mobile phones for interacting with real-world objects. In: Proceedings of Advances in Pervasive Computing
  33. Ross, B., et al.: Stronger password authentication using browser extensions. In: 14th USENIX Security Symposium (August 2005)
  34. RSA Security: Protecting against phishing by implementing strong two-factor authentication (2004)
  35. Seshadri, A., et al.: Pioneer: Verifying integrity and guaranteeing execution of code on legacy platforms. In: Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), pp. 1–16 (October 2005)
  36. Sophos: Do-it-yourself phishing kits found on the internet, reveals Sophos
  37. Standish, D.: Telephonic youth
  38. The Legion of the Bouncy Castle: Bouncy Castle crypto APIs
  39.
  40.
  41. Wu, M., Garfinkel, S., Miller, R.: Users are not dependable - how to make security indicators to better protect them. Talk presented at the Workshop for Trustworthy Interfaces for Passwords and Personal Information (TIPPI) (June 2005)
  42. Yan, J., et al.: Password memorability and security: Empirical results. IEEE Security and Privacy 2(5), 25–31 (2004)
  43. Ye, E., Smith, S.: Trusted paths for browsers. In: Proceedings of the 11th USENIX Security Symposium (August 2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Bryan Parno (1)
  • Cynthia Kuo (1)
  • Adrian Perrig (1)

  1. Carnegie Mellon University
