Insecure Real-World Authentication Protocols (or Why Phishing Is So Profitable)

  • Richard Clayton
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4631)


The users of online banking systems are currently at risk from “phishing” scams. Confidence tricksters persuade them to visit fraudulent websites and use their authentication credentials to steal from the victims’ accounts. We analyse the authentication protocols used for online banking, find that they are entirely inadequate, and consider how to improve systems design so as to discourage attacks.


Keywords: Authentication Protocol, Security Protocol, Secure Channel, Online Banking, Secure Socket Layer





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Richard Clayton, University of Cambridge, Computer Laboratory, William Gates Building, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom
