September 01, 2006

Anti-Phishing System Developed

Researchers at Carnegie Mellon University's CyLab have come up with an anti-phishing tool that protects users from completing online transactions at fraudulent Web sites.

The research team, led by Adrian Perrig, has created the Phoolproof Phishing Prevention system that protects users against network-based attacks, even when they make mistakes. The security system provides strong mutual authentication between the Web server and users by leveraging a mobile device, such as the user's cell phone or PDA.

The system designed by Perrig and engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if users lose their cell phone, the keys remain secure.
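The flow the article describes, as an added illustration that is neither CyLab's code nor the Phoolproof protocol itself: the `Phone`, `Server` and `login` names are assumed, a shared HMAC secret per account stands in for whatever key the real system uses, and a server identity string stands in for what the browser learns from the site's TLS certificate and reports to the phone.

```python
import hashlib
import hmac
import secrets

# Constructed model: a shared HMAC secret stands in for the per-account key and a
# server identity string stands in for what the browser learns from the TLS certificate.

class Phone:
    """Secure key ring: a bookmark (expected site identity) and a key per account."""
    def __init__(self):
        self._accounts = {}  # account -> (expected server id, secret key)
    def enroll(self, account, server_id):
        key = secrets.token_bytes(32)
        self._accounts[account] = (server_id, key)
        return key  # given to the legitimate site once at enrollment; never exported again

    def bookmark(self, account):
        return self._accounts[account][0]  # the PC opens this site, not a typed or clicked URL

    def respond(self, account, observed_server_id, challenge):
        """Answer a login challenge, bound to the site the PC actually reached."""
        expected, key = self._accounts[account]
        if observed_server_id != expected:
            return None  # the user landed on some other site: refuse to authenticate there
        return hmac.new(key, expected.encode() + challenge, hashlib.sha256).digest()

class Server:
    """The legitimate site: issues fresh challenges and checks responses."""
    def __init__(self, server_id):
        self.server_id, self._keys, self._pending = server_id, {}, set()

    def register(self, account, key):
        self._keys[account] = key

    def challenge(self):
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c

    def verify(self, account, challenge, response):
        if response is None or challenge not in self._pending:
            return False  # phone refused, or a replay of a response captured on the PC
        self._pending.discard(challenge)  # each challenge is answerable once
        mac = hmac.new(self._keys[account], self.server_id.encode() + challenge, hashlib.sha256)
        return hmac.compare_digest(mac.digest(), response)

def login(phone, server, account, observed_server_id):
    """The PC's only role: relay the challenge to the phone and the response back."""
    c = server.challenge()
    return server.verify(account, c, phone.respond(account, observed_server_id, c))
```

A relaying phishing site fails twice over: the phone refuses because the observed identity does not match the bookmark, and even a captured response is useless to malware on the PC because it answers one challenge only.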

Posted by Jon Erickson at 09:24 AM