Researchers create new system to address phishing fraud

Sep 01, 2006

Carnegie Mellon University CyLab researchers have developed a new anti-phishing tool to protect users from online transactions at fraudulent Web sites.

A research team led by Electrical and Computer Engineering Professor Adrian Perrig has created the Phoolproof Phishing Prevention system that protects users against all network-based attacks, even when they make mistakes. The innovative security system provides strong mutual authentication between the Web server and the user by leveraging a mobile device, such as the user's cell phone or PDA.

The system is also designed to be easy for businesses to implement. Perrig, along with engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo, has developed an anti-phishing system that makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if the user loses the cell phone, the keys remain secure.

Driving the need for this new tool is escalating consumer worries over online fraud -- a major barrier for a banking industry seeking to push consumers to do more of their banking online. More than 5 percent of Internet users say they have stopped banking online because of security concerns, up from 1 percent a year ago, according to industry reports.

Complicating the concern for more secure financial sites is a looming deadline for new security guidelines from the Federal Financial Institutions Examination Council (FFIEC), a group of government agencies that sets standards for financial institutions. Last year, the FFIEC set a Dec. 31 deadline for banks to add online security measures beyond just a user name and password. Failure to meet that deadline could result in fines, the FFIEC said.

Source: Carnegie Mellon University

Explore further: Researchers build first working memcomputer prototype

Related Stories

Blacklist warnings spread on websites in North Korea

2 hours ago

North Korea, already one of the least-wired places in the world, appears to be cracking down on the use of the Internet by even the small number of foreigners who can access it with relative freedom by blacklisting ...

Collaboratively exploring virtual worlds

Jun 30, 2015

Today's students are accustomed to highly stimulating and interactive content, whether in the form of video games or mobile apps. As a result, they respond to a higher level of interactivity and engagement ...

New approach to online compatibility

Jun 30, 2015

Many of the online social networks match users with each other based on common keywords and assumed shared interests based on their activity. A new approach that could help users find new friends and contacts with a greater ...

Combining personalization and privacy for user data

Jun 29, 2015

Computer scientists and legal experts from Trinity College Dublin and SFI's ADAPT centre are working to marry two of cyberspace's greatest desires, by simultaneously providing enhanced options for user personalisation alongside ...

Recommended for you

Researchers build first working memcomputer prototype

20 hours ago

(Tech Xplore)—A combined team of researchers from the University of California and Politecnico di Torino in Italy has built, for the first time, a working memory-crunching computer (memcomputer) prototype. ...

EU open source software project receives green light

Jul 01, 2015

An open source software project involving the University of Southampton to extend the capacity of computational mathematics and interactive computing environments has received over seven million euros in EU funding.

Can computers be creative?

Jul 01, 2015

The EU-funded 'What-if Machine' (WHIM) project not only generates fictional storylines but also judges their potential usefulness and appeal. It represents a major advance in the field of computational creativity.

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.