Researchers create new system to address phishing fraud

Sep 01, 2006

Carnegie Mellon University CyLab researchers have developed a new anti-phishing tool to protect users from online transactions at fraudulent Web sites.

A research team led by Electrical and Computer Engineering Professor Adrian Perrig has created the Phoolproof Phishing Prevention system that protects users against all network-based attacks, even when they make mistakes. The innovative security system provides strong mutual authentication between the Web server and the user by leveraging a mobile device, such as the user's cell phone or PDA.

The system is also designed to be easy for businesses to implement. Perrig, along with engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo, has developed an anti-phishing system that makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if the user loses the cell phone, the keys remain secure.

Driving the need for this new tool is escalating consumer worries over online fraud -- a major barrier for a banking industry seeking to push consumers to do more of their banking online. More than 5 percent of Internet users say they have stopped banking online because of security concerns, up from 1 percent a year ago, according to industry reports.

Complicating the concern for more secure financial sites is a looming deadline for new security guidelines from the Federal Financial Institutions Examination Council (FFIEC), a group of government agencies that sets standards for financial institutions. Last year, the FFIEC set a Dec. 31 deadline for banks to add online security measures beyond just a user name and password. Failure to meet that deadline could result in fines, the FFIEC said.

Source: Carnegie Mellon University

Explore further: Powerful new software plug-in detects bugs in spreadsheets

add to favorites email to friend print save as pdf

Related Stories

Team infuses science into 'Minecraft' modification

Oct 24, 2014

The 3-D world of the popular "Minecraft" video game just became more entertaining, perilous and educational, thanks to a comprehensive code modification kit, "Polycraft World," created by University of Texas at Dallas professors, ...

Recommended for you

Researchers developing algorithms to detect fake reviews

Oct 21, 2014

Anyone who has conducted business online—from booking a hotel to buying a book to finding a new dentist or selling their wares—has come across reviews of said products and services. Chances are they've also encountered ...

User comments : 0