Researchers create new system to address phishing fraud

Sep 01, 2006

Carnegie Mellon University CyLab researchers have developed a new anti-phishing tool to protect users from online transactions at fraudulent Web sites.

A research team led by Electrical and Computer Engineering Professor Adrian Perrig has created the Phoolproof Phishing Prevention system that protects users against all network-based attacks, even when they make mistakes. The innovative security system provides strong mutual authentication between the Web server and the user by leveraging a mobile device, such as the user's cell phone or PDA.

The system is also designed to be easy for businesses to implement. Perrig, along with engineering Ph.D. student assistants Bryan Parno and Cynthia Kuo, has developed an anti-phishing system that makes the user's cell phone an active participant in the authentication process to securely communicate with a particular Internet site.

"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision, and protects them even if they manage to make a wrong decision," Perrig said. "Our new anti-phishing system, which operates with the standard secure Web protocol, ensures that the user accesses the Web site they intend to visit, instead of a phishing site posing as a legitimate business. The mobile device acts like an electronic assistant, storing a secure bookmark and a cryptographic key for each of the user's online accounts."

Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions, according to Parno. These special keys are more secure than one-time passwords because the user can't give them away. So, phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.

Since the user's cell phone performs cryptographic operations without revealing the secret key to the user's computer, the system also defends against keyloggers and other malicious software on the user's computer. Even if the user loses the cell phone, the keys remain secure.

Driving the need for this new tool is escalating consumer worries over online fraud -- a major barrier for a banking industry seeking to push consumers to do more of their banking online. More than 5 percent of Internet users say they have stopped banking online because of security concerns, up from 1 percent a year ago, according to industry reports.

Complicating the concern for more secure financial sites is a looming deadline for new security guidelines from the Federal Financial Institutions Examination Council (FFIEC), a group of government agencies that sets standards for financial institutions. Last year, the FFIEC set a Dec. 31 deadline for banks to add online security measures beyond just a user name and password. Failure to meet that deadline could result in fines, the FFIEC said.

Source: Carnegie Mellon University

Explore further: Fighting the next generation of cyberattacks

Related Stories

Mass beaching fuels 'unscientific' Japan quake fears

6 hours ago

The mass beaching of more than 150 melon-headed whales on Japan's shores has fuelled fears of a repeat of a seemingly unrelated event in the country—the devastating 2011 undersea earthquake that killed ...

Apple Watch's worldwide preview kicks off

Apr 10, 2015

Japanese tech fans got their first look Friday at the Apple Watch, with would-be early buyers queuing for a "trial fitting" in Tokyo's chic Omotesando area.

BitTorrent and the digital fingerprints we leave behind

Apr 10, 2015

The Dallas Buyers Club LLC v iiNet Limited piracy court case raises many questions about what sort of trail people leave when they use technology to make illegal copies of movies and other copyrighted mater ...

Smartphones boost US teens' connections

Apr 09, 2015

It's not just your imagination: most American teenagers are online or on their smartphones every day, and many are almost continually connected.

Apple Watch isn't the only gadget out this week

Apr 09, 2015

The public will have its first chance to see, touch and buy the Apple Watch on Friday, as Apple stores in the U.S. and eight markets abroad start previews and online orders commence.

Recommended for you

Fighting the next generation of cyberattacks

Apr 16, 2015

The next generation of cyberattacks will be more sophisticated, more difficult to detect and more capable of wreaking untold damage on the nation's computer systems.

Algorithm able to identify online trolls

Apr 14, 2015

A trio of researchers, two from Cornell the other from Stanford has developed a computer algorithm that is capable of identifying antisocial behavior as demonstrated in website comment sections. In their ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.