Phoolproof Phishing Prevention

Phishing, or web spoofing, is a growing problem: the Anti-Phishing Working Group (APWG) received almost 14,000 unique phishing reports in August 2005, a 56% jump over the number of reports in December 2004. For financial institutions, phishing is a particularly insidious problem, since trust forms the foundation for customer relationships, and phishing attacks undermine confidence in an institution. Phishing attacks succeed by exploiting a user’s inability to distinguish legitimate sites from spoofed sites. Prior research focuses on assisting the user in making this distinction, but they require the user to make the right security decision every time. A single mistake results in a total compromise of the user’s online account. Unfortunately, humans are ill-suited for performing the security checks necessary for secure authentication. Fundamentally, users should be authenticated using information that they cannot readily reveal to malicious parties. Our system eliminates reliance on perfect user behavior and protects a user’s account even in the presence of keyloggers and other forms of spyware. We demonstrate the practicality of our system with a working prototype. Ultimately, placing less reliance on the user during the authentication process will enhance security and eliminate many forms of fraud.