Visual security is feeble for anti-phishing
#1



Chun-Ming Leung
Department of Information Engineering
The Chinese University of Hong Kong



ABSTRACT

To address recent online banking threats, the banking industry offers several solutions for a safe online banking experience; however, those solutions may not ultimately secure users against the rising threats. The main challenges are how to enable safe online banking on a compromised host, and how to solve the general ignorance of security warnings. CAPTCHA is primarily used to prevent automated bot logins; a CAPTCHA-based application can also provide secure PIN input against keyloggers and mouse-loggers for a bank's customers. Assuming in our model that users are always unconscious of security warnings, we have designed a series of attacks and defenses under this interesting condition. In this work, we start by formalizing a security defense utilizing CAPTCHA and analyzing its limitations. Then, we attack a local bank employing a CAPTCHA solution, and we show how it can be bypassed through a vulnerability in its implementation. We further introduce the control-relaying man-in-the-middle (CR-MITM) attack, a remote attack, much like a remote terminal service, that can capture and relay user inputs without the assistance of a local Trojan, and which could possibly defeat CAPTCHA phishing protection in the future. Under our model, we conclude that visual security defense alone is feeble for anti-phishing.



INTRODUCTION
Since the term phishing was first recorded in 1996, when it referred to hunting for free AOL accounts, phishing has shown an increasing tendency over the years. It then evolved quickly into financial fraud, as criminals always aim for high yield. Luckily, with the pursuit of online banking, the banking industry is always motivated to play a leading role in fighting the phishing threat. However, the reported loss to Internet crime such as phishing has broken its record each year, reaching up to US$239 Million lost in 2007. This tells us that we are still looking for a better solution.
To confirm that a destination is what it claims to be, the most trustworthy technique is the use of a Digital Certificate, which binds a public key together with an identity. The banking industry started to implement Digital Certificates in 2002; however, this trustworthy solution is always ignored by users. In an incident at HSBC on 4th March 2008, one of the world's biggest banks forgot to renew its Digital Certificate, but it claimed that online banking for its customers was still not affected. We can imagine how many users ignored the warning of an invalid Digital Certificate and did their online banking as usual that day.

Notice that the Digital Certificate solution is a one-way authentication of the bank; customers rarely have their own Digital Certificates. Obviously, the identity of the customer is still threatened by identity theft (e.g. a keylogger on an infected machine), as it has been since the early days.
In 2005, Secure Token, a One-Time-Password (OTP) based two-factor authentication solution, was delivered to bank customers to fight against keyloggers and phishing. With the worldwide encouragement of two-factor authentication in the same year, phishing techniques were also evolving: Secure Token was found vulnerable to the Real-Time Man-In-The-Middle (RT-MITM) attack[6] in 2005. We will describe the fall of Secure Token to RT-MITM in a later section.

Besides authenticating the user, there is also a need to authenticate the bank. Bank of America (BoA) tried to take a leading role in fighting phishing. In 2005, BoA first rolled out SiteKey, which was originally invented by RSA lab, to address the issue. However, it was doubted whether SiteKey could achieve its target, since it obviously risks suffering from MITM attack.

Recently, the idea of Human Interactive Proof (HIP) has been used to fight against phishing. There is a CAPTCHA application used in online banking[1]; however, the application may not achieve its initial goal when facing the rising threat of phishing techniques such as RT-MITM.



for more:
http://ieeexplore.ieeeXplore/login.jsp?u...ision=-203




#2
Can you please provide the base paper and related papers for the topic "Visual security is feeble for anti-phishing"?
#3
Hey, can you please send me the full report for the seminar topic: "CAPTCHA security for Phishing: Secure or not?"
Kindly mail me as soon as possible.
#4
help meeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
#5
plz send me seminar report on topic CAPTCHA security for Phishing: Secure or not? on my mail pthengane[at]yahoo.com
#6
To get information about the topic "captcha security in phishing technology", full report, ppt and related topics, refer to the page links below:

http://studentbank.in/report-captcha-sec...e=threaded

http://studentbank.in/report-visual-secu...i-phishing
