THE WEB IDENTITY PREVENTION: FACTORS TO CONSIDER IN THE ANTI-PHISHING DESIGN

MITESH BARGADIYA*

* PG Research Group (M.Tech IV Sem), IT-Department, RGPV Technocrats Institute of Technology (TIT), Bhopal (M.P.) INDIA

miteshbargadiya@gmail.com

Vijay Chaudhari, Mohd. Ilyas Khan, Bhupendra Verma PG Research Group, IT-Department, RGPV

Technocrats Institute of Technology (TIT), Bhopal (M.P.) INDIA

vijay_ashish@yahoo.com, mikbpl_2003@yahoo.co.in, bk_verma3@rediffmail.com

Abstract:

Phishing is the fraudulent process of attempting to acquire sensitive information such as user names, passwords and financial credentials by masquerading as a trustworthy entity in a communication. Phishing normally starts with e-mail or bulk messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

We discuss a few factors that can be used in web identity theft prevention, such as evaluation of user psychology and educational efforts; source identification, URLs, certification authorities, mutual authentication, client- and server-side security, and recognition of phishing messages.

Key words: Phishing, Threats, Mutual Authentication, Certification Authority, PKI.

1. Introduction

The phishing problem has drawn a lot of attention from both academic and industrial researchers. Early phishing techniques were very simple: the phisher just downloaded the web pages of a legitimate site, or built a site that looked like the original. As anti-phishing techniques evolved, users became progressively more aware of and alert to such scams; many users learned to check the SSL lock icon and the domain name in the address bar. However, phishers keep adopting more sophisticated tactics to circumvent detection and user suspicion, doing their best to make both the web links and the content of their pages look like the original, and a variety of more complicated and harder-to-detect phishing techniques are now in use. By 1996, hacked accounts were being called "phish", and by 1997 phish were actually traded between hackers as a form of currency.

Some particulars of phishing attacks:

• Number of unique phishing e-mail reports received by APWG from consumers in 2009: October 33,254; November 30,490; December 28,897 [1].

• Number of unique phishing web sites detected in 2009: October 46,522; November 44,907; December 46,190 [1].

• Number of brands hijacked by phishing campaigns in 2009: October 356; November 306; December 249 [1].

• In the United Kingdom, losses from web banking fraud, mostly from phishing, almost doubled to £23.2m in 2005 from £12.2m in 2004 [2].

It should be noted that for the last few years the Financial Services category has remained in first position among the most targeted industry sectors, ever since APWG began tracking the proportions of phishing attacks, but in the first two quarters of 2009 the Payment Services category ranked first [1]. Phishing attacks now target users of online banking, payment services such as PayPal, and online e-commerce sites, and they are growing quickly in number and sophistication.

There are a number of reasons to understand what clients will find genuine. First, it is crucial for service providers to know their own susceptibility in order to evaluate their exposure to risk and the related liability. Second, knowing what the vulnerabilities are translates into knowing where attacks are likely to come from; this allows appropriate technical security measures to be installed to detect and defend against the attacks of concern. It also allows a proactive approach in which the predictable vulnerabilities are reduced by the selection and deployment of proper e-mail and web page patterns, and by the use of proper interface protocols. Finally, there are reasons why understanding the client matters that are not directly related to protection. If legitimate messages mimic the methods used by phishers, there is a risk that clients wrongly classify genuine messages as attempts to attack them. Individuals who are aware of the possible consequences may reach conclusions that make communication easier. And while theoretically well educated, experts may make the mistake of assuming that the security procedures that succeed in defending them are enough to defend normal clients.

2. Types of Phishing Attacks

Various phishing attacks are discussed by many researchers [4] [5] [6] [7]; here we discuss some of them.

2.1 Deceptive phishing

In deceptive phishing, a broadcast e-mail message asks for user ID confirmation, a personal profile update, enrolment in a new scheme, free membership, etc.; the phisher prompts the user to visit a fake web page and collects the personal information entered there [8].

2.2 Malware-based phishing

Malware-based phishing refers to scams that run malicious software on the user's computer. The malware can be bundled with free downloadable software or delivered as an e-mail attachment [9].

2.3 DNS-based phishing

Generally known as pharming: the phisher modifies the domain name system so that a request for a genuine URL resolves to a counterfeit address, and the client is redirected to a fake website.

2.4 Content-injection phishing

Content-injection phishing describes the situation where the phisher replaces part of the content of a genuine website with bogus content intended to deceive the user.

2.5 Man-in-the-middle phishing

In these attacks the phisher places itself between the user and the genuine website. It relays the communication, forwarding information from the user to the website and vice versa, while recording everything that passes through.

2.6 Search engine phishing.

In search engine phishing, phishers create websites and list them legitimately with search engines [10]. When a user searches for the site, the search engine shows the mimic page alongside the genuine pages, and it is quite possible that the user gives personal information to the phisher.

2.7 URL attacks

Redirected links: "redirects" that convert a reference to one URL into a different URL are commonly used in web programming. An open redirect can be used to forward to an arbitrary location; phishers use this to present a legitimate-looking URL that redirects to their site.

Obfuscated links: URLs can contain encoded characters that hide the meaning of the URL. This is commonly used in combination with other types of links, for example to obscure the target of a cloaked or redirected link.

Map links: a link can be embedded within an HTML "image map" that refers to a legitimate-looking URL. However, the actual location to which a click within the image map directs the browser is not displayed to the user [10].
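The three link tricks above can be caught mechanically before a user ever sees the message. The following is an added example, not code from the paper: it parses a constructed HTML mail body with Python's standard library, pulls out every anchor and image-map click target, percent-decodes the href, looks for query parameters that carry a second URL (the open-redirect pattern), and compares the host in the visible link text with the host the href actually goes to. The hosts, paths and the message itself are made up for the example.

```python
"""Inspect the click targets in an HTML mail body for the URL tricks of section 2.7.
Added example; the message below is constructed for it, the hosts are not real sites."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_HTML = """
<p>Dear customer, please <a href="https://acmebank.example/login">log in</a>.</p>
<p>Open redirect: <a href="https://acmebank.example/go?next=http://acmebank-secure.test/steal">https://acmebank.example/account</a></p>
<p>Encoded path: <a href="https://acmebank.example/%2e%2e/%61ccount">click here</a></p>
<p>Text and target differ: <a href="http://acmebank.example.login-verify.test/">https://acmebank.example/secure</a></p>
<img src="logo.png" usemap="#m">
<map name="m"><area shape="rect" coords="0,0,100,40" href="http://203.0.113.5/acmebank/"></map>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text, kind) for every <a href> and <area href>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open_anchor = None  # [href, accumulated text] while inside <a> ... </a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._open_anchor = [attrs["href"], ""]
        elif tag == "area" and attrs.get("href"):
            self.links.append((attrs["href"], "", "image-map"))

    def handle_data(self, data):
        if self._open_anchor is not None:
            self._open_anchor[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open_anchor is not None:
            href, text = self._open_anchor
            self.links.append((href, text.strip(), "anchor"))
            self._open_anchor = None


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if the string is not a URL."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def analyze_link(href: str, text: str, kind: str) -> list:
    """Warnings for one link; an empty list means nothing in section 2.7 applies."""
    warnings = []
    decoded = unquote(href)
    if decoded != href:                       # obfuscated link: percent-encoding hides the path
        warnings.append(f"obfuscated: decodes to {decoded}")
    for key, value in parse_qsl(urlsplit(href).query):
        if host_of(value):                    # redirected link: a parameter carries another URL
            warnings.append(f"redirect: parameter '{key}' forwards to {host_of(value)}")
    if host_of(text) and host_of(text) != host_of(href):
        warnings.append(f"mismatch: text shows {host_of(text)}, href goes to {host_of(href)}")
    if host_of(href).replace(".", "").isdigit():
        warnings.append(f"raw IP address as host: {host_of(href)}")
    if kind == "image-map":                   # map link: the destination is never shown
        warnings.append("image-map: destination hidden from the user")
    return warnings


def analyze_html(html: str) -> dict:
    """Map each click target in the body to its list of warnings."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: analyze_link(href, text, kind) for href, text, kind in collector.links}


if __name__ == "__main__":
    for href, warnings in analyze_html(SAMPLE_HTML).items():
        print(href, "->", warnings or "ok")
```

Only the first link comes back clean. The redirect check is deliberately crude (any parameter value with a host) because a phisher can name the parameter anything; the mismatch check is the one users are supposed to do by hovering, and the image-map case is flagged unconditionally because there is nothing to hover over.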

3. Factors to consider in Anti-Phishing Design

When we look at user behaviour, it is important to note that users generally trust their habits and give little importance to warning messages, security icons or symbols. Here we discuss some common factors that may affect the design of an anti-phishing system.

3.1 Misleading E-mails

Such e-mails have common subjects such as "Congratulations, you are the winner of a jackpot / lottery", "Financial organization X wants to confirm your user details for improved security", "Bank X offers you some facility free of charge", etc., and prompt the user to click the given hyperlink. These mimic hyperlinks redirect the user to a fake website; the main motive behind this kind of mail is to gather personal information. If users pay attention to the spelling, grammar, subject, appearance of the e-mail, signing authority, designation of that authority and purpose of the e-mail, they can easily judge its legitimacy [7].

3.2 Source Identification

Generally, users never pay attention to the URL or to the e-mail address from which a communication comes. Phishers use mimic addresses, DNS spoofing and IP spoofing to mislead and redirect the naive user and prompt them to provide personal information.
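A check on the source is straightforward to automate, and it is precisely the check users skip. The code below is an added example (not from the paper) that looks past the display name of a From: header to the real address and classifies its domain, or a link's host, against an assumed allow-list of the organisation's own domains: exact or subdomain matches are legitimate, while names that embed or nearly spell the brand after undoing common character substitutions (rn for m, 1 for l, 0 for o) are flagged as look-alikes. The allow-list, brand name and headers are constructed for the example, and the two-label notion of a registrable domain is a simplification; real tooling should consult the public suffix list.

```python
"""Source identification: who really sent this, and where does the link really go?
Added example; the allow-list and sample headers below are constructed for it."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the organisation actually sends from / hosts on (assumed for this example).
LEGITIMATE_DOMAINS = {"acmebank.example", "mail.acmebank.example"}

# Substitutions phishers use to imitate letters; undone before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s")]


def skeleton(text: str) -> str:
    """Lower-case and undo look-alike substitutions so 'acrnebank' compares as 'acmebank'."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def registrable(domain: str) -> str:
    """Last two labels ('login.acmebank.example' -> 'acmebank.example').
    Assumption: two-label suffixes only; real tooling should use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def brand_tokens() -> set:
    """The distinctive first label of each allowed registrable domain, e.g. 'acmebank'."""
    return {registrable(d).split(".")[0] for d in LEGITIMATE_DOMAINS}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (catches one-letter typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'legitimate' (allow-listed or a subdomain of one), 'lookalike' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if not domain:
        return "unrelated"
    allowed_reg = {registrable(d) for d in LEGITIMATE_DOMAINS}
    if domain in LEGITIMATE_DOMAINS or registrable(domain) in allowed_reg:
        return "legitimate"
    sk = skeleton(domain)
    first_label = skeleton(registrable(domain).split(".")[0])
    for brand in brand_tokens():
        # Brand embedded anywhere: acmebank.example.login.test, acmebank-secure.test, acrnebank.example
        if brand in sk:
            return "lookalike"
        # One edit away from the brand in the registrable label: acmebnk.test
        if edit_distance(first_label, brand) <= 1:
            return "lookalike"
    return "unrelated"


def check_sender(from_header: str) -> dict:
    """Look past the display name at the real address and its domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    claims_brand = any(b in skeleton(name.replace(" ", "")) for b in brand_tokens())
    return {"address": addr, "domain": domain, "verdict": classify_domain(domain),
            "display_name_claims_brand": claims_brand}


def check_url(url: str) -> str:
    """Classify the host of a link the same way."""
    return classify_domain(urlsplit(url).hostname or "")


if __name__ == "__main__":
    for hdr in ["Acme Bank <alerts@mail.acmebank.example>",
                "Acme Bank <security@acrnebank.example>",
                "Acme Bank Support <noreply@secure-mail.test>"]:
        print(hdr, "->", check_sender(hdr))
```

The third sample header is the common case the paper describes: an unrelated mailbox behind a display name that claims the brand, which a mail client renders as just "Acme Bank Support". Treating a non-legitimate domain together with a brand-claiming display name as a hard failure is the rule worth enforcing at the gateway.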

3.3 Browser Vulnerability

The browser plays an important role in client-server communication. Many browsers provide security features such as instant web site identification, private browsing, anti-malware and anti-virus integration, anti-phishing filters, outdated plug-in detection, customized security settings, a password manager and add-ons, and they allow security toolbars that protect the user's communication. If the user understands the security settings of the respective browser and uses them effectively, it is hard for the phisher to spoof the user.

3.4 Authentication Techniques:

An authentication technique is a procedure whose purpose is to verify an individual's identity so that the parties can communicate securely. Many different authentication protocols are available, such as the Challenge-Handshake Authentication Protocol, challenge-response authentication mechanisms, the Extensible Authentication Protocol (EAP), the Host Identity Protocol (HIP), Kerberos [17], password-authenticated key agreement protocols, the Password Authentication Protocol and the Protected Extensible Authentication Protocol. These protocols have limitations because many types of phishing attack exist, and phishers are now equipped with high computational capability, which challenges the system designer.

3.5 Client Knowledge


3.6 Confidence in online services

A company's susceptibility may increase the risk of losing consumer confidence in online transactions, and this also affects other companies whose business is conducted online [11].

3.7 Specially Designed Cookies

A cookie is a piece of text that a web server can store on a user's hard disk. Cookies allow a web site to store information on the user's machine and later retrieve it. Cookies can store a wide range of information, including personal information such as user name, address, age, gender, date of birth, e-mail address or telephone number. However, this information should only be stored with the user's permission. A phisher may use such cookies to steal personal information from the user.

3.8 General Practice and Behavior

If users are not well educated, their informal training plays an important role: they follow the instructions they were once given, unchanged, over a long period of time. New security messages and features are useless in such cases; users simply ignore the security warnings and continue the communication. This behaviour helps the phisher and challenges the system designer.

4. Managing the Factors

We discuss some approaches that are expected to be practical for mitigating phishing attacks; this is not a complete list of defenses, but rather a selection intended to demonstrate some potentially useful approaches.

4.1 Public-key infrastructure:

A public-key infrastructure is the set of hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digital certificates based on asymmetric cryptography, or public-key encryption [23]. In public-key cryptography, encryption and decryption are done with a mathematically related pair of keys [12]. One key is available to all and is known as the public key; the other is kept private and is known as the private key. The most visible function of a public-key encryption system is confidentiality, as used in electronic mail systems [13] and in applications where a signature is verified by many readers [14]. Using public-key cryptography we can perform encryption, decryption, authentication, non-repudiation, etc., for secure communication.

4.2 Digital Signature

A digital signature is an electronic mark that can be used to validate the identity of the sender of a communication and to guarantee that the original content of the message or document that was sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to guarantee that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message so that the recipient can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority, so that anyone can verify that the certificate is genuine [15].

4.3 Authentications

Authentication can be done in many ways; some of those relevant to designing an anti-phishing system are presented here.

One-time passwords were developed to avoid the drawbacks of normal passwords. There are two types of one-time password: challenge-response passwords and password lists. In a challenge-response scheme, the system answers with a challenge value after receiving a user identifier; the response is then either calculated from the challenge value or selected from a table based on the challenge. A one-time password list makes use of a list of passwords that are used sequentially by the person wanting to access the system [16].

Mutual authentication refers to the client and server verifying each other: the client authenticates itself to the server and the server authenticates itself to the client, in such a way that each is assured of the other's identity.
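Both ideas above, the one-time password list and mutual challenge-response, are short enough to show working. The block below is an added example and not code from the paper: the password list is a SHA-256 hash chain in the style of Lamport / S/KEY, where the server stores only one hash and a captured password cannot be replayed because the next acceptable password is its preimage; the challenge-response part uses an HMAC over a fresh nonce with a key shared at enrolment, run in both directions so that a phishing server which does not hold the key fails the client's check. Seeds, keys and party names are constructed for the example.

```python
"""One-time password list (hash chain) and HMAC-based mutual challenge-response.
Added example; seeds, keys and party names below are constructed for it."""
import hashlib
import hmac
import os


def make_otp_chain(seed: bytes, length: int) -> list:
    """Build p1..pN with p(i+1) = SHA-256(p(i)). The client keeps the list and spends
    it from the end backwards; the server is registered with the last value only."""
    chain = []
    current = hashlib.sha256(seed).digest()
    for _ in range(length):
        chain.append(current)
        current = hashlib.sha256(current).digest()
    return chain


class OtpServer:
    """Stores one hash. A password is accepted only if it hashes to the stored value,
    and is then stored itself, so a captured password is useless for replay: the
    next acceptable password is its preimage, which the phisher cannot compute."""

    def __init__(self, registered: bytes):
        self.expected = registered

    def login(self, presented: bytes) -> bool:
        if hmac.compare_digest(hashlib.sha256(presented).digest(), self.expected):
            self.expected = presented
            return True
        return False


def response(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """HMAC over role || challenge; the role tag stops a reflected answer from being valid."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class Party:
    """A client or server holding the key shared at enrolment."""

    def __init__(self, role: bytes, key: bytes):
        self.role, self.key = role, key

    def nonce(self) -> bytes:
        return os.urandom(16)

    def answer(self, challenge: bytes) -> bytes:
        return response(self.key, self.role, challenge)

    def verify(self, peer_role: bytes, challenge: bytes, answer: bytes) -> bool:
        return hmac.compare_digest(response(self.key, peer_role, challenge), answer)


def mutual_authenticate(client: Party, server: Party) -> tuple:
    """Each side challenges the other with a fresh nonce. Returns
    (server verified by client, client verified by server)."""
    c_nonce, s_nonce = client.nonce(), server.nonce()
    server_ok = client.verify(server.role, c_nonce, server.answer(c_nonce))
    client_ok = server.verify(client.role, s_nonce, client.answer(s_nonce))
    return server_ok, client_ok


if __name__ == "__main__":
    chain = make_otp_chain(b"constructed-seed", 5)
    srv = OtpServer(chain[-1])
    print("first login:", srv.login(chain[-2]), "replay:", srv.login(chain[-2]))
    print("genuine server:", mutual_authenticate(Party(b"client", b"k"), Party(b"server", b"k")))
    print("phishing server:", mutual_authenticate(Party(b"client", b"k"), Party(b"server", b"x")))
```

In a real protocol the client would refuse to send its own answer until the server's answer checks out, which is what turns mutual authentication into an anti-phishing control: the credential is never released to a party that has not first proved it holds the key. The HMAC answers also reveal nothing about the key, unlike a password typed into a look-alike form.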

4.4 HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is the combination of the Hypertext Transfer Protocol with the SSL/TLS protocol, providing encryption and secure identification of the server. Plain HTTP communication is considered less trustworthy and may be intercepted by a malicious party on the communication channel. An HTTPS connection is considered more secure: the browser displays a lock icon at a fixed location such as the address bar, and the user may also inspect the SSL certificate, which is issued after a trusted third party, the certification authority, has verified the site's information. A web address that starts with https gives the customer confidence that they are using a secure web site [18]. Note, however, that the lock only attests that the connection is encrypted and that the certificate matches the domain shown in the address bar; a phisher can obtain a valid certificate for a look-alike domain of their own, so the domain name itself must still be read.
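The public-key, digital-signature and certificate mechanism of sections 4.1, 4.2 and 4.4, worked through in code. This is an added example, not part of the original paper: it uses textbook RSA (no padding, fixed small Mersenne primes) so that signing, verification and a CA-issued certificate fit in a few lines; the host names, nonce and key sizes are assumptions for illustration, and a real deployment uses a vetted TLS library. The `client_checks` function is what the lock icon summarises: the certificate must carry a valid CA signature, its subject must equal the host actually visited, and the server must prove possession of the certified private key.

```python
"""Digital signatures and a CA-signed certificate, the mechanism behind HTTPS server
identification. Added example using textbook RSA over fixed Mersenne primes: no padding,
trivially factorable moduli, for illustrating the mechanism only. Names and nonces are constructed."""
import hashlib
import json

E = 65537


def keypair(p: int, q: int) -> tuple:
    """Textbook RSA: returns (public (n, e), private (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(message: bytes, n: int) -> int:
    """SHA-256 of the message reduced into the signature group."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def encode(body: dict) -> bytes:
    """Canonical bytes for the certificate body so signer and verifier hash the same thing."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private: tuple, subject: str, subject_public: tuple) -> dict:
    """The CA binds a host name to a public key by signing both together."""
    body = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    return {"body": body, "sig": sign(ca_private, encode(body))}


def certificate_valid(cert: dict, ca_public: tuple, visited_host: str) -> bool:
    """The browser's check: CA signature verifies AND the name matches the host actually visited."""
    return (verify(ca_public, encode(cert["body"]), cert["sig"])
            and cert["body"]["subject"] == visited_host)


def client_checks(cert: dict, ca_public: tuple, visited_host: str, nonce: bytes, proof: int) -> bool:
    """Accept the server only if its certificate is valid for this host and it can sign our
    fresh nonce with the certified key (a copied certificate alone is not enough)."""
    if not certificate_valid(cert, ca_public, visited_host):
        return False
    return verify((cert["body"]["n"], cert["body"]["e"]), nonce, proof)


# Fixed Mersenne primes 2^k - 1 (k = 61, 89, 107, 127, 521, 607): demo keys, not secure ones.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
SERVER_PUB, SERVER_PRIV = keypair(2**61 - 1, 2**89 - 1)
PHISHER_PUB, PHISHER_PRIV = keypair(2**521 - 1, 2**607 - 1)

if __name__ == "__main__":
    cert = issue_certificate(CA_PRIV, "acmebank.example", SERVER_PUB)
    nonce = b"constructed-nonce"
    print("genuine server:", client_checks(cert, CA_PUB, "acmebank.example", nonce, sign(SERVER_PRIV, nonce)))
    print("copied cert, wrong key:", client_checks(cert, CA_PUB, "acmebank.example", nonce, sign(PHISHER_PRIV, nonce)))
```

Two of the cases in the test are the ones a phisher actually faces: a copied certificate is useless without the private key, and a self-issued certificate for acmebank.example fails the CA signature check. The third case is the limit of the mechanism: a certificate the CA legitimately issued for acmebank-login.test passes every check when the user visits acmebank-login.test, which is why the domain in the address bar must still be read.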

4.5 Education & Training to Client:

From the above discussion some remarkable facts come to light. When we try to solve the phishing problem with advanced technology and new protocols, the complexity of the system increases and places a high burden on the inexperienced computer user. To address phishing and other Internet-related crimes, the best way is to educate the user appropriately, and this can be accomplished in a simple manner. Before providing a login ID, we should give formal training and a security drill to the client, followed by a security test; if the client passes the test the user ID is issued, otherwise the process is repeated.

5. Client & Server Side Security

To achieve the security goals, both the client and server ends must be well equipped. On the client side, tools such as spam filters, anti-phishing toolbars and anti-malware programs are available.

• Spam filter: a spam filter is a program used to identify bulk and unwanted e-mail and prevent it from reaching the inbox. More sophisticated filters attempt to identify spam through suspicious word patterns or word frequency [19].

• Anti-malware programs: anti-malware software can be used to detect and remove malware from a computer [20]. It can provide real-time protection against malware.

• Anti-phishing toolbars: anti-phishing toolbars are used to detect phishing attacks and to provide protection against phishing; such toolbars are built from various anti-phishing techniques such as black and white lists, URL checking methods, and certificate checking and validation [21].

On the server side, the Internet service provider and domain name owner should maintain two lists, a black list and a white list. When a user requests a URL it is first checked against the lists; if the URL is found in the white list the user is allowed to communicate with the site, otherwise the request is blocked [22].

From the above discussion we can make some common recommendations on general practice and behaviour:

• Never use trial-and-error methods to find a URL.

• Always use the officially provided URL, e-mail address and telephone / fax number.

• Always use standard, secure search engines for Internet surfing.

• Never give out personal information on the Internet.

• Never click a URL presented in an e-mail.

• Never reply to or open unknown, bogus or spoofed mail.

• Always use genuine software; pirated software may contain malicious programs.

• Always pay attention to security messages and warnings.

• Organizations must provide communication policies and security training to the customer before giving them a user ID or password.

• If you are the victim of any Internet-related fraud, report it to the concerned authority as soon as possible and make the system safe for others.

6. Conclusion

Two kinds of factor have emerged from the discussion. The first is "client education and behaviour", which covers common user behaviour such as looking only at simple URLs, judging legitimacy by spelling and design, personalization, ignoring security icons, and lack of awareness and proper training. The second is the "anti-phishing approach", under which public-key infrastructure, communication protocols, digital signatures, authentication, certification authorities, and education and training of the client were discussed.

To validate information from an authenticated server, the client should only need to perform a simple operation to authenticate the server, and vice versa. Furthermore, the use of secure URLs, third-party authorization, mutual authentication, client- and server-side security, recognition of phishing messages, etc., must place a high burden of effort on the phisher. Finally, we must design schemes that place a low burden on the client in terms of effort, memory, education and time.

References

[1] http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf

[2] Finextra, March 7, 2006. www.finextra.com/fullstory.asp?id=15013

[3] T. McCall, December 17, 2007. http://www.gartner.com/it/page.jsp?id=565125

[4] M. Jakobsson and A. Tsow, "Making Takedown Difficult," in Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, M. Jakobsson and S. A. Myers (eds.), ISBN 0-471-78245-9, hardcover, 739 pages, December 2006.

[5] R. Dhamija and J. D. Tygar, Proceedings of the 2005 Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, pp. 77-88, 2005, ISBN 1-59593-178-3.

[6] R. Dhamija, J. D. Tygar and M. Hearst, "Why Phishing Works," in Proceedings of the Conference on Human Factors in Computing Systems (CHI 2006), 2006.

[7] M. Jakobsson, "The Human Factor in Phishing," in Privacy & Security of Consumer Information '07. http://www.informatics.indiana.edu/markus/papers/aci.pdf

[8] H. Huang, J. Tan and L. Liu, "Countermeasure Techniques for Deceptive Phishing Attack," International Conference on New Trends in Information and Service Science (NISS '09), June 2009.

[9] http://www.symantec.com/business/resources/articles/article.jsp?aid=phishers_targeting_the_government

[10] www.antiphishing.org/Phishing-dhs-report.pdf

[11] http://www.antiphishing.org/reports/200603_NCL_Phishing_Report.pdf

[12] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, 22(6):644-654, November 1976.

[13] S. T. Kent, "Internet privacy enhanced mail," Communications of the ACM, 36(8):48-60, August 1993.

[14] R. K. Smart, "The X.509 extended file system," in Proceedings of the ISOC Symposium on Network and Distributed System Security, February 1994.

[15] http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211953,00.html

[16] B. Schneier, Applied Cryptography, Second Edition: Protocols, Algorithms and Source Code in C, John Wiley & Sons, 1996.

[17] http://web.mit.edu/Kerberos/

[18] http://glowvirtual.com/faqs/definitions.html

[19] http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci931766,00.html

[20] http://technet.microsoft.com/enus/library/dd632948.aspx

[21] www.antiphishing.org/reports/phishing-sfectf-report.pdf

[22] The National Consumers League, Washington, DC, 2006. http://siteresources.worldbank.org/INTESEF/Publications/20878516/phishingreport.pdf
