1st USENIX Workshop on Hot Topics in Security
Pp. 711 of the Proceedings
Password Rescue: A New Approach to Phishing Prevention
Dinei Florêncio and Cormac Herley,
A phishing attack exploits both the enormous scale of the web and the fact that users are often enormously confused about what they can trust. Scale allows the phisher to get many responses to his attack, even though the probability of any given user responding is low (it costs the phisher no more to send a million emails than to send one). The enormous confusion about trust allows the phisher make a copy of a bank web-site look as trustworthy to the victim as the original. Previous approaches to this problem have tried to solve the problem by preventing useful information leaking to the phisher; for example by alerting the user to suspicious or low reputation sites. Generally this is done at the client (typically in a browser plugin or add-on).
We propose a scheme that in several respects is a radical departure from previous approaches. First, we make no attempt to prevent information leakage. Rather, we try to detect and then rescue users from the consequences of bad trust decisions. Second, we harness scale against the attacker instead of trying to solve the problem at each client. Thus our scheme increases in efficacy with the scale of deployment: it offers very little protection if a small fraction of users participate, but makes phishing almost impossible as the deployment increases. Finally, we make clear that small trials of our system would prove little. The scale requirements of Password Rescue make it suitable for large deployment or not at all. HotSec seems like the best forum for such ideas.
- View the full text of this paper in PDF.
Until July 2007, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.