Introduction
Online presence of financial and business institutions
Theft of confidential information leading to direct or indirect loss to the user
Increase in the rate of thefts by hacking, phishing, spyware, etc.
PHISHING
Tricks the unsuspecting users
Makes them reveal confidential information
The phisher impersonates the user for his advantage
Types of Phishing
Deceptive Phishing
The most common vector is email
Phisher sends deceptive email in bulk that demands the recipient to click on a link
The web site to which the user is directed collects the users' confidential information
Figure: deceptive phishing flow: email with a link leads the user to the phishing site, which collects the username and password into the phisher's database
Types of Phishing (contd.)
Malware attacks
Key Loggers
Session Hijackers
Web Trojans
Data Theft
DNS-based attacks or Pharming
Users cannot reliably identify fake sites
Captured password can be used at target site
Major problem to financial institutions' online presence
Figure: the user sends pwdA to Bank A; the same pwdA entered at a Fake Site equals the password for Bank A (pwdA = pwdB), so the captured password also works at Site B
CASE STUDY
Source: Federal Trade Commission USA, March 22 2004
Committed by Zachary Hill of Houston
Hill sent out official-looking e-mail notices warning America Online and PayPal users to update their account to avoid cancellation.
At the fake site he collected sensitive information like SSN, bank account numbers etc.
He duped 400 users out of at least $75,000
Password Hashing
Transmit the clear text password
Password hashing
Uses hashed password and domain
Generates unique password for each site
Figure: flow of the password through the network to the server using password hashing
Implementing PwdHash
Two-stage encryption process
First stage based on clear text password
Second stage involves the domain name
PwdHash(E(pwd), dom) -> Domain-Specific Password
Structure of PwdHash
Characteristics
PwdHash(pwd, dom)
pwd <= clear text password
dom <= domain or site
PwdHash(pwd, dom1) different from PwdHash(pwd, dom2)
Figure: with PwdHash the same user password yields different site-specific passwords, pwdA for Bank A and pwdB for Site B (pwdA and pwdB are not equal)
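The two slides above (password hashing and the PwdHash structure) describe the idea without showing it in code. The following is an added illustration, not code from the slides or from the PwdHash project: it keys a hash on the clear text password and feeds the site's domain in as the message, so the value a phishing site captures is not the value the real site expects. The use of HMAC-SHA256 and a base64 encoding is an assumption made here for the example; the domain extraction rule and the sample URLs are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_domain(url: str) -> str:
    """Reduce a URL to the host name the hash is keyed on.

    Assumption for this example: the whole host name is used as 'dom'.
    A deployment must fix this rule, since a look-alike host such as
    bank-a.example.evil.example must not map to the same domain string.
    """
    host = urlparse(url).hostname or url
    return host.lower()


def pwdhash(master_password: str, domain: str, length: int = 16) -> str:
    """Domain-specific password: PwdHash(pwd, dom).

    The clear text password is the HMAC key, the domain is the message,
    so two different domains give two different site passwords even when
    the user's master password is the same (hash choice is an assumption).
    """
    digest = hmac.new(master_password.encode("utf-8"),
                      domain.encode("utf-8"),
                      hashlib.sha256).digest()
    token = base64.b64encode(digest).decode("ascii").rstrip("=")
    return token[:length]


def phishing_outcome(master_password: str, real_url: str, fake_url: str) -> dict:
    """Compare what the real site expects with what a fake site captures."""
    real = pwdhash(master_password, site_domain(real_url))
    captured = pwdhash(master_password, site_domain(fake_url))
    return {
        "real_site_password": real,
        "captured_at_fake_site": captured,
        # True only if the captured value could be replayed at the real site
        "replayable": real == captured,
    }


if __name__ == "__main__":
    # Constructed sample values; the domains are illustrative only
    MASTER = "correct horse battery staple"
    BANK_A = "https://www.bank-a.example/login"
    SITE_B = "https://www.site-b.example/account"
    FAKE = "https://www.bank-a.example.evil.example/login"

    print("Bank A :", pwdhash(MASTER, site_domain(BANK_A)))
    print("Site B :", pwdhash(MASTER, site_domain(SITE_B)))
    print(phishing_outcome(MASTER, BANK_A, FAKE))
```

Running the block shows pwdA for Bank A and pwdB for Site B differ although the master password is identical, and `phishing_outcome` reports `replayable: False` for the look-alike host, which is exactly the property the slides claim for PwdHash. Note that the output is deterministic, so the same user on the same domain always gets the same site password, and a site-specific password leaked from one database does not reveal the master password or the passwords for other domains.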
Conclusion
We can counter the phishing problem and tackle the common password problem
We will be able to generate strong passwords that make password cracking difficult
Generate different passwords for different domains even when the user's password is common