
Saimohan K (08mse095), Anil M (08mse122)
Guide: Prof. L. D. Dhinesh Babu, SITE, VIT University

At a glance
What is phishing?
Types of attacks
How do we prevent or avoid it? So, what should we do?
Architecture of the system
Modules
Live demo
How is this better than the previous ones?

What is phishing?
Criminals use spoofed e-mails and fraudulent web sites to trick people into giving up personal information, resulting in identity theft. This type of attack and this technique is known as PHISHING. Its primary aim is to obtain the user IDs and passwords of your e-mail accounts and, especially, your bank accounts. It results in the loss of billions of dollars every year in the banking sector and in online transactions.

Types of phishing
Website forgery
Link manipulation
Pop-up windows
Phone phishing
Malware-based phishing
Search engine phishing

Website forgery

Link manipulation

Link manipulation (model)

Pop-up windows
Phishers also steal one's details through pop-up windows, especially when one is logging in to the banking website. The way to prevent this is to close the pop-up window and the banking website, and to inform the bank about the situation.

Phone phishing
Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Voice phishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.

How do we prevent or avoid it?
Prevent it: this is not possible. Today's attackers are more skilled at breaking the technology than those who develop it.
Avoid it: this is something we can try to do. Various tools and security mechanisms are in place to stop people from falling for phishing attacks.

How do we prevent or avoid it? (cont..)
Let us see some tools and strategies deployed to avoid phishing. Here are some general ways of dealing with it:
1. Silently eliminate the threat.
2. Warn the users about it.
3. Otherwise, train users not to fall for phish and how to detect them.

How do we prevent or avoid it? (cont..)
Or else, we can deal with it a bit more professionally, by going for design and security solutions like:
1) Third-party certifications: hierarchical and distributed models (Public Key Infrastructure (PKI), Secure Sockets Layer (SSL) and Transport Layer Security (TLS)).

How do we prevent or avoid it? (cont..)
2) TrustBar: a third-party certification solution in which website logos were certified.
3) Direct authentication: this again had many techniques. Multi-factor user authentication, popularly known as "something that you know" (passwords, etc.) and "something that you are" (biometrics, etc.). The first of its kind was AOL Passcode, which issued RSA SecurID devices.

How do we prevent or avoid it? (cont..)
Server authentication using shared secrets: the first of its kind was Passcode, and Verified by Visa, which was used to verify the identity of a server using a pass phrase. Server authentication using self-shared secrets required the user to share a secret with his/her own device (e.g., the web browser) rather than with the web server.

How do we prevent or avoid it? (cont..)
YURL petnames: every user had to register a petname for each site they visit. If this petname is displayed the next time they visit the site, then the site is legitimate; otherwise it is suspicious. The problem was that users chose simple petnames, which were easy to crack.

How do we prevent or avoid it? (cont..)
Now let's check out some ANTI-PHISHING TOOLS.
eBay Toolbar: a browser plug-in that eBay offered to its customers to help keep track of auction sites. It has a feature called AccountGuard, which monitors the web pages that users visit and provides a warning in the form of a colored tab on the toolbar. The real catch here was that the tool took time to detect and notify a phish; by that time, the user had already submitted his password.

How do we prevent or avoid it? (cont..)
SpoofGuard: calculated the probability of a site being a spoof based on its links, images, etc. The pain here was that it was supposed to have knowledge of all sites present, and the learning process for the tool took a long time.
SpoofStick: tried to reveal phish by showing the domain name in which the site was registered. Phishing sites either had an IP address as the domain name or a name closely matching that of a legitimate site. Opening multiple windows was a trick to fool it.

How do we prevent or avoid it? (cont..)
BayeShield (Conversational Anti-Phishing Interface): used a series of questions every time you opened a site to check whether it could be trusted. It was a lengthy procedure and often very irritating.
iTrustPage: a plug-in for Mozilla Firefox. It used external repositories to detect a phish and was highly user-assisted. Its drawback? It could be used only on Firefox.

How do we prevent or avoid it? (cont..)
So, these were a few strategies, tools, designs and techniques already available to detect and report phishing, to some extent. Each of these techniques had a drawback: a few violate the limited human skills property, a few are plug-ins that have to be downloaded, and a few are weak. But then, we cannot achieve 100% security all the time.

So what do we do?
We learn from the past examples and come up with a new strategy. But we have to keep in mind a few important things:
1. Phishing is an attack that targets USERS rather than the technology.
2. Involve the user in the whole mechanism.
3. Create a relationship of trust between the user and the server before authentication.
4. A single password is not enough to authenticate.
5. Authenticate that the user is who he/she claims to be, and also authenticate the server.

So what do we do? (cont..)
Now that we have seen the entire system, let's have a look at how the whole system and the user interact with each other. Here we have the use case diagram that shows us what we want to know.

Architecture of the System
The system uses a client/server architecture. This architecture shows both the functionality dedicated to the client and the functionality dedicated to the server.

Module 1 (register)
Now that we know how everything interacts with one another, we shall go a bit into the system to get a broader view of what the modules are and their responsibilities. This is the user registration, which is the pilot module. Everything starts with this first and important step.

Module-1 (Register details)
This module initiates the entire procedure that precedes authentication. Here the user registers with the particular web site by giving the essential details. All the user details are stored.

Module-1 Backend Processing
All the details entered by the user are stored in the database and can be retrieved at any time. The user should input all the required details.

Module-2 User enters details
This is the next critical step. After registering with the website, every user is given a username and a password. In this module the user enters these details. Here the site provides the required fields where the user name and the password are to be entered.

Module 2

Module 3 (user verifies details)
After entering valid details, the user is taken to the next step of authentication. In this step the user self-verifies with his name. The IP address of the server where the website is hosted is displayed. If all the details are correct, then he proceeds to the next step.

Module 3

Module 4 (Send SMS request)
If all the details displayed are correct, then the user sends a request for the secondary password. The page provides a link, which the user clicks so as to receive a password on the mobile.

Module 4 (Send SMS request)

Module 5 (generate random key)
After the user sends an SMS request, a random number is generated for that particular user and stored in the storage. A different random number is generated for each user. All these details are stored in the database.

Module 5 (generate random key)

Module 6 (send random key to mobile)
The random number generated is stored in the database. The details are checked after the SMS request, and the random number is sent to the particular mobile number given by the user during registration.

Module 6 (send random key to mobile)

Module 7 (enter random key)
After the request is sent, the server sends an SMS through an API with all the user details in it. This random key acts as a secondary password for the secondary authentication. The user enters the random key and clicks the submit button. After submitting the valid password, the user is taken to the next page.

Module 7 (enter random key)

Module 8 (secure session)
The random key entered by the user is checked against the database. If the key matches, then the user is taken to his page where transactions are to be done. Finally, a secure session is created.

Module 8 (secure session)
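Modules 5 to 8 together describe one flow: generate a random key for a user, store it, send it to the mobile number captured at registration, check what the user submits and open a session. The block below is an added example sketching that server-side flow in Python; it is not the project's code. The dicts stand in for the deck's database, the `send_sms(mobile, text)` callable stands in for its SMS API, and the key lifetime and attempt limit are assumptions the deck does not state.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a key is valid for five minutes (the deck gives no lifetime)
MAX_ATTEMPTS = 3        # assumption: a key is discarded after three wrong guesses


class SmsKeyAuth:
    """Server side of Modules 5-8; `send_sms` is a hypothetical stand-in for the SMS API."""

    def __init__(self, send_sms):
        self._send_sms = send_sms
        self._mobiles = {}   # username -> mobile number captured at registration (Module 1)
        self._pending = {}   # username -> {"key", "issued", "attempts"}

    def register(self, username, mobile):
        self._mobiles[username] = mobile

    def request_key(self, username, now=None):
        """Modules 5 and 6: make a fresh key for this user and send it to the registered mobile."""
        mobile = self._mobiles.get(username)
        if mobile is None:
            return False                         # only registered users get a key
        now = time.time() if now is None else now
        # secrets (a CSPRNG), not random.randint: the key must be unguessable.
        key = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = {"key": key, "issued": now, "attempts": 0}
        self._send_sms(mobile, f"Your one-time login key is {key}")
        return True

    def verify_key(self, username, submitted, now=None):
        """Modules 7 and 8: check the submitted key; on success consume it and return a session id."""
        now = time.time() if now is None else now
        rec = self._pending.get(username)
        if rec is None:
            return None
        if now - rec["issued"] > OTP_TTL_SECONDS or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]          # expired or brute-forced: the user must start over
            return None
        rec["attempts"] += 1
        # Constant-time comparison so response timing leaks nothing about the stored key.
        if not hmac.compare_digest(rec["key"].encode(), str(submitted).encode()):
            return None
        del self._pending[username]              # single use: a replayed key fails
        return secrets.token_urlsafe(32)         # opaque id for the secure session of Module 8
```

The single-use, expiry and attempt-limit checks are what keep an intercepted or guessed SMS key from being replayed against the session the deck describes.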

How is this better than previous ones?
1. The whole architecture here is designed over the client and server, minimizing the exchange of sensitive data over an insecure network.
2. Upon request from the user, the original website is not shown; instead, a page is sent to perform secondary authentication, so as to create the relationship of trust with the user.

How is this better than previous ones? (cont..)
3. The attacker's target is no longer the target, as we involve the user in the whole process.
4. This does not require any plug-ins, certificates or other software, which could reduce its effectiveness and efficiency.
5. The simplest of technologies is used to deliver a hard blow to the attacker.

Thank you
