Phishing, or web spoofing, is a growing problem: the Anti-Phishing Working Group (APWG) received almost 14,000 unique phishing
reports in August 2005, a 56% jump over the number of reports in December 2004 [3]. For financial institutions, phishing is
a particularly insidious problem, since trust forms the foundation for customer relationships, and phishing attacks undermine
confidence in an institution.
Phishing attacks succeed by exploiting a user’s inability to distinguish legitimate sites from spoofed sites. Most prior research
focuses on assisting the user in making this distinction; however, users must make the right security decision every time.
Unfortunately, humans are ill-suited for performing the security checks necessary for secure site identification, and a single
mistake may result in a total compromise of the user’s online account. Fundamentally, users should be authenticated using
information that they cannot readily reveal to malicious parties. Placing less reliance on the user during the authentication
process will enhance security and eliminate many forms of fraud.
We propose using a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts
Man-in-the-Middle attacks after setup, and protects a user’s account even in the presence of keyloggers and most forms of
spyware. We demonstrate the practicality of our system with a prototype implementation.
Keywords: Identity Theft; Phishing and Social Engineering; Fraud Prevention; Secure Banking and Financial Web Services