Using one-time passwords to prevent password phishing attacks

Chun-Ying Huang*, Shang Pin Ma, Kuan Ta Chen

*Corresponding author for this work

Research output: Contribution to journalArticle

39 Scopus citations

Abstract

Phishing is now a serious threat to the security of Internet users confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instruction in the messages are directed to well-built spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the anti-phishing working group (APWG) show that, at the end of Q2 in 2008, the number of malicious web pages designed to steal users passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naïve way to prevent the theft of passwords is to avoid using passwords. This raises the following question: Is it possible to authenticate a user without a preset password? In this paper, we propose a practical authentication service that eliminates the need for preset user passwords during the authentication process. By leveraging existing communication infrastructures on the Internet, i.e., the instant messaging service, it is only necessary to deploy the proposed scheme on the server side. We also show that the proposed solution can be seamlessly integrated with the OpenID service so that websites supporting OpenID benefit directly from the proposed solution. The proposed solution can be deployed incrementally, and it does not require client-side scripts, plug-ins, nor external devices. We believe that the number of phishing attacks could be reduced substantially if users were not required to provide their own passwords when accessing web pages.

Original languageEnglish
Pages (from-to)1292-1301
Number of pages10
JournalJournal of Network and Computer Applications
Volume34
Issue number4
DOIs
StatePublished - 1 Jul 2011

Keywords

  • Anti-phishing
  • Identity management
  • In-band password delivery
  • One-time password
  • Web security

Fingerprint Dive into the research topics of 'Using one-time passwords to prevent password phishing attacks'. Together they form a unique fingerprint.

  • Cite this