Phishing Secrets: History, Effects, and Countermeasures

This paper presents the results of a study performed over phishingthreats and vulnerabilities present in nowadays authenticationenvironments. The main goal of this paper is to present oursolution, the anti-phishing model which can be applied to any webenvironment, and not just to e-banking or the financial sector,without limitations nor additional requirements. We startpresenting a brief history of phishing, common solutions, somestatistics about phishing attempts, social impact and monetarylosses and our patented anti-phishing model. Following is anexplanation about how different vulnerabilities have beenaddressed such as Man-In-The-Middle attacks, phishing, pharming,SQL injection, social engineering, format string attacks, bufferoverflow, brute force and many other vulnerabilities. Theproposed method has been the basis of a PhD thesis aimed atdefining a model for secure operation of an Internet Bankingenvironment, even in the presence of malware on the client side.The authentication model is based on a mutual multi-factorauthentication process where both entities must be authenticatedwith more than one authentication factor. The proposed model hasbeen designed to be easily applicable with minimum impact to thecurrent Internet banking systems. Its goal is to be resistant tothe nowadays too frequent phishing and pharming attacks, and alsoto more classical ones like social engineering orman-in-the-middle attacks. The key point of this model is theneed for multi-factor mutual authentication, instead of simplybasing the security on the digital certificate of the financialentity, since in many cases users are not able to discern thevalidity of a certificate, and may not even pay attention to it.Thanks to the rules defined in this proposal, the security levelof the Web Banking environment will increase and customers' trustwill be enhanced, thus allowing a more beneficial use of thisservice. The proposed model has been simulated in order todemonstrate its effectiveness and feasibility.