Annual Computer Security Applications Conference 2011 Technical Track Papers

Full Program »

PhorceField: A Phish-Proof Password Ceremony

Many widely deployed phishing defense schemes, such as
SiteKey, use client-side secrets to help users confirm that
they are visiting the correct website before entering their
passwords. Unfortunately, studies have demonstrated
that up to 92% of users can be convinced to ignore
missing client-side secrets and enter their passwords into
phishing pages. However, since client-side secrets have
already achieved industry acceptance, they are an attractive building block for creating better phishing defenses. We present PhorceField, a phishing resistant
password ceremony that combines client-side secrets and
graphical passwords in a novel way that provides phishing resistance that neither achieves on its own. PhorceField enables users to login easily, but forces phishers to present victims with a fundamentally unfamiliar
and onerous user interface. Victims that try to use the
phisher’s interface to enter their password find the task
so difficult that they give up without revealing their
password. We have evaluated PhorceField’s phishing
resistance in a user study in which 21 participants used
PhorceField for a week and were then subjected to a
simulated phishing attack. On average, participants
were only able to reveal 20% of the entropy in their
password, and none of them revealed their entire password. This is a substantial improvement over previous
research that demonstrated that 92% of users would reveal their entire password to a phisher, even if important
security indicators were missing.

PhorceField is easy to deploy in sites that already use
client-side secrets for phishing defense – it requires no
client-side software and can be implemented entirely in
javascript. Banks and other high value websites could
therefore deploy it as a drop-in replacement for existing
defenses, or deploy it on an “opt-in” basis, as Google has
done with its phone-based “2-step verification” system.

Author(s):

Michael Hart    
SUNY Stony Brook
United States

Claude Castille    
SUNY Stony Brook
United States

Manoj Harpalani    
SUNY Stony Brook
United States

Jonathan Toohill    
SUNY Stony Brook
United States

Rob Johnson    
SUNY Stony Brook
United States

 

Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC