English  |  正體中文  |  简体中文  |  Items with full text/Total items : 28611/40649
Visitors : 626487      Online Users : 84
RC Version 4.0 © Powered By DSPACE, MIT. Enhanced by NTU Library IR team.
Scope Adv. Search

Please use this identifier to cite or link to this item: http://ntour.ntou.edu.tw:8080/ir/handle/987654321/27955

Title: Using one-time passwords to prevent password phishing attacks
Authors: Chun-Ying Huang;Shang-Pin Ma;Kuan-Ta Chen
Contributors: NTOU:Department of Computer Science and Engineering
Keywords: Anti-phishing;Identity management;In-band password delivery;One-time password;Web security
Date: 2011-07
Issue Date: 2011-10-21T02:34:41Z
Publisher: Journal of Network and Computer Applications
Abstract: Abstract:Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instruction in the messages are directed to well-built spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users' account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the anti-phishing working group (APWG) show that, at the end of Q2 in 2008, the number of malicious web pages designed to steal users' passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naive way to prevent the theft of passwords is to avoid using passwords. This raises the following question: Is it possible to authenticate a user without a preset password? In this paper, we propose a practical authentication service that eliminates the need for preset user passwords during the authentication process. By leveraging existing communication infrastructures on the Internet, i.e., the instant messaging service, it is only necessary to deploy the proposed scheme on the server side. We also show that the proposed solution can be seamlessly integrated with the OpenID service so that websites supporting OpenID benefit directly from the proposed solution. The proposed solution can be deployed incrementally, and it does not require client-side scripts, plug-ins, nor external devices. We believe that the number of phishing attacks could be reduced substantially if users were not required to provide their own passwords when accessing web pages.
Relation: 34(4), pp.1292-1301
URI: http://ntour.ntou.edu.tw/handle/987654321/27955
Appears in Collections:[資訊工程學系] 期刊論文

Files in This Item:

File Description SizeFormat

All items in NTOUR are protected by copyright, with all rights reserved.


著作權政策宣告: 本網站之內容為國立臺灣海洋大學所收錄之機構典藏,無償提供學術研究與公眾教育等公益性使用,請合理使用本網站之內容,以尊重著作權人之權益。
網站維護: 海大圖資處 圖書系統組
DSpace Software Copyright © 2002-2004  MIT &  Hewlett-Packard  /   Enhanced by   NTU Library IR team Copyright ©   - Feedback