Escaping the phishing net

De OWASP
Saltar a: navegación, buscar

Abstract: Phishing attacks have posed serious challenges by exposing the technical deficiencies of internet technologies and its business models. Phishing attacks are difficult to tackle because the problem lies outside the scope of secure application development. Phishing attacks don’t require a web application to be vulnerable as such. It basically exploits the ignorance on part of the end user to carry out successful exploits. End users don’t have a standard mechanism to verify the authenticity of the server application, which is the fundamental cause of phishing. Most of the solutions designed to counter phishing attacks are not aimed at addressing this fundamental flaw and hence those would fail to provide a fool proof solution even though they may succeed in minimizing the number of successful attacks. In this paper I shall explore various phishing attack techniques used by crackers, some of the countermeasures proposed and implemented and their drawbacks. I shall then suggest a new model that is aimed at curing the cause of phishing attacks and not just its symptoms. I shall also take a look at the usability issues that would result from the adoption of the new model.