final review - compatibility mode

Upload: sai-mohan

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 Final Review - Compatibility Mode

    1/42

    Saimohan. K (08mse095)

    Anil.m (08mse122)

    Guide: Prof L.D. Dhinesh Babu,

    SITE, VIT University


    At a glance

    What is Phishing?

    Types of attacks

    How do we prevent or avoid it?

    So, what should we do?

    Architecture of the System

    Modules

    Live demo

    How is this better than the previous ones?


    What is phishing?

    Criminals use spoofed emails and fraudulent web sites to trick people into giving up personal information, resulting in identity theft. This type of attack and technique is known as PHISHING.

    Primary aim is to obtain the user IDs and passwords of your e-mail accounts and especially bank accounts.

    Results in loss of billions of dollars in banking sectors and online transactions, every year.


    Types of phishing

    Website forgery

    Link manipulation

    Pop-up windows

    Phone phishing

    Malware based phishing

    Search engine phishing


    Website forgery


    Link manipulation


    Link manipulation (model)


    Pop up windows

    Phishers will also steal one's details through pop-up windows, especially when one is logging in to the banking website. The method to prevent this is to close the pop-up window and the banking website, and inform the bank about the situation.


    Phone phishing

    Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Voice phishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization.


    How do we prevent or avoid it?

    Prevent it: It is not possible. Today's attackers are better at breaking the technology than those who develop it.

    Avoid it: This is something we can try to do. Various tools and security mechanisms are in place to keep people from falling for phishing attacks.


    How do we prevent or avoid it?

    (cont..) Let us see some tools and strategies deployed to avoid phishing.

    Here are some general ways of dealing with it:

    1. You silently eliminate the threat

    2. You warn the users about it

    3. You can otherwise train them not to fall for phish and how to detect them


    How do we prevent or avoid it?

    (cont..) Or else, we can deal with it a bit more professionally, by going for design and security solutions like:

    1) Third-party certifications: hierarchical and distributed models (Public Key Infrastructure PKI, Secure Socket Layer SSL and Transport Layer Security TLS)


    How do we prevent or avoid it?

    (cont..)

    2) TrustBar: a third-party certification solution where website logos were certified

    3) Direct authentication: again, it had many techniques. Multi-factor user authentication, popularly known as something that you know (passwords, etc.) and something that you are (biometrics, etc.). First of its kind was AOL Passcode, which issued RSA SecurID devices.


    How do we prevent or avoid it?

    (cont..)

    Server authentication using shared secrets: first of its kind was Passcode and Verified by Visa, used to verify the identity of a server using a passphrase.

    Server authentication using self-shared secrets: required the user to share a secret with his/her own device (e.g., web browser) rather than with the web server.


    How do we prevent or avoid it?

    (cont..)

    YURL Petnames: every user had to register a petname for the site they visit. If this petname gets displayed the next time they visit this site, then it is legitimate, or else suspicious. The problem was that users chose simple petnames, easy to crack.


    How do we prevent or avoid it?

    (cont..) Now let's check out some ANTI-PHISHING TOOLS

    eBay Toolbar is a browser plug-in that eBay offered to its customers to help keep track of auction sites. It has a feature called AccountGuard, which monitors the web pages that users visit and provides a warning in the form of a colored tab on the toolbar. The real catch here was that the tool took time to detect and notify a phish. By that time, the user had already submitted his password.


    How do we prevent or avoid it?

    (cont..) SpoofGuard calculated the probability of a site being a spoof based on its links, images, etc. The pain here was that it was supposed to have knowledge of all sites present, and the learning process for the tool took a long time.

    Spoofstick tried to reveal phish by showing the domain name under which the site was registered. Phished sites either had an IP address as the domain name or a name closely matching that of a legitimate site. Opening multiple windows was a trick to fool it.


    How do we prevent or avoid it?

    (cont..) BayeShield: Conversational Anti-Phishing Interface. It used a series of questions every time you opened a site to check whether it could be trusted. It was a lengthy procedure and often very irritating.

    iTrustPage: plug-in for Mozilla Firefox. Used external repositories to detect a phish and was highly user assisted. Its drawback? It could be used only on Firefox.


    How do we prevent or avoid it?

    (cont..) So, these were a few strategies, tools, designs and techniques already available to detect and report phishing, to some extent.

    Each of these techniques had a drawback. A few violate the limited human skills property, a few are plug-ins that have to be downloaded, and a few are weak. But then, we cannot achieve 100% security all the time.


    So what do we do?

    We learn from the past examples and come up with a new strategy. But we have to keep in mind a few important things:

    1. Phishing is an attack that targets USERS rather than the technology

    2. Involve the user in the whole mechanism

    3. Create a relationship of trust between the user and the server before authentication

    4. A single password is not enough to authenticate

    5. Authenticate that the user is who he/she claims to be, and also authenticate the server


    So what do we do? (cont..)

    Since we have seen the entire system, let's have a look at how the whole system and the user interact with each other. Here we have the use case diagram that shows us what we want to know.


    Architecture of the System

    Client/server architecture is used by the system. This architecture shows both the functionality dedicated to the client as well as the server.


    Module 1

    (register)

    Now that we know how everything interacts with one another, we shall go a bit into the system to have a broader view of what the modules are and their responsibilities. This here is the user registration, which is the pilot module. Everything starts with this first and important step.


    Module-1 (Register details)

    This system is the initiator of the entire procedure before authentication. Here the user is registered with the particular website by giving essential details.

    All the user details are stored.


    Module-1 Backend Processing

    All the details entered by the user are stored in the database and can be retrieved at any time.

    The user should input all the required details.


    Module-2 User enters details

    This is the next critical step. After registering with the website, every user is given a username and a password. In this module the user enters the details. Here the site is provided with the required fields where the user name and the password are to be entered.


    Module 2


    Module 3 (user verifies details)

    After entering valid details, the user is taken into the next step of authentication. In this step the user self-verifies with his name. The IP address of the server where the website is hosted is displayed. If all the details are correct, then he does the next step.


    Module 3


    Module 4 (Send SMS request)

    If all the details displayed are correct, then the user sends a request for the secondary password. The page is provided with a link, which the user should click so as to get a password on their mobile.


    Module 4 (Send SMS request)


    Module 5 (generate random key)

    After the user sends an SMS request, a random number is generated for that particular user and stored in the storage.

    A different random number is generated for each user. All these details are stored in the database.


    Module 5 (generate random key)


    Module 6 (send random key to mobile)

    The random number generated is stored in the database. The details are checked after the SMS request, and the random number is sent to the particular mobile number given by the user during registration.


    Module 6 (send random key to mobile)


    Module 7 (enter random key)

    After the request is sent, the server sends an SMS through an API with all the user details in it. This random key acts as a secondary password for the secondary authentication. The user enters the random key and clicks on the submit button. After submitting the valid password, the user is taken into the next page.


    Module 7 (enter random key)


    Module 8 (secure session)

    The random key entered by the user is checked in the database. If the key matches, then the user is taken to his page where transactions are to be done. Finally, a secure session is created.
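The secondary-authentication flow of Modules 5 to 8 (generate a per-user random key, store it, send it to the registered mobile, check what the user submits) as an added Python example; this is not the project's code, the database is an in-memory dict with a constructed user, and the SMS gateway is a stub that records the message. It also adds three checks the slides do not mention but a deployed version needs: the key expires, it is single use, and wrong guesses are limited.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # length of the random key sent by SMS
OTP_TTL_SECONDS = 120   # key is useless after this long
MAX_ATTEMPTS = 3        # wrong guesses allowed before the key is discarded

# Constructed stand-in for the registration database (Module 1): only the
# mobile number is needed here; the login password is checked earlier (Module 2).
users = {"alice": {"mobile": "+91-00000-00000"}}
# Pending random keys, one per user (Module 5 storage).
pending_keys = {}
# Stub SMS gateway (Module 6): records (mobile, text) instead of sending.
sent_sms = []

def generate_random_key(username, now=None):
    """Module 5: create a fresh, unpredictable key for this user and store it."""
    now = time.time() if now is None else now
    key = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    pending_keys[username] = {"key": key, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
    return key

def send_random_key(username):
    """Module 6: deliver the stored key to the mobile number given at registration."""
    key = pending_keys[username]["key"]
    # Only the key goes into the SMS; no other user details are put on the wire.
    sent_sms.append((users[username]["mobile"], f"Your one-time login key is {key}"))

def verify_random_key(username, submitted, now=None):
    """Modules 7-8: check the submitted key; True means a session may be created."""
    now = time.time() if now is None else now
    entry = pending_keys.get(username)
    if entry is None:
        return False                       # nothing requested, or already used
    if now > entry["expires"]:
        del pending_keys[username]         # stale key: force a new SMS request
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del pending_keys[username]         # too many guesses: discard the key
        return False
    # Constant-time comparison so response timing does not reveal matching digits.
    if hmac.compare_digest(entry["key"], submitted):
        del pending_keys[username]         # single use: a replayed key will not match
        return True
    return False
```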


    Module 8 (secure session)


    How is this better than previous ones?

    1. The whole architecture here is designed over the client and server, minimizing the exchange of sensitive data over an unsecure network

    2. Upon request from the user, the original website is not shown. Instead a page is sent to perform secondary authentication, so as to create the relationship of trust with the user


    How is this better than previous ones? (cont..)

    3. The attacker's target is no longer the target, as we involve the user in the whole process

    4. This does not require any plug-ins, certificates or any other software, all of which can reduce effectiveness and efficiency

    5. The simplest of technology is used to deliver a hard blow to the attacker


    Thank you