Today, two-factor authentication (2FA) is a widely deployed mechanism for countering phishing attacks. Although much effort has been invested in 2FA, most 2FA systems remain vulnerable to carefully designed phishing attacks, and some require special hardware, which limits their wide deployment. Recently, real-time phishing (RTP) has made the situation worse: an adversary can effortlessly set up a phishing website that replicates a target website without any background in web page design, and traditional 2FA can be easily bypassed by such RTP attacks. In this work, we propose PhotoAuth, a novel 2FA system to counter RTP attacks. The main idea is to ask the user to take a photo of the web browser, with the domain name visible in the address bar, as the second authentication factor. The web server extracts the domain name from the photo using Optical Character Recognition (OCR) and then determines whether the user is visiting this website or a fake one. This defeats RTP attacks, in which the adversary must host the fake website under a different domain. We prototyped the system and evaluated its performance in various environments. The results show that PhotoAuth is an effective technique with good scalability. We also show that, compared to other 2FA systems, PhotoAuth has several advantages; in particular, no special hardware or software is needed on the client side beyond a phone, making it readily deployable.
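The server-side decision step of the scheme described above, as an added example that is not the PhotoAuth authors' code. It assumes the OCR stage has already run on the uploaded photo and models its output as constructed strings; the server then recovers the host from the recognised address-bar text and requires an exact match against the host it actually serves (taken here from the hypothetical `EXPECTED_HOST` constant). An exact, normalised host comparison is what makes a phishing site at any other domain fail the check, including one whose name merely contains the real host as a prefix.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the legitimate server knows its own public hostname from its
# configuration; this constant stands in for that value.
EXPECTED_HOST = "bank.example.com"


def host_from_ocr_text(ocr_text: str) -> Optional[str]:
    """Recover the hostname from OCR output of a browser address bar.

    OCR output is noisy: it may include the scheme, a path and query string,
    surrounding whitespace or line breaks, and other UI text from the same
    line (for example a "Not secure" badge). We take the first whitespace-
    separated token that parses as a URL with a dotted hostname, adding a
    scheme when the browser hid it.
    """
    for token in ocr_text.split():
        candidate = token if "://" in token else "https://" + token
        try:
            parts = urlsplit(candidate)
        except ValueError:
            continue  # e.g. malformed IPv6 brackets; try the next token
        host = parts.hostname  # already lowercased, port stripped
        if host and "." in host:
            return host
    return None


def normalise_host(host: str) -> Optional[str]:
    """Canonicalise a hostname for comparison: trim, drop a trailing dot,
    convert any non-ASCII labels to their IDNA (punycode) form, lowercase."""
    try:
        return host.strip().rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def verify_photo_domain(ocr_text: str, expected_host: str = EXPECTED_HOST) -> bool:
    """Second-factor check: does the photographed address bar show our domain?

    Returns True only when the recognised host, after normalisation, is
    byte-for-byte equal to the expected host. Subdomains, look-alike
    registrations and prefixed phishing names all compare unequal.
    """
    observed = host_from_ocr_text(ocr_text)
    if observed is None:
        return False
    observed_norm = normalise_host(observed)
    expected_norm = normalise_host(expected_host)
    return observed_norm is not None and observed_norm == expected_norm


if __name__ == "__main__":
    # Constructed OCR outputs standing in for text recognised from photos.
    samples = [
        "https://bank.example.com/login?next=/accounts",   # genuine site
        "bank.example.com",                                  # scheme hidden
        "https://bank.example.com.evil-phish.net/login",    # RTP proxy domain
        "Not secure http://192.0.2.10/login",               # RTP proxy by IP
    ]
    for s in samples:
        print(f"{verify_photo_domain(s)!s:5}  {s}")
```

The check is deliberately strict: no fuzzy matching is applied to the OCR result, because any tolerance added here directly widens the set of domains an attacker could register to pass the check. If OCR misreads a genuine photo, the safe failure mode is to reject and ask the user to retake it.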