中央研究院  |  資訊科學研究所  |  多媒體網路與系統實驗室
Using One-Time Passwords to Prevent Password Phishing Attacks
(NOTE: Sheng-Wei Chen is also known as Kuan-Ta Chen.)

Abstract
Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instruction in the messages are directed to well-built spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users' account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the anti-phishing working group (APWG) show that, at the end of Q2 in 2008, the number of malicious web pages designed to steal users' passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naive way to prevent the theft of passwords is to avoid using passwords. This raises the following question: Is it possible to authenticate a user without a preset password? <p> In this paper, we propose a practical authentication service that eliminates the need for preset user passwords during the authentication process. By leveraging existing communication infrastructures on the Internet, i.e., the instant messaging service, it is only necessary to deploy the proposed scheme on the server side. We also show that the proposed solution can be seamlessly integrated with the OpenID service so that websites supporting OpenID benefit directly from the proposed solution. The proposed solution can be deployed incrementally, and it does not require client-side scripts, plug-ins, nor external devices. We believe that the number of phishing attacks could be reduced substantially if users were not required to provide their own passwords when accessing web pages.

Materials
Citation
Chun-Ying Huang, Shang-Ping Ma and Kuan-Ta Chen, "Using One-Time Passwords to Prevent Password Phishing Attacks," Journal of Network and Computer Applications, Vol. 34, No. 4, July, 2011.

BibTex
@ARTICLE{huang11:password_phishing,
  TITLE      = {Using One-Time Passwords to Prevent Password Phishing Attacks},
  AUTHOR     = {Chun-Ying Huang and Shang-Ping Ma and Kuan-Ta Chen},
  YEAR       = {2011},
  VOL        = {34},
  NO         = {4},
  MONTH      = {July},
  JOURNAL    = {Journal of Network and Computer Applications}
}