Ulqinaku et al., 2021 - Google Patents
Is real-time phishing eliminated with FIDO? Social engineering downgrade attacks against FIDO protocols
Ulqinaku et al., 2021
- Document ID
- 18293250088175751134
- Author
- Ulqinaku E
- Assal H
- Abdou A
- Chiasson S
- Capkun S
- Publication year
- 2021
- Publication venue
- 30th USENIX Security Symposium (USENIX Security 21)
Snippet
Abstract: FIDO's U2F is a web-authentication mechanism designed to mitigate real-time phishing—an attack that undermines multi-factor authentication by allowing an attacker to relay second-factor one-time tokens from the victim user to the legitimate website in real …
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1483—Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/83—Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/316—User authentication by observing the pattern of computer usage, e.g. typical user behaviour
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
- H04L63/083—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords using one-time-passwords
- G—PHYSICS
- G06—COMPUTING; CALCULATING; COUNTING
- G06F—ELECTRICAL DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
Similar Documents
| Publication | Title |
|---|---|
| Ulqinaku et al. | Is real-time phishing eliminated with FIDO? Social engineering downgrade attacks against FIDO protocols |
| Andress | Foundations of information security: a straightforward introduction |
| Yao et al. | Towards preventing QR code based attacks on android phone using security warnings |
| Jubur et al. | Bypassing push-based second factor and passwordless authentication with human-indistinguishable notifications |
| Ndibwile et al. | An empirical approach to phishing countermeasures through smart glasses and validation agents |
| Kuchhal et al. | Evaluating the security posture of real-world FIDO2 deployments |
| Alseadoon | The impact of users' characteristics on their ability to detect phishing emails |
| Mahdad et al. | Breaching security keys without root: FIDO2 deception attacks via overlays exploiting limited display authenticators |
| Jubur et al. | Usability and security analysis of the compare-and-confirm method in mobile push-based two-factor authentication |
| Ma et al. | The impact of secure transport protocols on phishing efficacy |
| Grassi et al. | Draft NIST Special Publication 800-63B digital identity guidelines |
| Braun et al. | PhishSafe: leveraging modern JavaScript APIs for transparent and robust protection |
| Tolbert et al. | Exploring phone-based authentication vulnerabilities in single sign-on systems |
| Wojcicki | Phishing attacks: preying on human psychology to beat the system and developing cybersecurity protections to reduce the risks |
| Lado | Cybersecurity Essentials: Protecting Your Digital Life, Data, and Privacy in a Threat-Driven World: Comprehensive Guide to Preventing Hacks, Phishing, Malware, and Identity Theft |
| He et al. | Understanding mobile banking applications' security risks through blog mining and the workflow technology |
| Hegt | Analysis of current and future phishing attacks on internet banking services |
| Shibayama et al. | Vulnerability exploiting SMS push notifications |
| Gautam et al. | Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers |
| Mohammed | Password-based Authentication in Computer Security: Why is it still there? |
| Khadilkar | Securing Internet Banking Against Data Phishing Using Cryptography |
| Li | A contingency framework to assure the user-centred quality and to support the design of anti-phishing software |
| Pandey et al. | Loopholes of Two-Factor Authentication and the Rise of Multi-factor Authentication |
| Utakrit | Security awareness by online banking users in Western Australia of phishing attacks |
| Mujinga | Towards a Framework to Promote the Development of Secure and Usable Online Information Security Applications |