Ulqinaku et al., 2021 - Google Patents

Is real-time phishing eliminated with {FIDO}? social engineering downgrade attacks against {FIDO} protocols

Ulqinaku et al., 2021

View PDF
Document ID
18293250088175751134
Author
Ulqinaku E
Assal H
Abdou A
Chiasson S
Capkun S
Publication year
Publication venue
30th USENIX Security Symposium (USENIX Security 21)

External Links

Snippet

Abstract FIDO's U2F is a web-authentication mechanism designed to mitigate real-time phishing—an attack that undermines multi-factor authentication by allowing an attacker to relay second-factor one-time tokens from the victim user to the legitimate website in real …
Continue reading at www.usenix.org (PDF) (other versions)

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRICAL DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1483Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRICAL DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/83Protecting input, output or interconnection devices input devices, e.g. keyboards, mice or controllers thereof
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRICAL DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRICAL DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/316User authentication by observing the pattern of computer usage, e.g. typical user behaviour
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/083Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords using one-time-passwords
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRICAL DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Similar Documents

Publication Publication Date Title
Ulqinaku et al. Is real-time phishing eliminated with {FIDO}? social engineering downgrade attacks against {FIDO} protocols
Andress Foundations of information security: a straightforward introduction
Yao et al. Towards preventing QR code based attacks on android phone using security warnings
Jubur et al. Bypassing push-based second factor and passwordless authentication with human-indistinguishable notifications
Ndibwile et al. An empirical approach to phishing countermeasures through smart glasses and validation agents
Kuchhal et al. Evaluating the security posture of real-world fido2 deployments
Alseadoon The impact of users' characteristics on their ability to detect phishing emails
Mahdad et al. Breaching security keys without root: Fido2 deception attacks via overlays exploiting limited display authenticators
Jubur et al. Usability and security analysis of the compare-and-confirm method in mobile push-based two-factor authentication
Ma et al. The impact of secure transport protocols on phishing efficacy
Grassi et al. Draft nist special publication 800-63b digital identity guidelines
Braun et al. Phishsafe: leveraging modern javascript api's for transparent and robust protection
Tolbert et al. Exploring phone-based authentication vulnerabilities in single sign-on systems
Wojcicki Phishing attacks: preying on human psychology to beat the system and developing cybersecurity protections to reduce the risks
LADO Cybersecurity Essentials Protecting Your Digital Life, Data, and Privacy in a Threat-Driven World: Comprehensive Guide to Preventing Hacks, Phishing, Malware, and Identity Theft
He et al. Understanding mobile banking applications’ security risks through blog mining and the workflow technology
Hegt Analysis of current and future phishing attacks on internet banking services
Shibayama et al. Vulnerability exploiting SMS push notifications
Gautam et al. Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers
Mohammed Password-based Authentication in Computer Security: Why is it still there?
Khadilkar Securing Internet Banking Against Data Phishing Using Cryptography
Li A contingency framework to assure the user-centred quality and to support the design of anti-phishing software
Pandey et al. Loopholes of Two-Factor Authentication and the Rise of Multi-factor Authentication
Utakrit Security awareness by online banking users in Western Australian of phishing attacks
Mujinga Towards a Framework to Promote the Development of Secure and Usable Online Information Security Applications