
Behavioural Analysis of Password Authentication and Countermeasure to Phishing Attacks - from User Experience and HCI Perspectives

Analysis of Users' Password Authentication Behaviour and Countermeasures against Phishing Attacks: from the Perspective of User Experience and HCI

  • Received : 2014.01.31
  • Accepted : 2014.04.09
  • Published : 2014.06.30

Abstract

User authentication based on an ID and password (ID/PW) has been widely used. As the Internet has become a larger part of people's lives, the number of times users enter an ID/PW for the services they use has increased. People have learned the authentication procedure so thoroughly that they enter their ID/PW without conscious attention. This is referred to as the adaptive unconscious: a set of mental processes that takes in information and produces judgements and behaviour within a second and without our conscious awareness. Most people have signed up for many websites with only a small number of IDs/PWs, because they rely on their memory to manage them. Human memory decays with the passing of time, and items in memory tend to interfere with one another, so there is a real chance that a user enters an invalid ID/PW. These characteristics of ID/PW authentication therefore give rise to human vulnerabilities: people use a few passwords across many websites, manage their IDs/PWs from memory alone, and enter them unconsciously. Exploiting these human-factor weaknesses, information leakage attacks such as phishing and pharming have been increasing exponentially. In the past, information leakage attacks exploited vulnerabilities in hardware, operating systems, software and so on; most current attacks instead exploit vulnerabilities of the human factor, and are called social-engineering attacks. Recently, malicious social-engineering techniques such as phishing and pharming have become one of the biggest security problems. Phishing is an attack that attempts to obtain valuable information such as an ID/PW; pharming is an attack that steals personal data by redirecting a website's traffic to a fraudulent copy of the legitimate website.
The screens of the fraudulent copies used in phishing and pharming attacks are almost identical to those of the legitimate websites, and a pharming site can even display a deceptive URL in the address bar. Without the support of prevention and detection techniques such as anti-virus software and reputation systems, it is therefore difficult for a user to determine intuitively whether a site is a phishing or pharming site or the legitimate one. Previous research on phishing and pharming attacks has mainly studied technical solutions. In this paper we focus on human behaviour when users are confronted with phishing and pharming attacks without being aware of them. We conducted an attack experiment to find out how many IDs/PWs are leaked by phishing and pharming attacks. We first configured the experimental settings to match the conditions of real phishing and pharming attacks and built a phishing site for the experiment. We then recruited 64 voluntary participants and asked them to log in to our experimental site, and conducted a questionnaire survey with each participant about the experiment. Through the attack experiment and the survey we observed whether a participant's password was leaked when logging in to the experimental phishing site, and how many different passwords were leaked relative to the total number of passwords each participant used. We found that most participants logged in to the site unconsciously, and that managing IDs/PWs from memory caused multiple passwords to be leaked. Users should actively use reputation systems, and online service providers should support prevention techniques that let the user intuitively determine whether a site is a phishing site.

Authentication with an ID and password is a classic method, but it is still the most widely used. Today, users' password authentication process has become part of the adaptive unconscious because of its simplicity, convenience and repeated performance; that is, users perform authentication unconsciously rather than in a conscious state. Because the procedure is simple and is learned through repetition, it can be learned to the point where it is performed unconsciously without deep thought. Another cause of this adaptive unconsciousness is that users hold only a small number of IDs and passwords, so they can rely on memory. In contrast to the small number of IDs and passwords they hold, users are generally signed up for a great many web, mobile and Internet services. When the number of accounts is large but only a few ID/password pairs are held, when those pairs are managed by relying on memory, and finally when the authentication process is performed unconsciously, this becomes a human vulnerability. Whereas hacking attacks for information leakage used to exploit vulnerabilities in hardware or software, recently social-engineering attacks that additionally exploit vulnerabilities in the human factor have been increasing. In particular, information-leakage attacks such as phishing and pharming are surging. Phishing and pharming attacks exploit the vulnerability of the human factor, and unconsciously performed human authentication behaviour is vulnerable to them. Past research on phishing and pharming has mainly consisted of technical analysis and countermeasures, but this paper is interested in how humans behave when responding to phishing and pharming attacks. Through an experiment we confirmed how many passwords can be exposed when a user enters passwords unconsciously and repeats the authentication behaviour.
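As an added example that is not part of the paper: the countermeasure the abstracts call for (a check the user does not have to make consciously) can be built into the credential store itself, so that a password is released only to the exact origin it was registered on, however similar the phishing page looks. The vault contents, hostnames and the lookalike heuristic below are constructed assumptions.

```python
"""Origin-bound credential release.  A vault that binds each stored password
to the exact origin it was registered on refuses to fill it on a near-identical
page served from any other origin, taking the decision out of the user's
unconscious login habit.  Vault contents and hostnames are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    origin: str    # canonical "scheme://host[:port]" (assumed format)
    username: str
    password: str


def canonical_origin(url: str) -> str:
    """Lower-case the host, convert IDN labels to punycode (xn--...),
    drop path/query/fragment and keep only a non-default port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    host = parts.hostname.encode("idna").decode("ascii").lower()
    default = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default) else f":{parts.port}"
    return f"{parts.scheme}://{host}{port}"


def release_credential(vault, url):
    """Return the credential bound to url's origin, or None.  A lookalike
    screen on any other origin never receives the password."""
    origin = canonical_origin(url)
    return next((c for c in vault if c.origin == origin), None)


def classify_login_page(vault, url):
    """Triage a login page as 'match', 'lookalike' or 'unknown' so the
    client can warn the user instead of silently filling nothing.  The
    lookalike heuristic (registered host embedded in the candidate host,
    scheme downgrade, or an IDN host) is a constructed assumption."""
    if release_credential(vault, url) is not None:
        return "match"
    host = urlsplit(canonical_origin(url)).hostname
    for cred in vault:
        if urlsplit(cred.origin).hostname in host or "xn--" in host:
            return "lookalike"
    return "unknown"


def demo_vault():
    """Constructed sample vault with one registered credential."""
    return [Credential("https://login.bank.example", "alice", "correct-horse")]
```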

Cited by

  1. A novel secure and efficient hash function with extra padding against rainbow table attacks 2018, https://doi.org/10.1007/s10586-017-0886-4
  2. The Effect of Information Security on Consumer Preference for Android- and iOS-based Smartphones vol.18, pp.1, 2017, https://doi.org/10.7472/jksii.2017.18.1.105
  3. Design of a Personalized User Authentication System vol.8, pp.6, 2014, https://doi.org/10.22156/cs4smb.2018.8.6.143