http://dx.doi.org/10.7472/jksii.2014.15.3.79

Behavioural Analysis of Password Authentication and Countermeasure to Phishing Attacks - from User Experience and HCI Perspectives  

Ryu, Hong Ryeol (Graduate School of Information, Yonsei University)
Hong, Moses (Graduate School of Information, Yonsei University)
Kwon, Taekyoung (Graduate School of Information, Yonsei University)
Publication Information
Journal of Internet Computing and Services, vol. 15, no. 3, 2014, pp. 79-90
Abstract
User authentication based on an ID and password (ID/PW) has been widely used. As the Internet has become a growing part of people's lives, the number of times users enter an ID/PW has increased across a variety of services. People have learned the authentication procedure so thoroughly that they enter their ID/PW without conscious attention. This is referred to as the adaptive unconscious: a set of mental processes that take in incoming information and produce judgements and behaviours without our conscious awareness, within a second. Most people have signed up for various websites with a small number of IDs/PWs because they rely on their memory to manage them. Human memory decays with the passing of time, and items held in memory tend to interfere with each other. For that reason, there is the potential for people to enter an invalid ID/PW. The characteristics of ID/PW authentication mentioned above therefore lead to human vulnerabilities: people reuse a few PWs across various websites, manage IDs/PWs by relying on their memory, and enter their ID/PW unconsciously. Exploiting these human-factor vulnerabilities, information leakage attacks such as phishing and pharming have been increasing exponentially. In the past, information leakage attacks exploited vulnerabilities in hardware, operating systems, software and so on; most current attacks, however, tend to exploit vulnerabilities in the human factor. Attacks based on human-factor vulnerabilities are called social-engineering attacks, and malicious social-engineering techniques such as phishing and pharming are currently among the biggest security problems. Phishing is an attack that attempts to obtain valuable information such as an ID/PW, and pharming is an attack intended to steal personal data by redirecting a website's traffic to a fraudulent copy of a legitimate website.
The screens of the fraudulent copies used in both phishing and pharming attacks are almost identical to those of the legitimate websites, and a pharming site can even present a deceptive URL. Without the support of prevention and detection techniques such as anti-virus software and reputation systems, it is therefore difficult for users to determine intuitively whether a site is a phishing or pharming site or the legitimate one. Previous research on phishing and pharming attacks has mainly studied technical solutions. In this paper, we focus on human behaviour when users are confronted with phishing and pharming attacks without knowing it. We conducted an attack experiment to find out how many IDs/PWs are leaked through pharming and phishing attacks. We first configured the experimental settings under the same conditions as real phishing and pharming attacks and built a phishing site for the experiment. We then recruited 64 voluntary participants and asked them to log in to our experimental site. For each participant, we conducted a questionnaire survey regarding the experiment. Through the attack experiment and the survey, we observed whether participants' passwords were leaked when they logged in to the experimental phishing site, and how many different passwords were leaked out of the total number of passwords each participant used. Consequently, we found that most participants logged in to the site unconsciously, and that ID/PW management dependent on human memory caused the leakage of multiple passwords. Users should actively make use of reputation systems, and the service providers of online sites should support prevention techniques that let users intuitively determine whether a site is a phishing site.
Keywords
Phishing; Pharming; Password; Authentication; Social Engineering; HCI
Citations & Related Records
Times Cited by KSCI: 3