The Devil Is Phishing: Rethinking Web Single Sign-On Systems Security
Author
Abstract
One significant trend in online user authentication is the use of Web Single Sign-On (SSO) systems. In particular, open Web SSO standards such as OpenID and OAuth are rapidly gaining adoption on the Web, and they enable over one billion user accounts. However, the large-scale threat that phishing attacks pose to real-world Web SSO systems has been significantly underestimated and insufficiently analyzed. In this paper, we (1) pinpoint what is really unique in Web SSO phishing, (2) provide one example to illustrate how the identity providers (IdPs) of Web SSO systems can be spoofed with ease and precision, (3) present a preliminary user study to demonstrate the high effectiveness (20 out of 28, or 71% of participants became “victims”) of Web SSO phishing attacks, and (4) call for a collective effort to effectively defend against the insidious Web SSO phishing attacks.
Similar sources
Logout in Single Sign-on Systems
Single sign-on (SSO) helps users to cope with many online services that require authentication. Systems such as OpenID and SAML-based Shibboleth offer federated identity management where an Identity Provider authenticates the user on behalf of the services. Much research concentrates on making authentication stronger, preventing phishing and making the systems more user friendly but less attent...
Poster: OpenIDemail Enabled Browser
With Web 2.0, the user is both a consumer and provider of Web content. However, today’s Web is site centric. A user has to maintain a separated copy of identity and corresponding password for each content-hosting and service providers (CSPs), which leads to weaker passwords and/or password re-use across accounts [4]. Federated identity solutions enable cross-domain single sign-on, and remove th...
The Mobile Browser as a Web-Based Platform for Identity
Mobile devices have long been considered useful in bootstrapping authentication via other channels, including the web. As mobile devices begin to include complete web browsers, there is an opportunity to standardize a simple, web-based mobile authentication technique, both for devices themselves and for desktop access using the mobile device as a secondary channel. The path to better authentica...
Intelligent Security for Phishing Online using Adaptive Neuro Fuzzy Systems
Anti-phishing detection solutions employed in industry use blacklist-based approaches to achieve low false-positive rates, but blacklist approaches utilize website URLs only. This study analyses and combines phishing emails and phishing web-forms in a single framework, which allows feature extraction and feature model construction. The outcome should classify between phishing, suspicious, legit...
Smart OpenID: A Smart Card Based OpenID Protocol
OpenID is a lightweight, easy to implement and deploy approach to Single Sign-On (SSO) and Identity Management (IdM), and has great potential for large scale user adoption especially for mobile applications. At the same time, Mobile Network Operators are increasingly interested in leveraging their existing infrastructure and assets for SSO and IdM. In this paper, we present the concept of Smart...