OWASP Israel 2008 Conference Amir Herzberg

Defending against Phishing without Client-side Code
We study defenses against phishing websites, which do not require installation of any software on the client side. The two main website defenses we discuss, are server identification e.g. using secret images, and the usage of bookmarks and/or cookies as a secondary form of authentication. We discuss the design of such server-only defenses, and results of experimental studies of security and usability.

Usability studies show that server-identification, e.g. by an image or text displayed in the login page, can provide a modest improvement in the detection rates of spoofed sites. We found an improvement in detection rates, when the user was actively involved in the image selection and display (e.g. if user must click on the image).

However, server-identifiers must be protected from exposure; this is usually achieved by some form of secondary user authentication, most commonly using cookies and/or bookmarks. We discuss these options. In particular, we show two possible advantages from using bookmarks to provide secondary user identification: improved defense against phishing, in particular against phishing emails and phishing by links, e.g. of search engine results; and ability to protect the authentication secrets against eavesdroppers and spoofed servers.

Bio
Prof. Amir Herzberg received B.Sc. (Computer Engineering), M.Sc. (Electrical Engineering) and D.Sc. (Computer Science), from the Technion, Israel, at 1982, 1987 and 1991, respectively. Since 1982, he worked in software and systems R&D, mostly in security and networking, as developer, manager and CTO, in few companies. During 1991-2000, Prof. Herzberg filled research and management positions in IBM Research (New York and Israel). Since 2002, he is an associate professor in the Computer Science department of Bar Ilan University. His current research interests include security of communication and commerce, quality of service, vehicular and ad-hoc networking, and applied cryptography.