International Journal of Network Security, Vol.11, No.3, PP.163–171, Nov. 2010

Phishing Secrets: History, Effects, and Countermeasures

Antonio San Martino and Xavier Perramon
(Corresponding author: Antonio San Martino)

Department of Information and Communication Technologies, Universitat Pompeu Fabra, Barcelona, Catalonia, Spain
Roc Boronat 138, E-08018 Barcelona, Catalonia, Spain
(Email: asm@dp-security.com, xavier.perramon@upf.edu)

(Received June 13, 2009; revised and accepted Nov. 11, 2009)

Abstract

This paper presents the results of a study of the phishing threats and vulnerabilities present in today's authentication environments. The main goal of this paper is to present our solution, an anti-phishing model that can be applied to any web environment, not just to e-banking or the financial sector, without limitations or additional requirements. We start by presenting a brief history of phishing, common solutions, some statistics about phishing attempts, social impact and monetary losses, and our patented anti-phishing model. This is followed by an explanation of how different vulnerabilities have been addressed, such as man-in-the-middle attacks, phishing, pharming, SQL injection, social engineering, format string attacks, buffer overflows, brute force and many others. The proposed method has been the basis of a PhD thesis aimed at defining a model for the secure operation of an Internet banking environment, even in the presence of malware on the client side. The authentication model is based on a mutual multi-factor authentication process in which both entities must be authenticated with more than one authentication factor. The proposed model has been designed to be easily applicable with minimum impact on current Internet banking systems. Its goal is to be resistant to the now all too frequent phishing and pharming attacks, and also to more classical ones like social engineering or man-in-the-middle attacks.
The key point of this model is the need for multi-factor mutual authentication, instead of simply basing security on the digital certificate of the financial entity, since in many cases users are not able to discern the validity of a certificate, and may not even pay attention to it. Thanks to the rules defined in this proposal, the security level of the web banking environment will increase and customers' trust will be enhanced, thus allowing a more beneficial use of this service. The proposed model has been simulated in order to demonstrate its effectiveness and feasibility.

Keywords: Authentication, bank, e-banking, phishing

1 Introduction

Phishing, as defined in Wikipedia, is "the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication" [17]. Normally phishers hijack a bank's web page and send emails to the victim in order to trick the victim into visiting the malicious site (apparently the real bank site) so as to collect the victim's bank account information and card numbers. Pharming is "a hacker's attack aiming to redirect a Web site's traffic to another, bogus Web site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software" [16]. Man in the Middle (MITM) is "a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker" [15].

A number of techniques and standards have been developed for providing information security against common threats, but currently there is no official preventive standard solution for phishing and pharming threats.
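As an added illustration of the mutual multi-factor authentication the abstract describes (this is not the authors' patented model, whose details are not given on this page), the following Python sketch assumes a per-customer key and OTP seed shared at enrolment: the bank must first prove knowledge of the customer's key before the client discloses any credential, and the client then answers with two factors bound to both nonces.

```python
import hashlib
import hmac
import os
import struct

# Constructed enrolment record (hypothetical): secrets shared out-of-band at sign-up.
# sha256 is used for the password for brevity; a real deployment would use a password KDF.
USERS = {"alice": {
    "pw_salt": b"salt-1",
    "pw_hash": hashlib.sha256(b"salt-1" + b"correct horse").digest(),
    "mutual_key": bytes.fromhex("00112233445566778899aabbccddeeff"),  # bank<->customer key
    "otp_seed": bytes.fromhex("ffeeddccbbaa99887766554433221100"),    # second-factor seed
}}

def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226 HOTP: 6-digit one-time code derived from a seed and a counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def server_proof(mutual_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Bank side: proves knowledge of the per-customer key before any credential is requested."""
    return hmac.new(mutual_key, b"server" + client_nonce + server_nonce, hashlib.sha256).digest()

def client_response(mutual_key, pw_hash, otp, client_nonce, server_nonce) -> bytes:
    """Client side: password hash and OTP bound to both nonces; neither factor travels in clear."""
    msg = b"client" + server_nonce + client_nonce + pw_hash + otp.encode()
    return hmac.new(mutual_key, msg, hashlib.sha256).digest()

def run_session(user: str, password: str, counter: int, impostor_key=None):
    """Whole exchange. impostor_key simulates a phishing/pharming site that lacks the real key.
    Returns (server_authenticated_to_client, client_authenticated_to_server)."""
    rec = USERS[user]
    client_nonce, server_nonce = os.urandom(16), os.urandom(16)
    # 1. Client sends (user, client_nonce); the bank (or an impostor) answers with server_nonce + proof.
    proof = server_proof(impostor_key if impostor_key else rec["mutual_key"], client_nonce, server_nonce)
    # 2. Client checks the proof with its own copy of the key and aborts before sending anything.
    if not hmac.compare_digest(proof, server_proof(rec["mutual_key"], client_nonce, server_nonce)):
        return (False, False)
    # 3. Client answers with both factors; the bank recomputes the same value from its records.
    pw_hash = hashlib.sha256(rec["pw_salt"] + password.encode()).digest()
    otp = hotp(rec["otp_seed"], counter)
    resp = client_response(rec["mutual_key"], pw_hash, otp, client_nonce, server_nonce)
    expected = client_response(rec["mutual_key"], rec["pw_hash"], otp, client_nonce, server_nonce)
    return (True, hmac.compare_digest(resp, expected))
```

A bare relay by an active man-in-the-middle that forwards both messages unchanged is not detected by this exchange alone; binding the proofs to the TLS channel is outside the sketch.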
There is an increasing number of new attacks and viruses against the web pages of financial entities [12], such as "phishing" and "pharming" frauds, which must be addressed in order to guarantee customers' trust in web banking services. No standard exists to address and manage phishing and pharming attacks. The multi-factor mutual authentication process presented here makes it possible to detect and then address these two threats. Our authentication model also works securely in the presence of these threats.

The specific novelty of this work is the mutual authentication method, which, if correctly implemented, avoids many threats such as phishing, pharming, man-in-the-middle attacks and identity theft. A mutual authentication