Fr. 176.00

Phishing and Countermeasures - Understanding the Increasing Problem of Electronic Identity Theft

English · Hardback


Description


About the authors

MARKUS JAKOBSSON, PhD, is Associate Professor in the School of Informatics at Indiana University, where he is also Associate Director of the Center for Applied Cybersecurity Research. Dr. Jakobsson is the former editor of RSA CryptoBytes. He is a noted authority on the subject of phishing and is regularly invited to speak on the topic at conferences and workshops.

STEVEN MYERS, PhD, is Assistant Professor in the School of Informatics at Indiana University and a member of the University's Center for Applied Cybersecurity Research. Dr. Myers worked on secure email anti-phishing technology at Echoworx Corporation, and has written several papers on cryptography, distributed systems, and probabilistic combinatorics.

Back-cover text

"This book is the encyclopedia of phishing. It provides views from the payment, human, and technical perspectives. The material is remarkably readable--each chapter is contributed by an expert on that topic, but none require specialized background on the part of the reader. The text will be useful for any professional who seeks to understand phishing."--Directors of the International Financial Cryptography Association (IFCA)

Phishing attacks, or the practice of deceiving people into revealing sensitive data on a computer system, continue to mount. Here is the information you need to understand how phishing works, how to detect it, and how to prevent it.

Phishing and Countermeasures begins with a technical introduction to the problem, setting forth the tools and techniques that phishers use, along with the current security technology and countermeasures used to thwart them. Readers are introduced not only to current phishing techniques, but also to emerging and future threats and the countermeasures that will be needed to stop them. The potential and limitations of every countermeasure presented in the text are explored in detail. Although phishing attacks constantly evolve, much of the material in this book will remain valid, because the book covers general principles as much as actual instances of phishing.

While delving into a myriad of countermeasures and defense strategies, the authors also focus on the role of the user in preventing phishing attacks. The authors assert that countermeasures often fail not for technical reasons, but because users are unable or unwilling to use them. In response, the authors present a number of countermeasures that are simple for users to implement, or that can be activated without a user's direct participation. Moreover, the authors propose strategies for educating users. The text concludes with a discussion of how researchers and security professionals can ethically and legally perform phishing experiments to test the effectiveness of their defense strategies against the strength of current and future attacks.

Each chapter of the book features an extensive bibliography to help readers explore individual topics in greater depth. With phishing an ever-growing threat, the strategies presented in this text are vital for technical managers, engineers, and security professionals tasked with protecting users from unwittingly giving out sensitive data. It is also recommended as a textbook for students in computer science and informatics.

List of contents

Preface.
 
Acknowledgements.
 
1. Introduction to Phishing.
 
1.1 What is Phishing?
 
1.2 A Brief History of Phishing.
 
1.3 The Costs to Society of Phishing.
 
1.4 A Typical Phishing Attack.
 
1.5 Evolution of Phishing.
 
1.6 Case Study: Phishing on Froogle.
 
1.7 Protecting Users from Phishing.
 
References.
 
2. Phishing Attacks: Information Flow and Chokepoints.
 
2.1 Types of Phishing Attacks.
 
2.2 Technology, Chokepoints and Countermeasures.
 
References.
 
3. Spoofing and Countermeasures.
 
3.1 Email Spoofing.
 
3.2 IP Spoofing.
 
3.3 Homograph Attacks Using Unicode.
 
3.4 Simulated Browser Attack.
 
3.5 Case Study: Warning the User About Active Web Spoofing.
 
References.
 
4. Pharming and Client Side Attacks.
 
4.1 Malware.
 
4.2 Malware Defense Strategies.
 
4.3 Pharming.
 
4.4 Case Study: Pharming with Appliances.
 
4.5 Case Study: Race-Pharming.
 
References.
 
5. Status Quo Security Tools.
 
5.1 An overview of Anti-Spam Techniques.
 
5.2 Public Key Cryptography and its Infrastructure.
 
5.3 SSL Without a PKI.
 
5.4 Honeypots.
 
References.
 
6. Adding Context to Phishing Attacks: Spear Phishing.
 
6.1 Overview of Context Aware Phishing.
 
6.2 Modeling Phishing Attacks.
 
6.3 Case Study: Automated Trawling for Public Private Data.
 
6.4 Case Study: Using Your Social Network Against You.
 
6.5 Case Study: Browser Recon Attacks.
 
6.6 Case Study: Using the Autofill feature in Phishing.
 
6.7 Case Study: Acoustic Keyboard Emanations.
 
References.
 
7. Human-Centered Design Considerations.
 
7.1 Introduction: The Human Context of Phishing and Online Security.
 
7.2 Understanding and Designing for Users.
 
7.3 Mis-Education.
 
References.
 
8. Passwords.
 
8.1 Traditional Passwords.
 
8.2 Case Study: Phishing in Germany.
 
8.3 Security Questions as Password Reset Mechanisms.
 
8.4 One-Time Password Tokens.
 
References.
 
9. Mutual Authentication and Trusted Pathways.
 
9.1 The Need for Reliable Mutual Authentication.
 
9.2 Password Authenticated Key Exchange.
 
9.3 Delayed Password Disclosure.
 
9.4 Trusted Path: How To Find Trust in an Unscrupulous World.
 
9.5 Dynamic Security Skins.
 
9.6 Browser Enhancements for Preventing Phishing.
 
References.
 
10. Biometrics and Authentication.
 
10.1 Biometrics.
 
10.2 Hardware Tokens for Authentication and Authorization.
 
10.3 Trusted Computing Platforms and Secure Operating Systems.
 
10.4 Secure Dongles and PDAs.
 
10.5 Cookies for Authentication.
 
10.6 Lightweight Email Signatures.
 
References.
 
11. Making Takedown Difficult.
 
11.1 Detection and Takedown.
 
References.
 
12. Protecting Browser State.
 
12.1 Client-Side Protection of Browser State.
 
12.2 Server-Side Protection of Browser State.
 
References.
 
13. Browser Toolbars.
 
13.1 Browser-Based Anti-Phishing Tools.
 
13.2 Do Browser Toolbars Actually Prevent Phishing?
 
References.
 
14. Social Networks.
 
14.1 The Role of Trust Online.
 
14.2 Existing Solutions for Securing Trust Online.
 
14.3 Case Study: "Net Trust".
 
14.4 The Risk of Social Networks.
 
References.

Report

"...I highly recommend this as a must-read book in the collection of phishing literature." (Computing Reviews.com, September 13, 2007)
"...may be used as a textbook or a comprehensive reference for individuals involved with Internet security..." (CHOICE, July 2007)
