SlideShare a Scribd company logo

COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS

IJCSEA Journal
IJCSEA Journal

A counter challenge authentication method is presented for authentication of online users of web applications. The authentication method involves a counter challenge from a user to a web application asking to provide certain information from one or more user details recorded at the time of registration. The user enters his password and logs into the web application only in case the correct answer is received from the web application. This advanced authentication method protects online application users from phishing attacks. An incorrect answer or inability of the web application to provide the correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and stopping submission of password to phishers. The authentication method is computer independent and eliminates dependency on two-factor authentication, hardware tokens, client software installations, digital certificates, and user defined seals.

Science
1 of 8
Download to read offline
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 DOI: 10.5121/ijcsea.2020.10101 1 COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS Cheman Shaik VISH Consulting Services Inc, 6242 N Hoyne Avenue, Chicago IL 60659, USA ABSTRACT A counter challenge authentication method is presented for authentication of online users of web ap- plications. The authentication method involves a counter challenge from a user to a web application asking to provide certain information from one or more user details recorded at the time of registra- tion. The user enters his password and logs into the web application only in case the correct answer is received from the web application. This advanced authentication method protects online application users from phishing attacks. An incorrect answer or inability of the web application to provide the correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and stopping submission of password to phishers. The authentication method is computer independent and eliminates dependency on two-factor authentication, hardware tokens, client software installations, digital certificates, and user defined seals. KEYWORDS Phishing Attacks, Counter Challenge, Social Engineering. 1. INTRODUCTION Phishing is a kind of attack mounted through a spoofing spam that causes serious data or fi- nancial losses to consumer based online businesses. In phishing attack, a fraudulent mass email is sent to a huge count of users, impersonating a target organization with a message to update their personal information such as User Id and password related to a web application, failing which their accounts will be deleted or access to the concerned web application will be blocked. The reason for the sudden requirement of updating personal information is often stated in the phishing mail by the attacker as some enhancement of security applications that has taken place on the web server. Unaware of the trick, many times users submit their per- sonal information, which is directed to a fraudulent server owned by the attacker. Once the attacker captures the personal information, it will be used for fraudulent transactions with the web application. Sometimes, the personal information that a phisher asks for may also in- clude credit card, social security, and bank account numbers. Phishing attacks usually target users of online banking, payment services and e-commerce sites. Many of the major banks across the world fell victim to phishing attacks at least once. Phishers develop a login web page that exactly resembles that of a target organization, in- cluding the logo and images, and send it to target users in an email message, asking them to login immediately to keep their accounts active. Sometimes, they send an email only with a link to the login page that they host on their fraudulent server. Most of the times, the login page is hosted at a URL (Uniform Resource Locator) that mostly matches with that of the
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 2 original, genuine login page, except with a slight difference in the domain name, which is rarely spotted by users. The consequences of a phishing attack for an online business include direct financial losses caused by fraudulent transactions performed with the stolen information, loss of reputation and customers, customer law suits, fall of shareholder value, and unexpected expenditure to meet post-attack requirements as per federal regulations. 2. AVAILABLE SOLUTIONS Phishing has no perfect, simple solution as it is more a social engineering problem than a technical one. An early approach to contain phishing attacks involved user education with guidelines such as for not responding to emails asking for any personal information, verifica- tion of URLs while furnishing login credentials in any web page, and verifying IP (Internet Protocol) address of the sender of phishing email. However, despite the above approach, phishers continued to be successful in targeting online web application users and stealing valuable personal information. Utilizing a URL masking vulnerability of the Internet Explorer browser discovered in 2003, phishers used to cheat web application users and steal their personal information. Later, in the wake of growing phishing attacks, some commercial service companies emerged in the market, with a service offering to constantly monitor a domain name system, and registrars to spot domain names that spell closer to existing domain names and are used to launch dupli- cate websites to cheat customers. As and when such counterfeit domains are identified, the original domain owners are informed of the potential threat. Also, anti-spam service provid- ers offered to scan emails for potential phishing attacks and report them to the targeted com- panies. However, these approaches are reactive in nature and can only lower the impact of a phishing attack by alerting a company of phishing attacks already in progress. Two-factor authentication is another approach introduced by product-based security compa- nies. This approach requires that users of an online web application use a second factor of authentication such as a hardware token or smart card provided by the application owner. After a user submits his login credentials for authentication, the web application further prompts him to enter a number that his hardware token generates or enter his smart card in the reader slit of his computer. Though this approach provides a definitive solution to phish- ing attacks, it carries its own disadvantages such as high hardware token cost, client software installation, high management costs and user education requirements. Unfortunately, hackers have become successful even in defeating two-factor authentication by creating a phony process to both phish victim’s passwords and the special two-factor au- thentication code [1] . Another approach to spotting phishing attacks is comparing a mail server IP address with the email sender’s domain name[2] . However, the email sender’s domain name can be spoofed to fool users, and the comparison task is not easy for a layman without much knowledge of do- main names and IP addresses. One more approach that has been tried by corporations to con- tain phishing attacks is digitally signed emails wherein the sender attaches his digital signa- ture to his email[3] . However, as a phisher also could have digitally signed with his valid digi- tal signature, it requires that the email recipient verify and identify the phisher’s misleading domain name.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 3 Some banks have their own solution to phishing attacks. A user of their web application can select a seal that will be displayed on the login page whenever the login page is displayed. However, the seal appears only on the computer that is used to select the seal. When the user switches to another computer, the seal management application would not be able to detect the user and identify a corresponding seal. A browser plugin named Antiphishkeeps track of sensitive information and warns users when sensitive information is entered in web pages. However, AntiPhish flags even legitimate re- use of credentials as suspicious and is therefore not reliable [4] . Similarly, SpoofGuardis an- other browser plugin that examines webpagesandwarnsuserswhenwebpageshaveahighproba- bilityofbeingspoofs, based on their URL, images, and links. However, SpoofGuard checks can be evaded by simple modifications to spoof pages[5] . Many browsers have in-built defending mechanisms through active or passive indicators against phishing sites. Active indicators throw warning popups against suspicious sites whereas passive indicators do not interrupt users and are less effective [6] . Some times even active indicators fail to work if a user disables popup in his browser. The shortcomings of all the solutions discussed above to defeat phishing call for a more sim- ple, technical, computer-independent solution to phishing, without demanding additional hardware, software, and education on the part of end users. 3. COUNTER CHALLENGE AUTHENTICATION Counter Challenge Authentication is an efficient approach to contain phishing attacks. It provides a simple, computer-independent, technical method for defeating phishing attacks, without requiring any education on the part of users. The method utilizes a user challenge to the authentication server prior to authentication in order to overcome the phishing problem. As it is clear to web application users, authentication is a process wherein a web application verifies if a user is registered and holds an account on its systems. In order to meet the challenge, a user enters his User Id and Password in a login page and submits it to the web application. Subsequently, the web application verifies if the user credentials received already exist in its user database. If the verification proves the user is already registered, access is allowed to the web application, else access is denied. This mechanism of straight authentication was developed in the early stages of web technology when no one could foresee phishing attacks as a daunting future problem. Today, this straight authentication mechanism has proved inefficient to thwart phishing attacks. Counter challenge authentication is an advanced authentication method enabling users to safely login to web applications, without falling prey to phishers. In this method, a user poses a counter challenge to a web application through a challenge page displayed in his browser. A simple challenge page as shown in Fig. 1 may comprise an input box for User Id, a message below the input box asking the user to pose a challenge by requesting certain information from his personal details corresponding to the selection of certain input elements displayed on the web page.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 4 Fig.1. A counter challenge page used in authentication process The input for a challenge may be provided by checking one or more of a set of check boxes available on the challenge web page as shown in Fig.2. In a generic sense, input may also be provided by selecting items from a number of drop-down lists, clicking a number of buttons, filling one or more input boxes or clicking one or more images available in the challenge web page. The selected items, clicked buttons, images, or the information filled in the boxes represent the characters or values that the user requests from the web application. Fig. 2. A counter challenge page with user input The web application will return in response the letters or values as requested from the user’s personal details. For instance, if a user checks the 4th and 7th check boxes in the set of check boxes representing the user’s name, the response from the web application will return, as shown in Fig. 3, the 4th and 7th letters from the user’s name as registered with the web application, in an email to the user’s email address or to his mobile phone.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 5 Fig. 3. A message sent to a user’s email address in response to the user’s challenge The message in the email or to the mobile phone advises the user to proceed to login only in case the answer provided to the challenge is correct. The email message sent to the user comprises a link to the safe login page as shown in Fig. 4 which the user is supposed to click only if the answer provided is correct. When a message is sent to a user’s mobile phone, the user is supposed to verify the correctness of the answer and then enter the user’s password in a web page which could be the same web page used for counter challenge or a different one. Fig.4. Asafe login page displayed after answering a user’s challenge The counter challenge page may also provide an option as shown in Fig. 5 as to where the answer to the challenge needs to be received. The user may indicate his choice as email or mobile phone through a couple of radio buttons or similar user interface elements provided in the challenge page.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 6 Fig.5. A counter challenge page with email and mobile options to receive answer The concept of counter challenge by a user before login and providing an answer by the authenticating web application to the counter challenge protects a user from phishing attacks as the user refrains from submitting his password, in case the web application fails to provide the correct answer. A phisher’s fraudulent web application will be unable to correctly answer a user’s challenge as it lacks the required information to meet the challenge. Any failure to respond to user’s challenge or incorrectness of response is a clear indication of a phishing attack. Only the genuine web application can answer the user’s challenge as it has all the user details captured and stored at the time of registration. This simple technique of counter challenge authentication inherently includes a defeating mechanism against phishing attacks. 4. IMPLEMENTATION Counter challenge authentication can be implemented in a single login page also using AJAX (Asynchronous JavaScript and XML) and DHTML (Dynamic Hypertext Markup Language). In such an implementation, the login page comprises an input box for user id, a series of check boxes or other input elements, and a “Challenge” button in visible form. Another input box for password and a Login button are also embedded in the same login page in hidden form. A user enters his user id, selects some check boxes or input elements available in the login page, and then clicks the “Challenge” button. The web application responds to the challenge in the same page with the correct answer, and at the same time the hidden password box and the Login button are made visible on the web page, while hiding the Challenge button. The web application also displays a message on the same login page to enter password only if the answer to the challenge is correct.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 7 5. ADVANTAGES An advantage of a counter challenge authentication method is it does not require any user education, and it only requires that users read the messages and act accordingly during the process of authentication. Users automatically get educated and used to counter challenge authentication as its look and feel is entirely different from the traditional login pages. Users easily conceive what they are doing, what is happening and what they are supposed to do in order to avoid phishing attacks. Another advantage of this authentication technique is it is computer independent, unlike a user-seal based solution to phishing. It enables users to login to their accounts through any computer, irrespective of its IP address and geographic location, thereby eliminating dependency on one’s own personal or regular usage computer. Further, this authentication technique eliminates dependency on client software installations and digital signatures. Counter challenge authentication works as an alternative to expensive hardware tokens, thereby avoiding cost and maintenance issues. Post attack panic and cost of meeting legal procedural requirements can be avoided with this technique. The method of counter challenge authentication can be used in many other ways than the one described above. Instead of requesting letters from a user’s name, they can be requested from other details of a user, such as the user’s mother’s maiden name, university of graduation or any other personal detail that was furnished and stored in a user database at the time of registration. Further, to make the request of letters complicated, a user may be enabled to request letters from different chunks of user details. 6. NUMERICAL ANALYSIS The possibility of a successful phishing attack on users of a web application with counter challenge authentication by answering challenges with random letters or values has been studied. The study reveals that the chances of success for such a smart phisher are negligible when the number of requested letters is two, and gets close to zero as the number increases. The following table shows the probability figures of a phisher’s success with respect to the number of letters requested in the challenge of authentication. Table1. Probability figures of successful phishing attack Number of requested letters Probability of successful phishing attack 2 1/262 = 0.00148 3 1/263 = 0.00006 4 1/264 = 0.000002 5 1/265 = 0.000000084 The above figures were calculated based on the assumption users’ names are always permutations of 26 letters of the English alphabet. However, numbers, period, white space and uppercase letters are not considered in computing the above figures, which, if considered, may further curtail the chances of success.
International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 8 7. LIMITATIONS OR DEFICIENCIES The proposed method and solution to phishing attacks does not suffer any limitations or deficiencies in implementation. The implementation is simple, easy and straight forward. The only resistance by the user community is the method’s deviation from the age-old, traditional login method that allows login with a single button click. However, the user community will get accustomed to the new login method in a very short period as they well understand and realize its benefits. 8. RECOMMENDATIONS FOR FUTURE WORK The solution discussed to defeat phishing attacks uses data provided by users at the time of registration. The concept and method are illustrated with the help of the most common data such as users’ name, address, date of birth etc. For future work it is recommended that a vast, detailed survey may be conducted on the different types of data collected by online web application during registration and probability figures of successful phishing attacks may be computed for all possible combinations thereof. 9. CONCLUSION Counter challenge authentication methodis a definite, technical solution to phishing attacks and will be very useful for e-commerce applications, e-banking systems, email and web hosting services, and all other web applications that require user authentication. Once implemented by online applications and adapted by users, it saves even laymen from falling prey to phishing attacks as it does not require any user education. REFERENCES 1. Mashable webpage, https://mashable.com/article/hackers-beat-two-factor-authentication-2fa- phishing/, last accessed 2019/12/29 2. Univ. of Texas webpage, https://identity.utexas.edu/everyone/spotting-a-phishing-email, last ac- cessed 2019/12/29 3. GlobalSign webpage, https://www.globalsign.com/en/blog/how-to-spot-a-phishing-email/, last accessed 2019/12/29 4. Dr. Radha Damodaram: Study on Phishing Attacks and Antiphishing Tools. International Re- search Journal of Engineering and Technology (IRJET)3 (1), 700-705 (2016) 5. Rachna Dhamija, J.D. Tygar: Human Interactive Proofs to Detect Phishing Attacks. In Human Interactive Proofs: Second International Workshop (HIP 2005), eds. H. Baird and D. Lopresti, Springer, May 2005, pp. 127-141 6. Ike Vayansky and Sathish Kumar:Phishing – challenges and solutions.Computer Fraud & Securi- ty. January 2018, pp. 15-20

Recommended

Current Issue: February 2020, Volume 10, Number 1 --- Table of Contents
Current Issue: February 2020, Volume 10, Number 1 --- Table of ContentsCurrent Issue: February 2020, Volume 10, Number 1 --- Table of Contents
Current Issue: February 2020, Volume 10, Number 1 --- Table of ContentsIJCSEA Journal
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsIRJET Journal
 
INTERNET BANKING & SECURITY ANALYSIS
INTERNET BANKING & SECURITY ANALYSISINTERNET BANKING & SECURITY ANALYSIS
INTERNET BANKING & SECURITY ANALYSISRAHUL KUMAR
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET Journal
 
Phishing
PhishingPhishing
PhishingHK Khemnani
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarkingEditor Jacotech
 
IRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET Journal
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsWeak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsOilPriceInformationService
 

Recommended

Current Issue: February 2020, Volume 10, Number 1 --- Table of Contents
Current Issue: February 2020, Volume 10, Number 1 --- Table of ContentsCurrent Issue: February 2020, Volume 10, Number 1 --- Table of Contents
Current Issue: February 2020, Volume 10, Number 1 --- Table of ContentsIJCSEA Journal
 
Study on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsStudy on Phishing Attacks and Antiphishing Tools
Study on Phishing Attacks and Antiphishing ToolsIRJET Journal
 
INTERNET BANKING & SECURITY ANALYSIS
INTERNET BANKING & SECURITY ANALYSISINTERNET BANKING & SECURITY ANALYSIS
INTERNET BANKING & SECURITY ANALYSISRAHUL KUMAR
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET Journal
 
Phishing
PhishingPhishing
PhishingHK Khemnani
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarkingEditor Jacotech
 
IRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET- Phishing and Anti-Phishing Techniques
IRJET- Phishing and Anti-Phishing TechniquesIRJET Journal
 
Weak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsWeak Links: Cyber Attacks in the News & How to Protect Your Assets
Weak Links: Cyber Attacks in the News & How to Protect Your AssetsOilPriceInformationService
 
What risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdfWhat risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdfprajeetjain
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Zsun
ZsunZsun
ZsunHai Nguyen
 
Exploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In PhishingExploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In PhishingMuhammad Haroon CISM PCI QSA ISMS LA CPTS CEH
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Alan McSweeney
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishingIJCSES Journal
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
Major Prc.pptx
Major Prc.pptxMajor Prc.pptx
Major Prc.pptxDatlaSravya1
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...Milos Pesic
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!Caroline Johnson
 
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.IRJET Journal
 
Role Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsRole Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsITIO Innovex
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
Amazon & E Bay
Amazon & E BayAmazon & E Bay
Amazon & E BaySabyasachi Dasgupta
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention CMR WORLD TECH
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfNistarini College, Purulia (W.B) India
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 

More Related Content

Similar to COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS

What risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdfWhat risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdfprajeetjain
 
76 s201923
76 s20192376 s201923
76 s201923IJRAT
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresIRJET Journal
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Alan McSweeney
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishingIJCSES Journal
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheetHai Nguyen
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...Milos Pesic
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportChris Taylor
 
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!Caroline Johnson
 
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.IRJET Journal
 
Role Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsRole Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsITIO Innovex
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online bankingJakub Kałużny
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention CMR WORLD TECH
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 

Similar to COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS (20)

What risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdfWhat risks do Web and database attacks create for an organization.pdf
What risks do Web and database attacks create for an organization.pdf
 
76 s201923
76 s20192376 s201923
76 s201923
 
Zsun
ZsunZsun
Zsun
 
Exploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In PhishingExploring And Investigating New Dimensions In Phishing
Exploring And Investigating New Dimensions In Phishing
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
 
A literature survey on anti phishing
A literature survey on anti phishingA literature survey on anti phishing
A literature survey on anti phishing
 
Identity cues two factor data sheet
Identity cues two factor data sheetIdentity cues two factor data sheet
Identity cues two factor data sheet
 
Major Prc.pptx
Major Prc.pptxMajor Prc.pptx
Major Prc.pptx
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
securing-consumer-portals-consumer-access-management-as-business-driver-and-p...
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
 
CYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_ReportCYREN_Q1_2015_Trend_Report
CYREN_Q1_2015_Trend_Report
 
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
What All You Need To Know About Multi-Factor Authentication & IVR in Banking!
 
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
Understanding Social Engineering and it’s impact on Merchant basedUPI frauds.
 
Role Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online TransactionsRole Of Two Factor Authentication In Safeguarding Online Transactions
Role Of Two Factor Authentication In Safeguarding Online Transactions
 
Script based malware detection in online banking
Script based malware detection in online bankingScript based malware detection in online banking
Script based malware detection in online banking
 
Amazon & E Bay
Amazon & E BayAmazon & E Bay
Amazon & E Bay
 
Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention Winning the war on cybercrime keys to holistic fraud prevention
Winning the war on cybercrime keys to holistic fraud prevention
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 

Recently uploaded

Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxkessiyaTpeter
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000Sapana Sha
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxgindu3009
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)PraveenaKalaiselvan1
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPirithiRaju
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Lokesh Kothari
 
Botany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsBotany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsSumit Kumar yadav
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxpradhanghanshyam7136
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)Areesha Ahmad
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCEPRINCE C P
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxUmerFayaz5
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPirithiRaju
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfSumit Kumar yadav
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhousejana861314
 

Recently uploaded (20)

CELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdfCELL -Structural and Functional unit of life.pdf
CELL -Structural and Functional unit of life.pdf
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
 
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 60009654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
9654467111 Call Girls In Raj Nagar Delhi Short 1500 Night 6000
 
Presentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptxPresentation Vikram Lander by Vedansh Gupta.pptx
Presentation Vikram Lander by Vedansh Gupta.pptx
 
Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)Recombinant DNA technology (Immunological screening)
Recombinant DNA technology (Immunological screening)
 
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdfPests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
Pests of cotton_Borer_Pests_Binomics_Dr.UPR.pdf
 
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
Labelling Requirements and Label Claims for Dietary Supplements and Recommend...
 
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
9953056974 Young Call Girls In Mahavir enclave Indian Quality Escort service
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
 
Botany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questionsBotany krishna series 2nd semester Only Mcq type questions
Botany krishna series 2nd semester Only Mcq type questions
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptx
 
GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)GBSN - Microbiology (Unit 2)
GBSN - Microbiology (Unit 2)
 
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCESTERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
STERILITY TESTING OF PHARMACEUTICALS ppt by DR.C.P.PRINCE
 
Animal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptxAnimal Communication- Auditory and Visual.pptx
Animal Communication- Auditory and Visual.pptx
 
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdfPests of cotton_Sucking_Pests_Dr.UPR.pdf
Pests of cotton_Sucking_Pests_Dr.UPR.pdf
 
Botany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdfBotany 4th semester file By Sumit Kumar yadav.pdf
Botany 4th semester file By Sumit Kumar yadav.pdf
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
Orientation, design and principles of polyhouse
Orientation, design and principles of polyhouseOrientation, design and principles of polyhouse
Orientation, design and principles of polyhouse
 

COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS

  • 1. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 DOI: 10.5121/ijcsea.2020.10101 1 COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATTACKS Cheman Shaik VISH Consulting Services Inc, 6242 N Hoyne Avenue, Chicago IL 60659, USA ABSTRACT A counter challenge authentication method is presented for authentication of online users of web ap- plications. The authentication method involves a counter challenge from a user to a web application asking to provide certain information from one or more user details recorded at the time of registra- tion. The user enters his password and logs into the web application only in case the correct answer is received from the web application. This advanced authentication method protects online application users from phishing attacks. An incorrect answer or inability of the web application to provide the correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and stopping submission of password to phishers. The authentication method is computer independent and eliminates dependency on two-factor authentication, hardware tokens, client software installations, digital certificates, and user defined seals. KEYWORDS Phishing Attacks, Counter Challenge, Social Engineering. 1. INTRODUCTION Phishing is a kind of attack mounted through a spoofing spam that causes serious data or fi- nancial losses to consumer based online businesses. In phishing attack, a fraudulent mass email is sent to a huge count of users, impersonating a target organization with a message to update their personal information such as User Id and password related to a web application, failing which their accounts will be deleted or access to the concerned web application will be blocked. The reason for the sudden requirement of updating personal information is often stated in the phishing mail by the attacker as some enhancement of security applications that has taken place on the web server. Unaware of the trick, many times users submit their per- sonal information, which is directed to a fraudulent server owned by the attacker. Once the attacker captures the personal information, it will be used for fraudulent transactions with the web application. Sometimes, the personal information that a phisher asks for may also in- clude credit card, social security, and bank account numbers. Phishing attacks usually target users of online banking, payment services and e-commerce sites. Many of the major banks across the world fell victim to phishing attacks at least once. Phishers develop a login web page that exactly resembles that of a target organization, in- cluding the logo and images, and send it to target users in an email message, asking them to login immediately to keep their accounts active. Sometimes, they send an email only with a link to the login page that they host on their fraudulent server. Most of the times, the login page is hosted at a URL (Uniform Resource Locator) that mostly matches with that of the
  • 2. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 2 original, genuine login page, except with a slight difference in the domain name, which is rarely spotted by users. The consequences of a phishing attack for an online business include direct financial losses caused by fraudulent transactions performed with the stolen information, loss of reputation and customers, customer law suits, fall of shareholder value, and unexpected expenditure to meet post-attack requirements as per federal regulations. 2. AVAILABLE SOLUTIONS Phishing has no perfect, simple solution as it is more a social engineering problem than a technical one. An early approach to contain phishing attacks involved user education with guidelines such as for not responding to emails asking for any personal information, verifica- tion of URLs while furnishing login credentials in any web page, and verifying IP (Internet Protocol) address of the sender of phishing email. However, despite the above approach, phishers continued to be successful in targeting online web application users and stealing valuable personal information. Utilizing a URL masking vulnerability of the Internet Explorer browser discovered in 2003, phishers used to cheat web application users and steal their personal information. Later, in the wake of growing phishing attacks, some commercial service companies emerged in the market, with a service offering to constantly monitor a domain name system, and registrars to spot domain names that spell closer to existing domain names and are used to launch dupli- cate websites to cheat customers. As and when such counterfeit domains are identified, the original domain owners are informed of the potential threat. Also, anti-spam service provid- ers offered to scan emails for potential phishing attacks and report them to the targeted com- panies. However, these approaches are reactive in nature and can only lower the impact of a phishing attack by alerting a company of phishing attacks already in progress. Two-factor authentication is another approach introduced by product-based security compa- nies. This approach requires that users of an online web application use a second factor of authentication such as a hardware token or smart card provided by the application owner. After a user submits his login credentials for authentication, the web application further prompts him to enter a number that his hardware token generates or enter his smart card in the reader slit of his computer. Though this approach provides a definitive solution to phish- ing attacks, it carries its own disadvantages such as high hardware token cost, client software installation, high management costs and user education requirements. Unfortunately, hackers have become successful even in defeating two-factor authentication by creating a phony process to both phish victim’s passwords and the special two-factor au- thentication code [1] . Another approach to spotting phishing attacks is comparing a mail server IP address with the email sender’s domain name[2] . However, the email sender’s domain name can be spoofed to fool users, and the comparison task is not easy for a layman without much knowledge of do- main names and IP addresses. One more approach that has been tried by corporations to con- tain phishing attacks is digitally signed emails wherein the sender attaches his digital signa- ture to his email[3] . However, as a phisher also could have digitally signed with his valid digi- tal signature, it requires that the email recipient verify and identify the phisher’s misleading domain name.
  • 3. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 3 Some banks have their own solution to phishing attacks. A user of their web application can select a seal that will be displayed on the login page whenever the login page is displayed. However, the seal appears only on the computer that is used to select the seal. When the user switches to another computer, the seal management application would not be able to detect the user and identify a corresponding seal. A browser plugin named Antiphishkeeps track of sensitive information and warns users when sensitive information is entered in web pages. However, AntiPhish flags even legitimate re- use of credentials as suspicious and is therefore not reliable [4] . Similarly, SpoofGuardis an- other browser plugin that examines webpagesandwarnsuserswhenwebpageshaveahighproba- bilityofbeingspoofs, based on their URL, images, and links. However, SpoofGuard checks can be evaded by simple modifications to spoof pages[5] . Many browsers have in-built defending mechanisms through active or passive indicators against phishing sites. Active indicators throw warning popups against suspicious sites whereas passive indicators do not interrupt users and are less effective [6] . Some times even active indicators fail to work if a user disables popup in his browser. The shortcomings of all the solutions discussed above to defeat phishing call for a more sim- ple, technical, computer-independent solution to phishing, without demanding additional hardware, software, and education on the part of end users. 3. COUNTER CHALLENGE AUTHENTICATION Counter Challenge Authentication is an efficient approach to contain phishing attacks. It provides a simple, computer-independent, technical method for defeating phishing attacks, without requiring any education on the part of users. The method utilizes a user challenge to the authentication server prior to authentication in order to overcome the phishing problem. As it is clear to web application users, authentication is a process wherein a web application verifies if a user is registered and holds an account on its systems. In order to meet the challenge, a user enters his User Id and Password in a login page and submits it to the web application. Subsequently, the web application verifies if the user credentials received already exist in its user database. If the verification proves the user is already registered, access is allowed to the web application, else access is denied. This mechanism of straight authentication was developed in the early stages of web technology when no one could foresee phishing attacks as a daunting future problem. Today, this straight authentication mechanism has proved inefficient to thwart phishing attacks. Counter challenge authentication is an advanced authentication method enabling users to safely login to web applications, without falling prey to phishers. In this method, a user poses a counter challenge to a web application through a challenge page displayed in his browser. A simple challenge page as shown in Fig. 1 may comprise an input box for User Id, a message below the input box asking the user to pose a challenge by requesting certain information from his personal details corresponding to the selection of certain input elements displayed on the web page.
  • 4. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 4 Fig.1. A counter challenge page used in authentication process The input for a challenge may be provided by checking one or more of a set of check boxes available on the challenge web page as shown in Fig.2. In a generic sense, input may also be provided by selecting items from a number of drop-down lists, clicking a number of buttons, filling one or more input boxes or clicking one or more images available in the challenge web page. The selected items, clicked buttons, images, or the information filled in the boxes represent the characters or values that the user requests from the web application. Fig. 2. A counter challenge page with user input The web application will return in response the letters or values as requested from the user’s personal details. For instance, if a user checks the 4th and 7th check boxes in the set of check boxes representing the user’s name, the response from the web application will return, as shown in Fig. 3, the 4th and 7th letters from the user’s name as registered with the web application, in an email to the user’s email address or to his mobile phone.
  • 5. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 5 Fig. 3. A message sent to a user’s email address in response to the user’s challenge The message in the email or to the mobile phone advises the user to proceed to login only in case the answer provided to the challenge is correct. The email message sent to the user comprises a link to the safe login page as shown in Fig. 4 which the user is supposed to click only if the answer provided is correct. When a message is sent to a user’s mobile phone, the user is supposed to verify the correctness of the answer and then enter the user’s password in a web page which could be the same web page used for counter challenge or a different one. Fig.4. Asafe login page displayed after answering a user’s challenge The counter challenge page may also provide an option as shown in Fig. 5 as to where the answer to the challenge needs to be received. The user may indicate his choice as email or mobile phone through a couple of radio buttons or similar user interface elements provided in the challenge page.
  • 6. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 6 Fig.5. A counter challenge page with email and mobile options to receive answer The concept of counter challenge by a user before login and providing an answer by the authenticating web application to the counter challenge protects a user from phishing attacks as the user refrains from submitting his password, in case the web application fails to provide the correct answer. A phisher’s fraudulent web application will be unable to correctly answer a user’s challenge as it lacks the required information to meet the challenge. Any failure to respond to user’s challenge or incorrectness of response is a clear indication of a phishing attack. Only the genuine web application can answer the user’s challenge as it has all the user details captured and stored at the time of registration. This simple technique of counter challenge authentication inherently includes a defeating mechanism against phishing attacks. 4. IMPLEMENTATION Counter challenge authentication can be implemented in a single login page also using AJAX (Asynchronous JavaScript and XML) and DHTML (Dynamic Hypertext Markup Language). In such an implementation, the login page comprises an input box for user id, a series of check boxes or other input elements, and a “Challenge” button in visible form. Another input box for password and a Login button are also embedded in the same login page in hidden form. A user enters his user id, selects some check boxes or input elements available in the login page, and then clicks the “Challenge” button. The web application responds to the challenge in the same page with the correct answer, and at the same time the hidden password box and the Login button are made visible on the web page, while hiding the Challenge button. The web application also displays a message on the same login page to enter password only if the answer to the challenge is correct.
  • 7. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 7 5. ADVANTAGES An advantage of a counter challenge authentication method is it does not require any user education, and it only requires that users read the messages and act accordingly during the process of authentication. Users automatically get educated and used to counter challenge authentication as its look and feel is entirely different from the traditional login pages. Users easily conceive what they are doing, what is happening and what they are supposed to do in order to avoid phishing attacks. Another advantage of this authentication technique is it is computer independent, unlike a user-seal based solution to phishing. It enables users to login to their accounts through any computer, irrespective of its IP address and geographic location, thereby eliminating dependency on one’s own personal or regular usage computer. Further, this authentication technique eliminates dependency on client software installations and digital signatures. Counter challenge authentication works as an alternative to expensive hardware tokens, thereby avoiding cost and maintenance issues. Post attack panic and cost of meeting legal procedural requirements can be avoided with this technique. The method of counter challenge authentication can be used in many other ways than the one described above. Instead of requesting letters from a user’s name, they can be requested from other details of a user, such as the user’s mother’s maiden name, university of graduation or any other personal detail that was furnished and stored in a user database at the time of registration. Further, to make the request of letters complicated, a user may be enabled to request letters from different chunks of user details. 6. NUMERICAL ANALYSIS The possibility of a successful phishing attack on users of a web application with counter challenge authentication by answering challenges with random letters or values has been studied. The study reveals that the chances of success for such a smart phisher are negligible when the number of requested letters is two, and gets close to zero as the number increases. The following table shows the probability figures of a phisher’s success with respect to the number of letters requested in the challenge of authentication. Table1. Probability figures of successful phishing attack Number of requested letters Probability of successful phishing attack 2 1/262 = 0.00148 3 1/263 = 0.00006 4 1/264 = 0.000002 5 1/265 = 0.000000084 The above figures were calculated based on the assumption users’ names are always permutations of 26 letters of the English alphabet. However, numbers, period, white space and uppercase letters are not considered in computing the above figures, which, if considered, may further curtail the chances of success.
  • 8. International Journal of Computer Science, Engineering and Applications (IJCSEA) Vol.10, No.1, February 2020 8 7. LIMITATIONS OR DEFICIENCIES The proposed method and solution to phishing attacks does not suffer any limitations or deficiencies in implementation. The implementation is simple, easy and straight forward. The only resistance by the user community is the method’s deviation from the age-old, traditional login method that allows login with a single button click. However, the user community will get accustomed to the new login method in a very short period as they well understand and realize its benefits. 8. RECOMMENDATIONS FOR FUTURE WORK The solution discussed to defeat phishing attacks uses data provided by users at the time of registration. The concept and method are illustrated with the help of the most common data such as users’ name, address, date of birth etc. For future work it is recommended that a vast, detailed survey may be conducted on the different types of data collected by online web application during registration and probability figures of successful phishing attacks may be computed for all possible combinations thereof. 9. CONCLUSION Counter challenge authentication methodis a definite, technical solution to phishing attacks and will be very useful for e-commerce applications, e-banking systems, email and web hosting services, and all other web applications that require user authentication. Once implemented by online applications and adapted by users, it saves even laymen from falling prey to phishing attacks as it does not require any user education. REFERENCES 1. Mashable webpage, https://mashable.com/article/hackers-beat-two-factor-authentication-2fa- phishing/, last accessed 2019/12/29 2. Univ. of Texas webpage, https://identity.utexas.edu/everyone/spotting-a-phishing-email, last ac- cessed 2019/12/29 3. GlobalSign webpage, https://www.globalsign.com/en/blog/how-to-spot-a-phishing-email/, last accessed 2019/12/29 4. Dr. Radha Damodaram: Study on Phishing Attacks and Antiphishing Tools. International Re- search Journal of Engineering and Technology (IRJET)3 (1), 700-705 (2016) 5. Rachna Dhamija, J.D. Tygar: Human Interactive Proofs to Detect Phishing Attacks. In Human Interactive Proofs: Second International Workshop (HIP 2005), eds. H. Baird and D. Lopresti, Springer, May 2005, pp. 127-141 6. Ike Vayansky and Sathish Kumar:Phishing – challenges and solutions.Computer Fraud & Securi- ty. January 2018, pp. 15-20