Phoolproof Phishing Prevention

Bryan Parno, Cynthia Kuo, Adrian Perrig

Phishing attacks exploit a user’s inability to distinguish legitimate websites from spoofed websites. Unfortunately, humans are ill-suited for performing the security checks necessary for secure site identification.

Phoolproof Phishing Prevention uses a trusted device to perform mutual authentication that eliminates reliance on perfect user behavior, thwarts Man-in-the-Middle attacks after setup, and protects a user’s account even in the presence of keyloggers and most forms of spyware.

How Does It Work?

Suppose Alice goes to her local bank branch and registers to use the Phoolproof system with her bank account. This is what happens when she goes to access her account online:

1. Alice selects the bank's secure bookmark on her mobile device (e.g., cell phone).
2. The device opens a browser on her computer and directs the browser to her bank's website.
3. The browser retrieves the bank's certificate and forwards it to Alice's mobile device.
4. The mobile device verifies the bank's certificate and sends Alice's certificate, along with a signature.
5. Alice logs in with her username and password.
6. The server verifies Alice's certificate, username, and password.
7. Alice uses the website as she normally would.

It's easy — Alice types in her username and password (as usual) and presses a button on her mobile device. With minimal effort, she can rest assured that she set up a secure connection with the right website!
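The exchange above, written out as an added Go example that is not the project's code. It models the protocol with Ed25519 keys and a deliberately simplified certificate structure (a subject name and public key signed by one CA key) instead of the X.509/TLS machinery the real system uses; the names Bookmark, DeviceRespond, ServerVerify and Login, the domain bank.example and the look-alike domain in the spoofed run are all constructed for the illustration. The point it shows is that the device, not Alice, decides whether the site is the bookmarked bank: a phishing site that holds a perfectly valid certificate for a look-alike name never receives her certificate or signature, and a signature is bound to the genuine bank's certificate and a fresh nonce so it cannot be replayed elsewhere.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Cert is a simplified stand-in for an X.509 certificate (assumption, not the paper's format):
// a subject name and public key, signed by the issuing CA over certBody(Subject, PubKey).
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, PubKey: pub, Sig: ed25519.Sign(caPriv, certBody(subject, pub))}
}

func VerifyCert(caPub ed25519.PublicKey, c Cert) bool {
	return ed25519.Verify(caPub, certBody(c.Subject, c.PubKey), c.Sig)
}

// Bookmark is what the trusted device stores when Alice registers at the branch:
// the bank's domain, its pinned public key, and her own key pair and certificate.
type Bookmark struct {
	Domain   string
	BankPub  ed25519.PublicKey
	UserPriv ed25519.PrivateKey
	UserCert Cert
}

// transcript binds the client's signature to this server's certificate and a fresh nonce,
// so a signature obtained by one site cannot be replayed to the real bank.
func transcript(bankCert Cert, nonce []byte) []byte {
	h := sha256.New()
	h.Write(certBody(bankCert.Subject, bankCert.PubKey))
	h.Write(nonce)
	return h.Sum(nil)
}

// DeviceRespond is steps 3-4: the device checks the certificate the browser forwarded
// against the bookmark and only then releases Alice's certificate and a signature.
func DeviceRespond(b Bookmark, caPub ed25519.PublicKey, bankCert Cert, nonce []byte) (Cert, []byte, error) {
	if !VerifyCert(caPub, bankCert) {
		return Cert{}, nil, errors.New("bank certificate signature invalid")
	}
	if bankCert.Subject != b.Domain || !bytes.Equal(bankCert.PubKey, b.BankPub) {
		return Cert{}, nil, errors.New("certificate does not match the bookmarked bank")
	}
	return b.UserCert, ed25519.Sign(b.UserPriv, transcript(bankCert, nonce)), nil
}

// Account is the bank's record for one user: password plus the certificate registered at the branch.
type Account struct {
	Password string
	Cert     Cert
}

// ServerVerify is step 6: the registered certificate, then the signature over the transcript,
// then the password; a stolen password alone is not enough.
func ServerVerify(acct Account, caPub ed25519.PublicKey, bankCert Cert, nonce []byte,
	password string, userCert Cert, sig []byte) bool {
	if !VerifyCert(caPub, userCert) || !bytes.Equal(userCert.PubKey, acct.Cert.PubKey) {
		return false
	}
	if !ed25519.Verify(userCert.PubKey, transcript(bankCert, nonce), sig) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(password), []byte(acct.Password)) == 1
}

// Login runs the whole exchange with constructed keys. With spoof=true the browser lands on
// a site holding a validly CA-signed certificate for a look-alike domain (constructed sample).
func Login(spoof bool, password string) (bool, error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	bankPub, _, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	userCert := IssueCert(caPriv, "alice", userPub)
	bm := Bookmark{"bank.example", bankPub, userPriv, userCert}
	acct := Account{Password: "correct horse", Cert: userCert}

	siteCert := IssueCert(caPriv, "bank.example", bankPub)
	if spoof {
		phishPub, _, _ := ed25519.GenerateKey(rand.Reader)
		siteCert = IssueCert(caPriv, "bank-example.com", phishPub)
	}
	nonce := make([]byte, 16)
	rand.Read(nonce)
	cert, sig, err := DeviceRespond(bm, caPub, siteCert, nonce)
	if err != nil {
		return false, err
	}
	return ServerVerify(acct, caPub, siteCert, nonce, password, cert, sig), nil
}

func main() {
	ok, err := Login(false, "correct horse")
	fmt.Println("genuine bank:", ok, err)
	ok, err = Login(true, "correct horse")
	fmt.Println("spoofed site:", ok, err)
}
```

Running it prints a successful login for the genuine bank and an error from the device for the spoofed site; note that the spoofed certificate passes the CA check, and it is the pinned bookmark comparison that rejects it.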

Papers

Bryan Parno, Cynthia Kuo, and Adrian Perrig. Phoolproof Phishing Prevention. Financial Cryptography and Data Security, 10th International Conference, February 27 - March 2, 2006, Anguilla, British West Indies. [ PDF ] [ PS ]

Presentation Slides

Cylab Partners webcast (April 7, 2006) [ PPT ]

Financial Cryptography (February 27, 2006) [ PPT ]

In the News

Carnegie Mellon press release (8/31/06) [ Link ]

Dr. Dobb's Portal article (9/1/06) [ Link ]

Dark Reading article (9/5/06) [ Link ]

Computer World article (9/5/06) [ Link ]

Posters

Poster for Cylab Partners Conference, April 19-21, 2006, Pittsburgh, PA. [ 8.5 x 11 in ] [ 30 x 40 in ]

Source Code

Forthcoming: Download the Phoolproof source code!

Other CMU Anti-Phishing Projects

The CUPS project has developed a number of tools and techniques designed to support users' trust decisions. [ website ]