Mobile Web Phishing Defense

Francis Hsu

Mobile devices with embedded browsers allow users to enjoy the same web resources they have on traditional computing platforms, but also expose them to the same problems. We examined the migration of the browser to mobile devices and the changes that affect a user's vulnerability to phishing attacks. Due to inherent hardware limitations on the platform, browser designers alter elements found in traditional browsers that normally aid users in defending against phishing attacks. Our user study identified and demonstrated potential phishing attacks that could successfully fool users into giving up their credentials. We propose examining changes to be made in browser, website and network design to create user-friendly anti-phishing solutions.

A major factor contributing to the success of phishing attacks on the web is our reliance on password authentication. Mobile devices connected to cellular networks do provide a resource not found in traditional network connections: the authentication of the device itself to the cellular network. To leverage the cellular network infrastructure, we have designed WebCallerID, a Web authentication scheme using mobile phones as authentication tokens and cellular network providers as trusted identity providers. The scheme eliminates users' participation from the authentication process and so prevents security mistakes that could expose them to phishing attacks. Mobile devices have access to other bits of information about a user (GPS, voice, camera, local wireless networks) that we envision a multi-factor authentication system can use with WebCallerID to provide reliable and usable authentication services.