We examine the problem of protecting online banking accounts from password brute-forcing attacks. Our method is to create a large number of honeypot userID-password pairs. Presentation of any of these honeypot credentials causes the attacker to be logged into a honeypot account with fictitious attributes. For the attacker to tell the difference between a honeypot and a real account he must attempt to transfer money out. We show that is simple to ensure that a brute-force attacker will encounter hundreds or even thousands of honeypot accounts for every real break-in. His activity in the honeypots provides the data by which the bank learns the attackers attempts to tell real from honeypot accounts, and his cash out strategy.

PDF file

In: Proc. 23rd International Information Security Conference (SEC 2008)

Publisher: Springer-Verlag
All copyrights reserved by Springer 2007.

Details

Previous Versions

Cormac Herley and Dinei Florencio. Protecting Financial Institutions from Brute-Force Attacks, October 2007.