Stopping a Phishing Attack, Even when the Victims Ignore Warnings

Several factors make phishing a very challenging security problem. First, the victim unknowingly assists the attacker, by typing her credentials into a spoofed web site. Second, it is hard to identify web sites as suspicious using a fixed algorithm: phishers adapt quickly, and it is difficult to anticipate the ingenuity of all future attackers with a fixed set of rules. Third, users tend to ignore popups or security warnings: a good detection system doesn’t help if users “drive past” the alerts. The scheme we propose overcomes these difficulties. We assume that victims will type their passwords at insecure sites, we assume that phishers will adapt, and we assume that many or most victims will ignore all the warnings we give. And yet, we save substantially all users. The scheme is very simple, and consists of a client browser plug-in and a server component. The client detects when passwords are re-used at unfamiliar sites, and reports this fact to the server. Only when several clients report suspicious re-use events against a target/phisher pair of sites does the phisher get added to a Unique Password Required list. Our scheme does not assume that users have different passwords for different sites; it can handle the case where every user recycles the same password at every single site she visits. Our scheme allows for errors in the server’s suspicion algorithm. Even if perfectly innocent sites end up on the Unique Password Required list, nobody is prevented from logging into a pre-existing account ever. The harshest consequence of being mistakenly suspected is that those setting up new accounts will be forced to choose unique passwords. Finally, even users who typed their password at a phishing site before it was suspected can be saved: the credentials of all compromised accounts are sent to the site under attack.
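As an added illustration (not the paper's code), a minimal Python model of the scheme described above: a client plug-in that reports password re-use at an unfamiliar site, and a server that acts on a target/phisher pair only after several distinct clients report it, forces a unique password only for new accounts at a listed site, and records which accounts at the target were exposed. The threshold of three reports, the domain names, and the SHA-256 password fingerprint are assumptions.

```python
import hashlib
from collections import defaultdict

REPORT_THRESHOLD = 3  # assumed: distinct clients reporting a pair before it is acted on


class Server:
    """Aggregates re-use reports; the threshold tolerates noisy or mistaken clients."""
    def __init__(self):
        self.reports = defaultdict(set)  # (target, suspect) -> reporting client ids
        self.upr = defaultdict(set)      # suspect domain -> targets it is suspected against
        self.exposed = defaultdict(set)  # target -> clients that typed its password elsewhere

    def report(self, client_id, target, suspect):
        voters = self.reports[(target, suspect)]
        voters.add(client_id)
        if len(voters) >= REPORT_THRESHOLD:
            self.upr[suspect].add(target)  # Unique Password Required list entry
            # everyone who reported this pair typed a target password at the suspect
            self.exposed[target] |= voters

    def login_allowed(self, domain, existing_account, password_reused):
        """A listed site never blocks an existing login; it only rejects a new
        account that re-uses a password (the harshest effect of a wrong suspicion)."""
        if domain not in self.upr or existing_account:
            return True
        return not password_reused


class Client:
    """Browser plug-in model: remembers, per password, the sites it was typed at."""
    def __init__(self, client_id, server):
        self.client_id, self.server = client_id, server
        self.sites_by_pw = defaultdict(set)  # password fingerprint -> domains

    def type_password(self, domain, password):
        fp = hashlib.sha256(password.encode()).hexdigest()[:16]  # never keep plaintext
        known = self.sites_by_pw[fp]
        if known and domain not in known:
            # re-use at an unfamiliar site: report each (target, unfamiliar) pair
            for target in known:
                self.server.report(self.client_id, target, domain)
        known.add(domain)


def simulate():
    # Constructed scenario: three users recycle a bank password at a look-alike site.
    server = Server()
    for cid in ("c1", "c2", "c3"):
        c = Client(cid, server)
        c.type_password("bank.example", "hunter2")
        c.type_password("login-bank.example", "hunter2")
    return server
```

Note that no user action is required at any point: the client reports automatically, and the server's list changes what a new account at the suspect site may do, not whether anyone can log in.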