Secure authentication scheme to thwart RT MITM, CR MITM and malicious browser extension based phishing attacks

摘要

Securing user credentials against phishing attacks is an important and challenging research problem. These days phishing is carried out by real time (RT) and control relay (CR) man in the middle (MITM) attacks or by malicious browser extensions. Existing user authentication schemes are either incapable of handling these attacks or they are complex to learn and use or they require users to purchase and carry additional hardware such as a security key. In this paper, we propose a new secure authentication scheme for anti-phishing, which uses the Bluetooth address of the user's smartphone for user identification along with App instance ids and a user password for authentication. The analysis of the results of our experiments shows that the proposed scheme is safe against RT MITM and CR MITM phishing attacks and the attacks launched via malicious browser extensions. It is also efficient in terms of memory and CPU utilization. The comparison of the proposed scheme with the existing schemes in terms of usability and deployability shows that it is better than the schemes that can provide the same level of security.