EFFICACY OF PHISHING
The advent of Single Sign-On (“SSO”) over a decade ago has facilitated secure identity management and eased the burden of security on end users by allowing a single set of user credentials to access multiple applications. SSO is arguably the de facto standard in enterprise and organizational settings, where many users have access to a suite of third-party services such as document management and telecommunication software. Despite its popularity, SSO authentication measures seem to make a critical assumption: that end users handling requests such as login confirmations will always act in a manner consistent with security best practices. Indeed, recent trends suggest that this assumption does not hold: users may unknowingly or otherwise inadvertently approve login confirmations that were initiated by someone other than themselves, thereby increasing the likelihood of successful phishing or other malicious activity. While this mistake may stem from insufficient user training, it nevertheless poses a significant entry point for malicious actors even in the face of existing security mechanisms.
In this paper, we develop a model of the “Semi-Untrusted User” problem and discuss how errant login request approvals can lead to compromised user accounts and possibly wider breaches of SSO services. We identify the requirements for a solution that can mitigate this issue, and propose a simple mechanism to prevent mishandled login requests. Briefly, we develop a login page that is unavailable (i.e. not visible, or returning 404) to unauthorized users, so that malicious actors cannot use a user's credentials without first enrolling the device requesting login; enrollment in turn requires an already trusted device for the account of the user in question (e.g. one holding a TOTP seed or a similar time-bound primitive).
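The following is an added example, not code from the paper, that models the mechanism just described: a login page that answers 404 to any device not enrolled for the account, and a device-enrollment step that succeeds only with a fresh TOTP code from an already trusted device. The service class, its in-memory user store and the device identifiers are hypothetical; the TOTP routine follows RFC 6238 (SHA-1, 30-second step, 6 digits).

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed; real deployments generate one per account at enrollment.
TOTP_SECRET = b"constructed-demo-seed-not-for-production"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class GatedLoginService:
    """Hypothetical SSO front end: only enrolled devices can reach the login page."""

    def __init__(self, users: dict):
        # users: username -> (password, totp_secret); constructed in-memory store
        self.users = users
        self.enrolled = {}  # device_id -> username that enrolled it

    def enroll_device(self, username: str, device_id: str, code: str, now=None) -> bool:
        """Enrolling requires a TOTP code, i.e. possession of a trusted device."""
        now = int(time.time()) if now is None else now
        if username not in self.users:
            return False
        secret = self.users[username][1]
        # Accept the current step and one step either side to tolerate clock skew.
        valid = [totp(secret, now + d * 30) for d in (-1, 0, 1)]
        if not any(hmac.compare_digest(code, v) for v in valid):
            return False
        self.enrolled[device_id] = username
        return True

    def get_login_page(self, device_id: str) -> int:
        """Unenrolled devices get 404 rather than 401: the page does not exist for them."""
        return 200 if device_id in self.enrolled else 404

    def login(self, device_id: str, username: str, password: str) -> int:
        """Even a correct, phished password is useless from an unenrolled device."""
        if self.enrolled.get(device_id) != username:
            return 404
        expected = self.users[username][0]
        return 200 if hmac.compare_digest(password, expected) else 401
```

The point the model makes is that the phished password alone never produces a form to type it into; the attacker's device has to pass the enrollment step first, which needs the victim's trusted device.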
Michael Sandborn is a graduate research assistant in computer science and Russell G. Hamilton Scholar at Vanderbilt University. He is advised by Dr. Jules White who leads the Magnum Research Group. Michael's research focuses on cyber-physical systems and computer security and aims to improve the security guarantees of authentication methods in both cyber and physical domains.