Phishing: a short definition

In 2014, the MSCI estimated the annual global impact of phishing and various forms of identity theft to be as high as $5 billion USD. The picture has not improved much since.

Phishing is an attempt to collect sensitive information, such as usernames, passwords, and financial details, by posing as a trustworthy entity online.

A relatively simple, yet effective, phishing scheme is an email carrying a fake invoice from a person's favorite shopping site. Such an email usually contains a link that appears to lead to the genuine service but in reality takes the victim to an attacker-controlled website. Its login form may resemble the trusted site's login page very closely and convince users to enter their credentials, letting the attacker hijack their account.

Past and current countermeasures

Various technical and social approaches exist to combat phishing attacks. None of them is sufficient on its own, so services typically deploy a mix of them. The following is a non-exhaustive list of the most common approaches.

Shifting blame to users

Some quick-to-implement and cost-effective solutions hold users accountable for their actions instead of restricting what is technically possible. Early responses by affected banks and payment providers were to educate users not to click links in emails and to ask them to verify an email's legitimacy by checking it for relevant personal information.

Another solution is to strengthen logins with pictures or colored words, usually chosen when signing up for a service. Users look for these when logging in and only enter their credentials once they recognize the user-defined picture or word.

A study on the efficacy of security indicators, presented at the 2007 IEEE Symposium on Security and Privacy, suggests that the above countermeasures fail to protect the majority of users. The same holds for missing HTTPS or EV certificate indicators in a browser's navigation bar.

Services assuming responsibility

Technical solutions can be more effective when they protect millions of users automatically. As most phishing attacks start with unsolicited email, a clear starting point is improving spam filters, thus reducing the number of fraudulent messages that reach users.

Web browser vendors, too, are interested in protecting their users from phishing. After all, the browser plays an essential role in the scheme: the fake website is loaded in a browser, and this is the browser maker's last chance to prevent the fraud. Since version 2.0, Firefox has used Google's Safe Browsing service to detect known web forgeries and display a warning instead of the fraudulent website.

Two-Factor Authentication

None of the above anti-phishing measures addresses the basic problem: a username/password combination is often enough to impersonate a user.

Enter the world of second factors. A second factor is something a user possesses that further authenticates them to a service, for example a USB token, a Bluetooth device, a mobile phone, or simply a key stored on a separate device. The first factor is usually the username and password. Unless both factors match, the service rejects the authentication request.

Public Key Cryptography

Many services will soon support W3C Web Authentication, a powerful phishing-resistant technology based on public key cryptography. Web Authentication supports the millions of readily available FIDO U2F USB security keys, and will support the more advanced FIDO 2.0 keys once they become available.

Verification via Text Message

If a service supports verification via SMS, it sends a text message with a one-time PIN to the user's phone number. The user then enters this PIN after the web service has verified the username and password. This was chosen as an early second-factor 'protocol' because text messages are widely supported; however, even NIST no longer recommends SMS verification. The SS7 telephony system is vulnerable, making eavesdropping on or rerouting text messages fairly trivial.

One-Time Password Algorithms

A better way to use phones as a second factor is One-Time Password (OTP) protocols such as TOTP and HOTP. At service registration, the provider usually generates a QR code to be scanned by an OTP app. This QR code encodes nothing more than a random secret key, which is then stored on the user's phone. After verifying the username and password, the service prompts the user to open the OTP app and enter the corresponding 6-digit code, which is derived from an HMAC of the secret key and a counter value (in TOTP, the counter is time-based).

OTP is the most widely supported second-factor scheme and can be used to secure your most important accounts. Unfortunately, some users still find it too tedious to unlock a phone, open the OTP app, and manually type a few digits each time a provider requests a new token. OTP codes can still be phished, although with TOTP the attacker has only a short window in which to use a captured code.