PwdIP-Hash: A Lightweight Solution to Phishing and Pharming Attacks
Authors: B. Aslam, Lei Wu, C. Zou
DOI: 10.1109/NCA.2010.35 (https://doi.org/10.1109/NCA.2010.35)
Published in: 2010 Ninth IEEE International Symposium on Network Computing and Applications
Publication date: 2010-07-15
Citation count: 12 (Semantic Scholar)
Abstract: We present a novel lightweight password-based solution that safeguards users from Phishing and Pharming attacks. The proposed authentication relies on a hashed password, which is the hash value of the user-typed password and the authentication server's IP address. The solution rests on the fact that a server to which a client connects over a TCP connection cannot lie about its IP address. If a user is unknowingly directed to a malicious server (by a Phishing or a Pharming attack), the password obtained by the malicious server will be the hashed password (tied to the malicious server's IP address) and will not be usable by the attacker at the real server, thus defeating the Phishing/Pharming attack. The proposed solution does not increase the number of exchanged authentication messages, nor does it need hardware tokens as required by some previously proposed solutions. The solution is also safe against denial-of-service attacks since no state is maintained on the server side during the authentication process. We have prototyped our design both as a web browser plug-in and as a standalone application. A comprehensive user study was conducted. The results show that around 95% of users think the proposed solution is easy to use and manage. Further, around 79% of users have shown willingness to use the application to protect their passwords.