Enhancing Anti-phishing by a Robust
Multi-Level Authentication Technique (EARMAT)
Adwan Yasin
and Abdelmunem Abuhasan
College of Engineering and Information Technology, Arab
American University, Palestine
Abstract: Phishing is a social engineering attack in which an attacker posing
as a trusted person or organization tricks users into disclosing sensitive
information such as usernames, passwords, and credit card numbers through
spoofed emails, spam, and Trojan hosts. The proposed scheme is based on
designing a secure two-factor authentication web application that prevents
phishing attacks rather than relying on phishing detection methods or user
experience. The proposed method ensures that users are authenticated to
services such as online banking or e-commerce websites in a secure manner. The
proposed system uses the user's mobile phone as a software token that serves as
the second factor in the authentication process: the web application generates
a session-bound one-time password and delivers it securely to the mobile
application after notifying the user through the Google Cloud Messaging (GCM)
service; after the user confirms, the mobile software completes the
authentication by encrypting the received one-time password with the device's
own private key (in effect, signing it) and returning it to the server through
a mechanism that is secure and transparent to the user. Once the server
decrypts the received one-time password and mutually authenticates the client,
it automatically authenticates the user's web session. We implemented a
prototype of our authentication protocol consisting of an Android application,
a Java-based web server, and GCM connectivity between them. Our evaluation
results indicate the viability of the authentication protocol for securing web
application authentication against various types of threats.
Keywords: Phishing, two-factor authentication,
web security, Google Cloud Messaging, mobile authentication.
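The exchange described in the abstract, simulated end to end as an added example (this is not the authors' prototype code and not the Android/Java implementation the paper evaluates). Both sides are modelled in one Python file: the server issues a one-time password bound to the web session, the push delivery (GCM in the paper) is replaced by an in-memory queue, the phone signs the session id and OTP with its private key only after the user confirms, and the server verifies the signature against the enrolled public key before marking that session, and only that session, as authenticated. The device key is a textbook RSA key with fixed known primes and no padding, chosen so the block runs on the standard library alone; the class and function names, the 60-second OTP lifetime, and the session identifiers are assumptions for illustration. A real deployment would use RSA-PSS or ECDSA from a proper library and a hardware-backed keystore.

```python
"""Simulation of the EARMAT-style second-factor exchange: session-bound OTP,
push to the phone, user confirmation, device signature, server verification.
Constructed example; toy RSA stands in for the device's private key."""
import hashlib
import secrets
import time

# Toy device key: textbook RSA with fixed known primes, NO padding.
# Assumption for illustration only, not a production signature scheme.
_P, _Q, _E = 1000000007, 998244353, 65537
DEVICE_N = _P * _Q
DEVICE_D = pow(_E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python >= 3.8)


def _digest(session_id: str, otp: str) -> int:
    # The OTP is hashed together with the session id so a token issued for
    # one web session can never authenticate another. Reduced mod n only
    # because the toy key is far smaller than a SHA-256 digest.
    h = hashlib.sha256(f"{session_id}|{otp}".encode()).digest()
    return int.from_bytes(h, "big") % DEVICE_N


def device_sign(session_id: str, otp: str) -> int:
    """Phone side: 'encrypt with the private key' in the paper's words, i.e. sign."""
    return pow(_digest(session_id, otp), DEVICE_D, DEVICE_N)


def server_verify(session_id: str, otp: str, sig: int) -> bool:
    """Server side: recover the digest with the enrolled public key (n, e)."""
    return pow(sig, _E, DEVICE_N) == _digest(session_id, otp)


class AuthServer:
    OTP_TTL = 60  # seconds an issued OTP stays valid (assumed value)

    def __init__(self, device_pub):
        self.device_pub = device_pub  # enrolled when the phone was registered
        self.pending = {}             # session_id -> (otp, expires_at)
        self.authenticated = set()
        self.pushed = []              # stands in for GCM delivery to the phone

    def start_login(self, session_id: str, username: str) -> None:
        # First factor (password) is assumed to have been checked already.
        otp = secrets.token_hex(16)
        self.pending[session_id] = (otp, time.time() + self.OTP_TTL)
        self.pushed.append({"session_id": session_id, "otp": otp, "user": username})

    def complete_login(self, session_id: str, otp: str, sig) -> bool:
        entry = self.pending.get(session_id)
        if entry is None:
            return False  # unknown session, or an OTP that was already consumed
        expected_otp, expires_at = entry
        if time.time() > expires_at or not secrets.compare_digest(otp, expected_otp):
            del self.pending[session_id]
            return False
        if sig is None or not server_verify(session_id, otp, sig):
            return False  # not signed by the enrolled device for this session
        del self.pending[session_id]  # single use: no replay
        self.authenticated.add(session_id)
        return True


class Phone:
    def __init__(self, user_confirms: bool = True):
        self.user_confirms = user_confirms

    def handle_push(self, msg: dict):
        # Show the login request; sign only if the user taps "confirm".
        if not self.user_confirms:
            return None
        return device_sign(msg["session_id"], msg["otp"])


def run_legit_login() -> bool:
    server = AuthServer(device_pub=(DEVICE_N, _E))
    server.start_login("sess-A", "alice")
    msg = server.pushed[-1]
    sig = Phone().handle_push(msg)
    return server.complete_login(msg["session_id"], msg["otp"], sig)


def run_phishing_attempt() -> tuple:
    """A spoofed page relays Alice's password and opens its own session
    sess-EVIL. The attacker holds no device key, so it can only replay the
    signature Alice made for sess-A, which does not verify for sess-EVIL;
    and if Alice declines the unexpected prompt, nothing is signed at all."""
    server = AuthServer(device_pub=(DEVICE_N, _E))
    server.start_login("sess-A", "alice")
    legit = server.pushed[-1]
    legit_sig = Phone().handle_push(legit)
    server.start_login("sess-EVIL", "alice")
    evil = server.pushed[-1]
    evil_replayed = server.complete_login("sess-EVIL", evil["otp"], legit_sig)
    evil_declined = server.complete_login("sess-EVIL", evil["otp"],
                                          Phone(user_confirms=False).handle_push(evil))
    legit_ok = server.complete_login("sess-A", legit["otp"], legit_sig)
    replay_ok = server.complete_login("sess-A", legit["otp"], legit_sig)
    return evil_replayed, evil_declined, legit_ok, replay_ok


if __name__ == "__main__":
    print("legitimate login:", run_legit_login())
    print("(evil replay, evil declined, legit, replay):", run_phishing_attempt())
```

The security of the scheme rests on two checks the server performs: the signature must be produced by the enrolled device key, and it must cover the session id the OTP was issued for. The remaining gap, visible in `Phone(user_confirms=...)`, is that an attacker who already holds the password can trigger a genuine push for its own session; the scheme then depends on the user refusing a confirmation request they did not initiate, so the prompt shown on the phone should make the requesting session (browser, location, time) recognisable.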