The International Arab Journal of Information Technology (IAJIT)



Enhancing Anti-phishing by a Robust Multi-Level Authentication Technique (EARMAT)

Phishing is a social engineering attack in which an attacker impersonating a trusted person or organisation tricks inexperienced users into disclosing sensitive information such as usernames, passwords and credit card numbers, typically through spoofed e-mails, spam and Trojan-infected hosts. The proposed scheme is based on designing a secure two-factor authentication web application that prevents phishing attacks rather than relying on phishing detection methods and user vigilance. The method aims to ensure that users are authenticated to services such as online banking or e-commerce websites in a highly secure manner. The system uses the user's mobile phone as a software token that acts as the second factor: the web application generates a session-bound one-time password and delivers it securely to the mobile application after notifying the phone through the Google Cloud Messaging (GCM) service. After the user confirms, the mobile software completes the authentication by encrypting the received one-time password with its own private key (in effect signing it) and returning it to the server through a mechanism that is secure and transparent to the user. Once the server decrypts the received one-time password and the two parties have mutually authenticated, the server automatically authenticates the user's web session. We implemented a prototype of the protocol consisting of an Android application, a Java-based web server and GCM connectivity between them. Our evaluation indicates that the protocol is viable for securing web application authentication against a range of threats.
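The exchange described above, written out as an added, offline simulation that is not the paper's code. Two substitutions are assumptions made so that the script runs with the standard library alone: the phone authenticates the one-time password with HMAC-SHA256 under a per-device key shared at enrollment instead of encrypting it with an RSA private key, and GCM delivery is replaced by returning the push payload directly from begin_login(). The server identity SERVER_ID, the 60-second validity window and the user "alice" are constructed for the example. What the simulation shows that the abstract does not is what the phone's answer has to bind (server identity, session, OTP) and the checks the server needs before it marks the web session authenticated: single use, expiry and constant-time comparison.

```python
# Added example (not the paper's code): offline simulation of a push-based
# second factor in the style described in the EARMAT abstract.
# Assumptions: HMAC-SHA256 under a per-device key replaces the paper's
# private-key encryption; the GCM push is replaced by a returned dict.
import hashlib
import hmac
import secrets

SERVER_ID = "bank.example"   # constructed server identity, bound into every MAC
OTP_TTL = 60                 # seconds a pushed challenge stays valid (assumption)


def _mac(key: bytes, *fields: str) -> bytes:
    """HMAC over length-prefixed fields so different field layouts cannot collide."""
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.devices = {}        # username -> device key set at enrollment
        self.pending = {}        # session_id -> (username, otp, expires_at)
        self.authenticated = set()

    def enroll(self, username: str, device_key: bytes) -> None:
        self.devices[username] = device_key

    def begin_login(self, username: str, session_id: str, now: float) -> dict:
        """First factor already verified; mint a session-bound OTP and build the push."""
        otp = secrets.token_hex(16)
        self.pending[session_id] = (username, otp, now + OTP_TTL)
        push = {"server": SERVER_ID, "session": session_id, "otp": otp}
        # The server's own MAC lets the phone authenticate the push (mutual authentication).
        push["server_mac"] = _mac(self.devices[username], "push",
                                  SERVER_ID, session_id, otp).hex()
        return push

    def complete_login(self, session_id: str, tag: bytes, now: float) -> bool:
        entry = self.pending.pop(session_id, None)   # single use: a replay finds nothing
        if entry is None:
            return False
        username, otp, expires_at = entry
        if now > expires_at:                          # stale challenge
            return False
        expected = _mac(self.devices[username], "response", SERVER_ID, session_id, otp)
        if not hmac.compare_digest(expected, tag):    # constant-time comparison
            return False
        self.authenticated.add(session_id)            # web session is now authenticated
        return True


class Phone:
    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def respond(self, push: dict, user_confirms: bool):
        """Verify the push came from the enrolled server, ask the user, then answer."""
        expected = _mac(self.device_key, "push", push["server"], push["session"], push["otp"])
        if push["server"] != SERVER_ID or not hmac.compare_digest(
                expected, bytes.fromhex(push["server_mac"])):
            return None           # forged or tampered push: never prompt the user
        if not user_confirms:
            return None           # user declined an unexpected login
        return _mac(self.device_key, "response", SERVER_ID, push["session"], push["otp"])


def demo() -> dict:
    """Run the flow once plus the negative cases a reviewer would check."""
    key = secrets.token_bytes(32)
    server, phone = Server(), Phone(key)
    server.enroll("alice", key)
    t0 = 1_000_000.0

    push = server.begin_login("alice", "sess-1", t0)
    tag = phone.respond(push, user_confirms=True)
    ok = server.complete_login("sess-1", tag, t0 + 5)
    replay = server.complete_login("sess-1", tag, t0 + 6)        # already consumed

    push2 = server.begin_login("alice", "sess-2", t0)
    tag2 = phone.respond(push2, user_confirms=True)
    expired = server.complete_login("sess-2", tag2, t0 + OTP_TTL + 1)

    push3 = server.begin_login("alice", "sess-3", t0)
    tampered = dict(push3, otp="0" * 32)                         # attacker-altered push
    forged = phone.respond(tampered, user_confirms=True)

    push4 = server.begin_login("alice", "sess-4", t0)
    declined = phone.respond(push4, user_confirms=False)

    return {"ok": ok, "replay": replay, "expired": expired,
            "forged_push_rejected": forged is None, "declined": declined is None}


if __name__ == "__main__":
    print(demo())
```

The response tag covers the server identity, the session identifier and the OTP together, so a tag captured for one session is useless for any other, and the pending challenge is removed the moment it is checked, so a second submission of the same tag fails. The user confirmation step is where the phone should display the session it is about to approve; the simulation models a decline as returning nothing to the server.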


Adwan Yasin is a full professor and former dean of the Faculty of Engineering and Information Technology at the Arab American University of Jenin, Palestine. Previously he worked at Philadelphia University and Zarka Private University, Jordan. He received his PhD degree from the National Technical University of Ukraine in 1996. His research interests include computer networks, computer architecture, cryptography and network security.

Abdelmunem Abuhasan is a Master's student at the Arab American University with particular interests in computer security, web security and software engineering. He has worked for ten years as the manager of the software development department at the Arab American University. He holds a B.A. in Computer Science from the Arab American University.