| Graduate student | 陳昌琪 Chang-Chi Chen |
|---|---|
| Thesis title | 以動態密碼防制網路釣魚詐騙 Using Dynamic Password Against Phishing Scams |
| Advisor | 洪西進 Shi-Jinn Horng |
| Committee members | 鍾國亮 Kuo-Liang Chung, 蘇民揚 Ming-Yang Su, 胡俊之 Jyun-Jy Hu, 高宗萬 Tzong-Wann Kao |
| Degree | 碩士 Master |
| Department | 電資學院 - 資訊工程系 Department of Computer Science and Information Engineering |
| Year of publication | 2008 |
| Graduation academic year | 96 |
| Language | Chinese |
| Pages | 69 |
| Chinese keywords | 網路釣魚 (phishing), 密碼保護 (password protection), 網路安全 (network security), 網路詐騙 (online fraud) |
| Foreign keywords | Password security, phishing website detection |
| Usage | Views: 253, Downloads: 11 |
As Internet usage grows at an astonishing rate, and as financial and other services become ever more digitized, criminals have gradually shifted their fraud channels from traditional tools such as the telephone and the mail toward computers and the Internet to carry out their schemes for illicit gain. Phishing attacks target users' identity data, especially critical information such as account names, passwords, national ID numbers, and credit card numbers.
Most online services rely on the "account-password" pair as the basis for identity authentication, so the use of passwords becomes a critical point, and passwords are also the prey that phishing attackers are most interested in. Because ordinary users must authenticate to every online service and cannot manage their passwords effectively, they often choose one or two passwords as the key to their personal identity. This habit gives phishers an opening: once the account and password for a single website are stolen, the stolen password can often be reused on other websites.
This thesis proposes using dynamic passwords to set website passwords, strengthening the security of web password use without changing the existing architecture of websites or clients and without adding to the burden on ordinary users. It also includes a phishing-site detection mechanism that prevents users from disclosing their passwords to counterfeit phishing sites, thereby protecting personal information.
Computer users are often asked to memorize many accounts and passwords for webmail, web ATM, e-banking, and e-commerce sites, and they usually choose just one or two different passwords across those sites, because most people lack the memory for, or the patience to manage, a distinct password for each website. We describe a new tool that generates a Dynamic Password for users, improving both the security and the convenience of website logins through a combination of password management and phishing-site detection techniques. The tool helps a user easily generate a stronger password for his or her login account on a website, and the passwords set at each website are all different. This mechanism ensures that if one of the user's website passwords is stolen or leaked, criminals cannot use that password to intrude on the service of another website. Moreover, when the user wants to reuse the service of a registered website, the tool can also help the user check whether the website he or she is about to log in to is legitimate or a phishing website.