Phishing is an attack method in which attackers forge electronic communications (email, SMS, phone calls) to steal sensitive information from their targets. The information sought is most often login credentials such as usernames, passwords, or two-factor codes, but phishing can also target other data, such as identity documents, social security numbers (a frequent target in the USA), or credit card details. Phishing emails are everywhere: anyone who works with computers and email has most likely received one at some point. In fact, an estimated 70 to 90 percent of all IT security incidents begin with a phishing email, so recognizing and countering them is of the utmost importance for preventing attacks on IT systems. Because phishing emails often depend on a user action to "succeed," such as entering login credentials, they remain a heavily researched topic in usable security. We also work on this topic, with several different focuses.
PhishyMailbox: Free Software for Phishing Research
Phishing research faces several practical hurdles when trying to understand how people process phishing emails and whether they recognize them. To address these, Oliver D. Reithmaier and Thorsten Thiel have jointly developed PhishyMailbox, a web app that simulates an email inbox. It lets study participants take part in phishing studies from their own environment and process emails in a relatively realistic way. The software logs almost all user interactions, is safe to run, and has received excellent usability ratings from both users and researchers. PhishyMailbox thus yields more realistic research findings while keeping the study environment relatively well controlled. The software is freely available, easy to use, and scales well. Code and instructions: github.com/Enterprize1/phishy-mailbox. Paper: www.ndss-symposium.org/wp-content/uploads/usec25-37.pdf. The software is being actively developed further by Hanna Köster, Oliver D. Reithmaier, and Thorsten Thiel.
Downgrade-resistant PAKE implementation
PAKE (Password Authenticated Key Exchange) protocols are authentication methods that have existed in various forms since the 1990s. They allow an authentication attempt without transmitting the password in plaintext, which is otherwise very common in login forms. Modern PAKE protocols can verify that the authenticating party knows the correct password without the password ever being sent to the server or stored there in plaintext. Consequently, modern PAKE protocols such as OPAQUE are secure against man-in-the-middle attacks and dictionary attacks. The one drawback these modern protocols still have is vulnerability to downgrade attacks, because the user still has to type a password. In a downgrade attack, the attacker builds a page that shows a "normal" password field instead of a PAKE login. If the targeted person enters their password there, the attacker can use it to log in to the real site. Downgrade attacks of this kind are a problem that can potentially be solved through a combination of interface design and security design. Oliver D. Reithmaier, in collaboration with Hanna Köster, is researching solutions to this problem.
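The "password stays local" property described above, as an added example that is not part of this page or of the project's own code: a toy SRP-6a-style exchange (a classic 1990s PAKE, used here instead of OPAQUE because it fits in a few lines). It assumes a constructed 31-bit toy group so the numbers stay readable; real deployments need the large safe-prime groups of RFC 5054. The returned wire transcript lists everything that would cross the network, which is exactly what a downgrade page sidesteps by asking for the raw password instead.

```python
import hashlib
import secrets

# Constructed toy group so the numbers stay readable: 2**31 - 1 is prime and 7
# generates its full multiplicative group. NOT secure; real SRP uses RFC 5054 groups.
N = (1 << 31) - 1
G = 7

def i2b(n: int) -> bytes:
    """Big-endian byte encoding of a non-negative integer."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as an integer."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")

K_MULT = H(i2b(N), i2b(G)) % N  # SRP-6a multiplier k = H(N, g)

def private_x(salt: bytes, username: bytes, password: bytes) -> int:
    """x = H(salt, H(I:P)). Computed on the client only; never transmitted."""
    return H(salt, i2b(H(username + b":" + password)))

def register(username: bytes, password: bytes) -> dict:
    """Enrolment: the server stores (I, salt, v = g^x), not the password."""
    salt = secrets.token_bytes(16)
    v = pow(G, private_x(salt, username, password), N)
    return {"I": username, "salt": salt, "v": v}

def login(record: dict, username: bytes, password: bytes):
    """One exchange. Returns (client_key, server_key, messages that crossed the wire)."""
    wire = []
    # Client -> Server: identity and ephemeral public value A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(G, a, N)
    wire += [username, i2b(A)]
    # Server -> Client: salt and B = k*v + g^b, computed from the verifier alone
    b = secrets.randbelow(N - 2) + 1
    B = (K_MULT * record["v"] + pow(G, b, N)) % N
    wire += [record["salt"], i2b(B)]
    u = H(i2b(A), i2b(B)) % N  # scrambling parameter bound to the transcript
    # Client: S = (B - k*g^x)^(a + u*x); the typed password only enters via x, locally
    x = private_x(record["salt"], username, password)
    s_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server: S = (A * v^u)^b; it never learns x or the password
    s_server = pow((A * pow(record["v"], u, N)) % N, b, N)
    key = lambda s: hashlib.sha256(i2b(s)).digest()
    # Session keys agree only if the client's x matches the stored verifier
    return key(s_client), key(s_server), wire
```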
Project Lead: Oliver D. Reithmaier
Period: 2023-2025