We examine the problem of protecting online banking accounts from password brute-forcing attacks. Our method is to create a large number of honeypot userID-password pairs. Presentation of any of these honeypot credentials causes the attacker to be logged into a honeypot account with fictitious attributes. For the attacker to tell the difference between a honeypot and a real account, he must attempt to transfer money out. We show that it is simple to ensure that a brute-force attacker will encounter hundreds or even thousands of honeypot accounts for every real break-in. His activity in the honeypots provides the data by which the bank learns the attacker's attempts to tell real from honeypot accounts, and his cash-out strategy. © 2008 Springer Science+Business Media, LLC.
CITATION STYLE
Herley, C., & Florêncio, D. (2008). Protecting financial institutions from brute-force attacks. In IFIP International Federation for Information Processing (Vol. 278, pp. 681–685). Springer New York. https://doi.org/10.1007/978-0-387-09699-5_45
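The abstract's idea can be sketched from the bank's side as a login classifier plus a simulated brute-force run. This is an added example, not code from the paper. The keyed-HMAC rule for choosing honeypot pairs, the 1-in-1000 rate, the rule that real userIDs never map to honeypots, the ID and PIN sizes, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import random

HONEYPOT_KEY = b"constructed-demo-key"  # assumption: secret known only to the bank
HONEYPOT_RATE = 1000                    # assumption: 1 in 1000 unassigned pairs is a honeypot

# Constructed sample data: 50 real accounts, 5-digit userIDs, 4-digit PINs.
_rng = random.Random(7)
REAL_ACCOUNTS = {f"{u:05d}": f"{_rng.randrange(10_000):04d}"
                 for u in _rng.sample(range(100_000), 50)}

def is_honeypot(user_id, password):
    """Keyed and stateless: a given pair always gets the same answer."""
    msg = f"{user_id}\x00{password}".encode()
    tag = hmac.new(HONEYPOT_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % HONEYPOT_RATE == 0

def login(user_id, password):
    """Classify one attempt as 'real', 'honeypot' or 'denied'."""
    real_pw = REAL_ACCOUNTS.get(user_id)
    if real_pw is not None:
        # Real userIDs never map to honeypots, so a customer's typo is just denied.
        return "real" if hmac.compare_digest(real_pw, password) else "denied"
    # Honeypot sessions would show fictitious data and log every action.
    return "honeypot" if is_honeypot(user_id, password) else "denied"

def simulate_bruteforce(attempts, seed=1):
    """Uniform random guessing over the whole userID/PIN space."""
    rng = random.Random(seed)
    counts = {"real": 0, "honeypot": 0, "denied": 0}
    for _ in range(attempts):
        user_id = f"{rng.randrange(100_000):05d}"
        pin = f"{rng.randrange(10_000):04d}"
        counts[login(user_id, pin)] += 1
    return counts

if __name__ == "__main__":
    print(simulate_bruteforce(200_000))
```

With these constructed sizes, about 200 of 200,000 guesses land in honeypot sessions, while a real break-in is expected only once per 20 million guesses.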