Martin Szydlowski
Vienna University of Technology
Austria

Engin Kirda
Vienna University of Technology
Austria

Christopher Kruegel
Vienna University of Technology
Austria

The web is an indispensable part of our lives. Undoubtedly, web applications have become the most dominant way to provide access to online services. Every day, millions of users purchase items, transfer money, retrieve information and communicate over the web. Although the web is convenient for many users because it provides anytime, anywhere access to information and services, at the same time, it has also become a prime target for miscreants who attack unsuspecting web users with the aim of making an easy profit. The last years have shown a significant increase in the number of web-based attacks, highlighting the importance of techniques and tools for increasing the security of web applications. For example, online banking sites all over the world are frequent targets of phishing attempts, and there has also been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers.

An important web security research problem is how to enable a user on an untrusted platform (e.g., a computer that has been compromised by malware) to securely transmit information to a web application. Solutions that have been proposed to date are mostly hardware-based and require (often expensive) peripheral devices such as smart-card readers and chip cards. In this paper, we discuss some common aspects of client-side attacks (e.g., Trojan horses) against web applications and present two simple techniques that can be used by web applications to enable secure user input. We also conducted two usability studies to examine whether the techniques that we propose are feasible.

Keywords: web applications, secure input, graphical keyboard, CAPTCHA, TAN, transaction confirmation, usability study

Read Paper (in PDF)