Security for Web Applications
13.5 Client Security Issues 283

can grant access to Web site where she is requested to enter her PIN and the next two TANs. The pretence for this request is that some administrative work at ChiefCard requires the approval of Alice's account information. Proceeding as demanded, the attackers acquire Alice's bank data, which they can now misuse for debits from her account, with ChiefCard in general not being accountable for her financial losses.

Web spoofing, which is employed for phishing attacks, typically relies on the following factors:

Convincing Web site and e-mail design. The spoofed Web sites and e-mails have the same look and feel as the official Web sites and mails of the original service provider.

Use of convincing URLs. URLs can be expressed in many ways that make misuse hard to detect. Among others, URLs can contain IP addresses instead of domain names. Furthermore, typos that are hard to notice can be misused. To give an example, the lower-case i is hard to distinguish from the lower-case l, and attackers might trick clients using the URL (http://www.chlef.card.com/banking) instead of the official site. Thus, users are recommended to retype addresses in their browsers instead of just opening links. Furthermore, checking URLs can be complicated when official service providers use browser windows without address bars for their services, an approach that should not be followed according to (Türpe and Baumann 2004).

Pretended secure connections. Secure connections using SSL/TLS are indicated through lock icons in the status bar of the Web browser. But the trustworthiness of an individual connection has to be verified by the users. They have to observe whether they are actually running a secure interaction with the supposed service provider and not just with any party owning a valid certificate. Sometimes, as the authors of (Ye et al. 2002) show, this can be a nontrivial task, if companies authorize third parties to design and maintain their Web presence.

Phishing and Web spoofing attacks not only cause damage for end users but also bring about detriments for service providers, as phishing aims at misusing the good reputation of established brands and the users' trust in the company. Thus, additional financial and administrative efforts are needed to detect phishing attacks and to warn customers as soon as possible. Although liability issues are oftentimes unsolved, service providers might be confronted with claims for compensation in case phishing attacks succeed. Technical protection against phishing and Web spoofing seems hard to achieve. The most appropriate approach remains to inform and sensitize customers to possible attacks. For service providers it is best practice to offer customers feasible alternatives, like home banking relying on smartcards instead of PIN/TAN mechanisms.

13.5.4 Desktop Security

Apart from the presented attack techniques, end users' security can be endangered through threats like viruses and worms. It is up to the clients themselves to counteract these security threats by using Internet services thoughtfully, updating operating systems and browser software regularly, and by using additional security software like firewalls and virus scanners. In the following, an overview of the most common security threats is given.
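The "use of convincing URLs" factor described in the Web spoofing discussion above (IP addresses in place of domain names, and look-alike characters such as l for i in an address like http://www.chlef.card.com/banking) can be partly checked by software on the client or mail-gateway side. The following Python program is an added example and is not code from the book; it assumes the user's expected domain is known (chiefcard.com from the text), treats the last two labels of a host as its registrable domain (a simplification standing in for a real public-suffix list), and uses a constructed confusable-character table. It only raises warnings; a URL with no finding is not thereby proven genuine.

```python
"""Heuristic checks for spoofed (look-alike) URLs of the kind described above.

Added example, not from the book. Given the domain a user expects it reports why
a URL may be a phishing decoy: an IP-literal host, a typo/homoglyph look-alike,
or the brand name buried in a subdomain of an unrelated domain.
"""
import ipaddress
from urllib.parse import urlsplit

# Single characters easily confused in domain names (constructed table; the
# 'l' versus 'i' pair is the example the text gives).
_CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def skeleton(label: str) -> str:
    """Collapse confusable characters so that 'chlef' and 'chief' compare equal."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(_CONFUSABLE)


def host_core(host: str) -> str:
    """Host without a leading 'www.' and without dots, confusables collapsed, so
    that 'www.chlef.card.com' and 'chiefcard.com' reduce to the same string."""
    h = host.lower().rstrip(".")
    if h.startswith("www."):
        h = h[4:]
    return skeleton(h.replace(".", ""))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; an assumption standing in for a real public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyse_url(url: str, expected_domain: str) -> list[str]:
    """Return a list of findings for url; an empty list means no heuristic fired."""
    findings: list[str] = []
    host = (urlsplit(url).hostname or "").lower()   # needs a scheme, e.g. https://
    expected = expected_domain.lower()
    if not host:
        return ["URL has no host"]
    try:
        ipaddress.ip_address(host)                   # handles IPv4 and IPv6 literals
        return ["host is an IP address rather than a domain name"]
    except ValueError:
        pass
    if host == expected or host.endswith("." + expected):
        return findings          # the expected domain itself or one of its subdomains
    brand = expected.split(".")[0]
    if brand in host.split(".") and registrable_domain(host) != expected:
        findings.append(f"brand '{brand}' appears as a subdomain of "
                        f"'{registrable_domain(host)}'")
    dist = edit_distance(host_core(host), host_core(expected))
    if dist == 0:
        findings.append(f"host '{host}' is a confusable look-alike of '{expected}'")
    elif dist <= 2:
        findings.append(f"host '{host}' is within {dist} edit(s) of '{expected}'")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, including the look-alike address from the text.
    samples = [
        "https://www.chiefcard.com/banking",
        "http://www.chlef.card.com/banking",
        "http://192.0.2.10/banking",
        "https://chiefcard.com.login-check.example/",
        "https://chiefcart.com/",
    ]
    for u in samples:
        print(u, "->", analyse_url(u, "chiefcard.com") or ["no finding"])
```

Such a check belongs in a mail gateway or a browser extension that knows which brands the user deals with; it complements, rather than replaces, the advice in the text to retype addresses and to verify who actually owns the certificate behind the lock icon.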