What is phishing, and how does Counter Challenge Authentication defeat it?
Counter Challenge Authentication (CCA) is a replacement for the conventional login method, in which a web application user enters a user id and password. Entering login credentials with no idea of where the request is delivered is the root cause of all the phishing attacks that take place regularly, causing financial losses to banks and other financial organizations.
Entering user credentials blindly on a login page and submitting them without knowing whether a fraudulent application on the other side is capturing them is a serious flaw of today's login method. Unless this flaw is fixed, phishing attacks will keep recurring against the user accounts of banks and financial organizations, irrespective of whatever precautionary measures are implemented to avoid phishing.
Every month more than a million phishing sites crop up on the internet and launch phishing attacks. Phishers execute these attacks very easily, just by sending a fraudulent email to millions of users impersonating a popular bank or financial organization. The email states that the organization has recently upgraded its web application and that all users must immediately log in to their accounts by clicking a link in the email, otherwise their accounts will be blocked.
Unaware of the attack, innocent users click the link and land on a login page that is an exact replica of the target bank's or financial organization's login page. As soon as the users enter their login credentials and submit the form, the request hits a fraudulent phishing application ready to capture and store the credentials. Using these credentials, phishers log in to the actual user accounts at the targeted bank or financial organization and steal large sums of money.
The aftermath of a phishing attack has serious implications for the affected organization's business and reputation. Moreover, to meet the regulatory requirements of the governments concerned, the affected organization has to email all its customers informing them of the phishing attack, which further damages its business by undermining customer confidence.
CCA defeats phishing attacks with a purely technical solution to the problem. The CCA login method inherently contains a mechanism that warns users of a phishing attack before they complete their login. It is a two-step login method: in the first step, the user enters only his user id and poses a counter challenge to the web application. In the second step, depending on the response received from the web application, the user can clearly tell whether he is on the genuine web application's login page or on a phisher's login page that is an exact replica of it. A correct response to his challenge confirms that he is on the right login page; any incorrect or void response is a clear indication of a phishing attack, so he does not fall prey to it.
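As an added illustration (not code from this page or from DetPhish), the two-step exchange above modelled in Python: the client sends only the user id plus its counter challenge in step 1, and releases the password in step 2 only if the answer matches. How the genuine server stores and answers challenges is an assumption here (a per-user challenge-to-response table registered at enrollment), as is that the phishing replica cannot obtain the answer from the genuine server in real time.

```python
"""Toy model of the two-step Counter Challenge Authentication (CCA) login.

Constructed example. Assumed (not specified on the page): the genuine server
keeps a per-user table of challenge -> expected response registered at
enrollment, and the phishing replica cannot relay the challenge to the
genuine server in real time.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class GenuineServer:
    # user_id -> {challenge: expected response}, populated at enrollment
    challenges: dict = field(default_factory=dict)
    passwords: dict = field(default_factory=dict)

    def enroll(self, user_id, password, challenge, response):
        self.passwords[user_id] = password
        self.challenges[user_id] = {challenge: response}

    def step1(self, user_id, challenge):
        # Answer the user's counter challenge (None if unknown)
        return self.challenges.get(user_id, {}).get(challenge)

    def step2(self, user_id, password):
        return hmac.compare_digest(self.passwords.get(user_id, ""), password)


class PhishingReplica:
    """Looks like the real login page but knows no user's challenge."""
    captured = None

    def step1(self, user_id, challenge):
        return None  # void response: it cannot know the expected answer

    def step2(self, user_id, password):
        self.captured = (user_id, password)  # what a phisher would harvest
        return True


def cca_login(site, user_id, password, challenge, expected):
    """Run both steps; the password is sent only after a correct answer."""
    answer = site.step1(user_id, challenge)
    if answer is None or answer != expected:
        return "phishing suspected"
    return "authenticated" if site.step2(user_id, password) else "bad password"
```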
As mentioned above, CCA makes users context aware and mindful while they log in to their accounts. It is a simple, technical solution to phishing that eliminates the need for costly, time-consuming 24/7 surveillance services that look for phishing sites and take them down. Despite such surveillance, phishing attacks keep recurring and organizations and their customers keep getting affected, because numerous short-lived phishing sites are launched regularly all over the world and identifying them takes time and significant effort, during which users are already affected.
Copyright © 2023 DetPhish Technologies.