The IEEE Symposium on Computers and Communications

Abstract

Phishing, a form of online identity theft, is one of the fastest growing crimes on the Internet. Several countermeasures have been proposed over the years; one of them is the Anti-phishing Authentication (APA) protocol, which is based on SPEKE, a Password Authenticated Key Exchange (PAKE) protocol. In this paper, it is shown that the APA protocol is vulnerable to password compromise impersonation, ephemeral key compromise impersonation and malicious server attacks. An improved anti-phishing protocol is also proposed that provides several security attributes, including mutual authentication, forward secrecy, known session key security, no key control, key confirmation, and resilience to Denning-Sacco, password compromise impersonation, Unknown Key Share (UKS), off-line dictionary, undetectable online dictionary, ephemeral key compromise impersonation, Key Compromise Impersonation (KCI), eavesdropping, message loss, message modification, message insertion and message replay attacks, while providing better efficiency than the APA protocol.