1. National Institute of Standards and Technology (NIST). (2017). Special Publication (SP) 800-63-3: Digital Identity Guidelines. Section 5.1.1, "TLS for Confidentiality and Integrity," Page 17: "The use of TLS protects the communications from eavesdropping and tampering. It also provides authentication of the CSP [Credential Service Provider] to the claimant, which can help to mitigate phishing and man-in-the-middle attacks." This highlights that authenticating the server (the bank) to the user (the claimant) is the key defense against phishing.

2. Rivest, R. (2017). 6.857 Computer and Network Security, Fall 2017 Lecture Notes. MIT OpenCourseWare. Lecture 15: Network Security I, SSL/TLS, Page 4: The lecture notes explain that a primary goal of SSL/TLS is for the "client [to] want to verify server’s identity." It explicitly states this "Prevents man-in-the-middle (MITM) attacks," which is the mechanism used by sophisticated phishing sites.

3. Dierks, T., & Rescorla, E. (2008). RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2. The Internet Engineering Task Force (IETF). Section 1, "Introduction," Page 2: The document states that one of the primary goals of the TLS protocol is authentication. "The server is typically authenticated, while the client is optionally authenticated. This is referred to as one-way authentication. It is also possible for both the client and the server to be authenticated. This is referred to as mutual authentication." The server authentication piece is what prevents the phishing attack.