Oh how I adore semi-clever titles that can only be made mildly humorous by mentioning them in the first line of the post they sit atop.
Phishing is, broadly, the practice of tricking a user into entering her credentials into a duplicate of a site she trusts, so that they can be harvested. It is usually done by mass-emailing deceptive URLs that point at the duplicate and claim she needs to update some data, and it has been growing rapidly of late.
Why do you care? Well, if you are a frequent user of the internet (and you would have to be to be reading this, I’m not linked to enough for somebody to ‘stumble’ onto my site) phishing has probably been attempted on you, and with any luck you have avoided it. Not everybody is so lucky.
In his post, Kim brings up a very interesting aspect to a digital identity system:
“… we have done a pretty good job of cryptographically securing the channel between web servers and browsers – a channel that might extend for thousands of miles. But we haven’t done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.”
After reading this, Zak and I immediately started thinking about how to address the problem, first within SXIP and then in general. The problem, as Kim lays it out, is that in conventional systems the user has too little meaningful information to act on. We narrowed the focus a bit further, to the question: how does a user know that the site she is visiting is the one she intended to visit?
So, how does a user know that she is visiting the actual site she intended, rather than a duplicate? Heeding Kim’s warnings, we immediately ruled out any kind of multi-level authentication of the sort described in my previous post on this subject, and anything that looked like a patch for one particular flaw that has already been exploited. Instead we went looking for a concept the user would grasp intuitively. Here’s what we came up with…
Love at First Sight
You can be sure that a site is the one you were trying to reach if that site can tell you something about yourself before you log in. It doesn’t have to be anything important; in fact it shouldn’t be, since it is shown before you have proven who you are. It just has to be something that only the genuine site would know.
When a user arrives at the site and is asked to authenticate, a short piece of text she entered when registering, something like “you have a blue house,” sits above the username and password fields. The site knows which text to display from a cookie in her browser containing something like “judy went home”: a random but memorable bit of text keyed to the information she entered at registration. It could even be a phrase she chose herself.
If the cookie does not arrive, the site instead shows an extra text box where the user can type her phrase if she wants the site to prove it is who it says it is. So whenever she visits a site she has to authenticate to, such as a Homesite, and the site cannot immediately verify itself to her, she should become suspicious and can choose to enter her phrase. The genuine site answers with her verification text; a phishing site cannot, because it never saw her registration. One caveat: the typed fallback is weaker than the cookie path. The cookie is scoped to the genuine site’s domain, so a phishing page cannot present it, whereas a typed phrase is just a request to the server that a phishing page could forward and relay the answer from, so the cookie is the leg the design should lean on.
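The mechanism in the two paragraphs above, written out as an added example; this is not code from the original post or from SXIP. It models the server side in Python and makes a few assumptions of its own: the cookie carries an opaque random token rather than the memorable phrase itself (so that page script, an XSS payload included, can read nothing useful from it), a server-side table maps tokens to users, the typed fallback looks up a separately registered recognition phrase, and the verification phrase is HTML-escaped on output because it is user-chosen text. The user names, phrases and the `recog` cookie name are constructed for illustration.

```python
import html
import secrets

# Added example (not code from the post or from SXIP). All users, phrases and the
# cookie name are constructed. Two user-chosen strings are stored at registration:
#   verification phrase - shown to the user above the login form
#   recognition phrase  - a memorable string she can type when the cookie is absent
#                         (the post's "judy went home"); it only selects which
#                         verification phrase to show and is never a password.
USERS = {
    "judy":    {"verification": "you have a blue house",
                "recognition":  "judy went home"},
    # A hostile verification phrase, to show that output escaping defuses it.
    "mallory": {"verification": "<img src=x onerror=alert(1)>",
                "recognition":  "mallory likes cats"},
}


class RecognitionStore:
    """Server-side table mapping opaque cookie tokens to usernames."""

    def __init__(self):
        self._tokens = {}

    def issue_cookie(self, username):
        # The cookie holds a random token, not the phrase: a stolen or script-read
        # cookie exposes nothing memorable, and HttpOnly keeps page script from
        # reading it at all. The browser only sends it back to this site's domain,
        # so a phishing page on another host can never present it.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = username
        header = f"recog={token}; Path=/; Secure; HttpOnly; SameSite=Strict"
        return token, header

    def user_for_token(self, token):
        return self._tokens.get(token)


def user_for_recognition_phrase(typed):
    """Fallback lookup when no usable cookie arrived: whose recognition phrase is this?"""
    for name, record in USERS.items():
        if record["recognition"] == typed:
            return name
    return None


def login_page(store, cookies, form):
    """Build the login page for one request.

    cookies and form are dicts as a web framework would parse them.
    Returns {'phrase': escaped phrase or None, 'prompt': bool, 'html': str}.
    """
    username = None
    if "recog" in cookies:
        username = store.user_for_token(cookies["recog"])
    if username is None and form.get("recognition"):
        username = user_for_recognition_phrase(form["recognition"])

    if username is None:
        # The site cannot verify itself to this user, so it shows no phrase at all
        # (a generic default would train users to accept anything) and offers the
        # fallback prompt instead.
        prompt = ('<p>We cannot recognise this browser. Enter your recognition '
                  'phrase to confirm you are on the genuine site:</p>'
                  '<form method="post"><input name="recognition"></form>')
        return {"phrase": None, "prompt": True, "html": prompt}

    # The verification phrase is user-supplied text rendered into HTML, so it is
    # escaped: mallory's phrase must appear as literal text, never as markup.
    safe = html.escape(USERS[username]["verification"], quote=True)
    page = (f'<p class="verify">{safe}</p>'
            '<form method="post" action="/login">'
            '<input name="username">'
            '<input name="password" type="password"></form>')
    return {"phrase": safe, "prompt": False, "html": page}


if __name__ == "__main__":
    store = RecognitionStore()
    token, set_cookie = store.issue_cookie("judy")
    print(set_cookie)                                        # what registration sends back
    print(login_page(store, {"recog": token}, {})["html"])   # cookie present: phrase shown
    print(login_page(store, {}, {})["html"])                 # no cookie: fallback prompt
    print(login_page(store, {}, {"recognition": "judy went home"})["phrase"])
```

The three paths to exercise are the cookie path, the missing-cookie prompt, and the typed fallback; the `mallory` record checks that a phrase chosen to contain markup comes out as harmless text.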
This concept can be conveyed in symbolic terms for the user through the imagery of telling a blind date to wear a red carnation or, for us geeks who are far too busy averting evil villains’ world domination plans to go on dates, that seen in Golden-Eye where the man picking up James Bond has to show him the tattoo.
The way that a phishing site will try to subvert this is with cross-site scripting (XSS), but I believe that by using the proper techniques any XSS attack against this system can likely be foiled to the point of harmlessness, although I am not the authority on this and invite those who may be to bring up holes and, hopefully, solutions. Also, if anybody else has seen a system related to this concept, I’d love to hear from you.
Tags: digital identity, phishing