Gone Phishing

Oh how I adore semi-clever titles that can only be made mildly humorous by mentioning them in the first line of the post they sit atop.

Kim Cameron has released his Sixth Law of Identity, this one relating to the human component of an identity system, most specifically phishing attacks.

Phishing is generally the practice of tricking a user into entering her authentication credentials into a site that duplicates one she trusts, so that those credentials can be harvested. It is usually done by mass-emailing deceptive URLs that point at the duplicate site and claim she needs to update some data, and it has been a rapidly growing trend in recent times.

Why do you care? Well, if you are a frequent user of the internet (and you would have to be to be reading this, I’m not linked to enough for somebody to ‘stumble’ onto my site) phishing has probably been attempted on you, and with any luck you have avoided it. Not everybody is so lucky.

In his post, Kim brings up a very interesting aspect to a digital identity system:

“… we have done a pretty good job of cryptographically securing the channel between web servers and browsers – a channel that might extend for thousands of miles. But we haven’t done a very good job at all of setting up the two or three foot channel between the browser and the human who uses it. And this is the channel that is attacked by phishers.”

After reading this, Zak and I immediately started thinking about how to address this problem, first with SXIP, and then in general. The problem, as Kim lays it out, is centered around the user not having enough meaningful information to interact with in conventional systems. We narrowed the focus a bit further, to addressing the question, “how does a user know that the site she is visiting is the one she intended to visit?”

So, how does a user know that she is visiting the actual site she intended, rather than a duplicate? Taking Kim’s warnings to heart, we immediately ruled out any kind of multi-level authentication as described in my previous post on this subject, or anything that seemed like a patch for a current flaw that has already been exploited, and instead went towards a conceptual idea that would be easily understood by the user. Here’s what we came up with…

Love at First Sight

You can be sure that a site is the one you were trying to reach if that site can tell you something about yourself before you log in. It doesn’t have to be anything important, in fact it shouldn’t be, just something that only the site would know.

When a user arrives at the site and is asked to authenticate, above the username and password input fields would sit a little piece of text that she had entered when registering, something like “you have a blue house.” The site knows which text to display based on a cookie in her browser containing something like “judy went home”: just a random bit of memorable text keyed to the piece of information she entered at registration. It could even be a phrase she had chosen.

If the site does not receive the user’s verification cookie, it would produce an extra text box prompting the user to enter her phrase if she would like to validate that the site is indeed who it says it is. In this way, whenever the user visits a site she would have to authenticate with, such as a Homesite, and the site cannot immediately verify itself to her, she will become suspicious and can choose to enter her phrase. The proper site would give the proper response; the phishing site would not.

This concept can be conveyed in symbolic terms for the user through the imagery of telling a blind date to wear a red carnation or, for us geeks who are far too busy averting evil villains’ world domination plans to go on dates, the scene in GoldenEye where the man picking up James Bond has to show him the tattoo.

The way a phishing site will try to subvert this is with cross-site scripting (XSS), but I believe that with the proper techniques any XSS attack against this system can be foiled to the point of harmlessness. I am not the authority on this, though, and invite those who may be to point out holes and, hopefully, solutions. Also, if anybody else has seen a system related to this concept, I’d love to hear from you.
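To make the “Love at First Sight” scheme concrete, here is an added example (not code from the post, SXIP, or Kim Cameron) that implements the server side of it: a user registers a phrase, the browser gets a cookie holding only a random token keyed to that phrase, the login form shows the phrase when the cookie is recognised, and otherwise offers the extra box for the user to submit her phrase. It also addresses the XSS concern above by escaping the user-chosen phrase before placing it in the page. The class and function names, the in-memory store, and the assumption that the extra box also carries the username are all constructed for this illustration.

```python
# Added demonstration of the verification-phrase scheme described in the post.
# Not the author's or SXIP's code; names and the in-memory store are constructed
# for illustration. Standard library only.
import hmac
import html
import secrets


class VerificationPhraseStore:
    """Holds each user's registration phrase and the random cookie tokens that map
    a browser back to that phrase. In-memory only (constructed for the demo)."""

    def __init__(self):
        self._phrase_by_user = {}   # username -> phrase chosen at registration
        self._user_by_token = {}    # random cookie value -> username

    def register(self, username, phrase):
        """Store the phrase and return the cookie value to set in her browser."""
        self._phrase_by_user[username] = phrase
        return self.issue_cookie(username)

    def issue_cookie(self, username):
        # The cookie carries a random, unguessable token rather than the phrase,
        # so a stolen or forged cookie reveals nothing about the phrase itself.
        token = secrets.token_urlsafe(16)
        self._user_by_token[token] = username
        return token

    def phrase_for_cookie(self, token):
        """Return the phrase to display for this cookie, or None if unknown."""
        username = self._user_by_token.get(token)
        return None if username is None else self._phrase_by_user.get(username)

    def verify_phrase(self, username, phrase):
        """Check a phrase typed into the extra box when no cookie was sent.
        Assumption: the user also supplies her username with the phrase."""
        stored = self._phrase_by_user.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored.encode("utf-8"), phrase.encode("utf-8"))


def render_login_form(store, cookie_token):
    """Build the login page. With a recognised cookie the phrase is shown above the
    credential fields; without one, an extra box lets the user submit her phrase."""
    phrase = store.phrase_for_cookie(cookie_token) if cookie_token else None
    if phrase is not None:
        # html.escape neutralises any markup in a user-chosen phrase (the XSS
        # concern raised in the post) before it is placed into the page.
        banner = '<p class="phrase">Your phrase: <b>%s</b></p>' % html.escape(phrase)
        extra_field = ""
    else:
        banner = '<p class="phrase">This browser sent no verification cookie.</p>'
        extra_field = ('<label>Enter your phrase to check this site: '
                       '<input name="phrase"></label>')
    return (
        '<form method="post" action="/login">'
        + banner
        + '<label>Username: <input name="username"></label>'
        + '<label>Password: <input name="password" type="password"></label>'
        + extra_field
        + '<input type="submit" value="Log in">'
        + "</form>"
    )


def handle_phrase_check(store, username, phrase):
    """Server side of the extra box: on a match, re-issue a cookie and confirm;
    otherwise return no cookie. A duplicate site has no phrase table to match
    against, so it cannot produce the confirmation."""
    if store.verify_phrase(username, phrase):
        return {"ok": True, "set_cookie": store.issue_cookie(username)}
    return {"ok": False, "set_cookie": None}


if __name__ == "__main__":
    store = VerificationPhraseStore()
    judy_cookie = store.register("judy", "you have a blue house")  # constructed sample
    print(render_login_form(store, judy_cookie))   # page shows the phrase
    print(render_login_form(store, None))          # page shows the extra box
    print(handle_phrase_check(store, "judy", "you have a blue house"))
```

The cookie deliberately holds a random token rather than the phrase itself, so that anything that can read cookies learns nothing about the phrase; the only place the phrase appears is in the page the genuine site renders, already HTML-escaped.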

Tags: digital identity, phishing

3 thoughts on “Gone Phishing”

  1. Do you see SSL as insufficient in terms of playing a part in this solution? One of the things that SSL assures me is that I am communicating with the site that I intend to be communicating with. Aside from a few Internet Explorer vulnerabilities through the years (which I can easily avoid by not using it), there has been nothing to erode my trust in SSL.

  2. Chris, trust in SSL relies somewhat on the browser in use, and while the vulnerabilities have been few in the past, all it takes is another one to spring up under everyone’s nose to cause considerable chaos. The idea was to be less reliant on the browser’s security model to prove that a site is trustworthy and instead to give the site itself a protocol, especially one that is easily understandable by a lay user, for demonstrating its identity.

    It is also rooted in the hopes of making such an interaction part of a digital identity system’s specifications. Just as a user’s authentication method is open ended to provide a variety of possible authentication scenarios, so too should there exist a stage in the process during which the site a user may choose to authenticate with can demonstrate to the user that it is indeed the proper site. One method is seeing the little lock on the bottom of your screen and being confident that your browser hasn’t been compromised or been set on a security level below that which is required to throw a warning; another is some form of counter-authentication, like the one I talk about here.

  3. It’s called a shared secret. The problem is it just metas the problem up a level. Now the phisher has to phish for your shared secret, rather than the shared secret of an account password, or a pin, or a credit card. It doesn’t solve the problem, except in the short term. The real problem is you need an out of band signal to authenticate the message. Anything inband is subject to spoofing of some type or another. Even if that spoofing is just a message saying “This is a real message despite what the crypto says.” The real problem is that people are gullible, and that isn’t likely to change. All you can do is warn them they’re being stupid.
