Feeds

Phishing with Rachna Dhamija

The human factor

The Power of One eBook: Top reasons to choose HP BladeSystem

DSS adds a trusted window in the browser dedicated to username and password entry. The user chooses a photographic image (or is assigned a random image), which is overlaid across the window and text entry boxes. If the window displays the user's personal image, it is safe for the user to enter his password.

We also propose a way for the server to generate a unique abstract image for each user and each transaction. This image is used to create a "skin" that automatically customises the browser window or the user interface elements in the content of a webpage. The user's browser can independently reach the same image that it expects to receive from the server. To verify the server, the user only has to visually verify that the images match. With DSS, the user has to recognise only one image and remember one password, no matter how many servers he interacts with. In contrast, other shared secret schemes require users to save a different image with each server.

How did you have the intuition to use computer generated graphics to help users recognise valid websites from fake ones?

There are two types of images that can be used in this approach. The first is real images (photographs). This is the secret image that users must choose when setting up their browser and then recognise before entering their password. There is large body of cognitive science literature that shows that humans are very good recognising images they have seen before. Our user studies showed that participants really enjoyed this recognition task, especially if they could choose their own images.

We also experimented with randomly generated images. In previous work, we proposed using the Random Art algorithm as a way to automatically generate images for a graphical password scheme call Deja Vu (which I developed with Adrain Perrig). Random Art has a nice property that it takes a bit string as input and generates a random abstract image. Given the image, it should be hard to determine the input string.

With security skins, we were trying to solve not user authentication, but the reverse problem - server authentication. I was looking for a way to convey to a user that his client and the server had successfully negotiated a protocol, that they have mutually authenticated each other and agreed on the same key. One way to do this would be to display a message like "Server X is authenticated", or to display a binary indicator, like a closed or open lock. The problem is that any static indicator can be easily copied by an attacker. Instead, we allow the server and the user's browser to each generate an abstract image. If the authentication is successful, the two images will match. This image can change with each authentication. If it is captured, it can't be replayed by an attacker and it won't reveal anything useful about the user's password.

When do you plan to release the securityskins plugin?

Currently, we have a prototype of the interface developed in Mozilla XUL, which we are improving based on feedback from our studies. Mozilla turned out to be a good prototyping tool, and allows us to rapidly iterate through interface ideas. A number of organisations have expressed interest in adopting security skins, and we have started development of an extension that can be released to the public. So stay tuned!

Should we expect to solve the problem just working on one level, either human or technological?

No, I think the solution to phishing will require advances on both levels. However, our study suggests that a different approach is needed in the design of security systems. Rather than approaching the problem solely from a traditional cryptography-based framework (what can we secure?), we have to take into account what humans do well and what they do not do well.

Do you think that so-called Web 2.0 features (Ajax in particular) could make the situation worse by providing phishers with the ability to launch complex applications from a web page?

Javascript and Ajax definitely allow attackers to create better attacks. They make it possible to simulate every element of a web browser. However, Ajax also allows more interesting web applications and security interfaces to be developed. Instead of blaming specific development techniques, I think we need to change our design philosophy. We should assume that every interface we develop will be spoofed. The only thing an attacker can't simulate is an interface he can't predict. This is the principle that DSS relies on. We should make it easy for users to personalise their interfaces. Look at how popular screensavers, ringtones, and application skins are - users clearly enjoy the ability to personalise their interfaces. We can take advantage of this fact to build spoof resistant interfaces.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Federico Biancuzzi is freelancer; in addition to SecurityFocus he also writes for ONLamp, LinuxDevCenter, and NewsForge.

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.