Deploying psychology in the fight against phishing

Written By: Fran Howarth
Published: 15th July, 2005
Content Copyright © 2005 Bloor. All Rights Reserved.

The word phishing is a play on the traditional sport of fishing: people put out hooks, hoping that someone will take the bait. The commonest form of phishing is an e-mail sent to consumers containing a link that purports to lead to a web site, such as that of their bank. Consumers will usually be told that there is some problem with their account, such as a problem with a recent statement.

These e-mails will be designed to mirror normal communications from the bank in question, using its logos and perhaps containing legitimate links to the real web site. However, to solve the supposed problem with, in this example, the bank statement, the e-mail recipient will be asked to click on a link that ostensibly takes them to the bank's help site. Here they will be asked to confirm or enter personal details - perhaps account numbers or passwords. These details can then be used to steal the e-mail recipient's identity.

For individuals, that is a daunting prospect and one that an increasing number of people are experiencing. But companies also stand to lose a great deal in terms of damage to their corporate reputation. If a customer has been the victim of such a scam, they will be less willing to trust the bank or other service provider and they may even be persuaded to switch to another provider. But, if large numbers of customers are affected, stories will leak into the press, perhaps causing the share price of the company which has had its web site spoofed to tumble.

Many technology vendors are grappling with the problem of how to stop phishing attacks, for example by offering domain key technology in combination with reputation filters that look for unusually large volumes of traffic from a particular e-mail address and throttle it. This works well in environments handling large amounts of outbound e-mail and the spam that accompanies it.

But one technology vendor has come up with a neat solution that can be deployed at low cost to restore consumers' faith in corporate web sites. As attackers increasingly use social engineering to get consumers to divulge personal information, US technology start-up Green Armor is deploying psychological techniques to engender users' trust.

With the product, called Identity Cues, a visitor to a web site is presented with a visual cue every time they log on to use that site's services. The cue takes the form of a coloured box next to the login area of the screen, containing a three-letter word in a second colour. For example, it may be a yellow box with the word 'cat' in purple lettering.

The technology requires no software download by the user, no storage of their details in a database and no cookies on the computer they are using. Nor do they need to memorise the cue, which is mathematically generated and assigned to them: tests have shown that users automatically remember the cue they have been prompted with before. If a different colour combination or word is offered to them, they will realise that something is wrong, indicating that the web site has been spoofed.

Green Armor's CEO Joseph Steinberg did consider using pictures assigned to each individual that pop up when they attempt to log into a web site, but that would require that a massive database of images be maintained, adding to the burdens of over-stretched corporate networks.
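The two properties described above, a cue that is "mathematically generated" for each user yet needs no per-user database record, are what a stateless, keyed derivation gives you. The following is an added illustration, not Green Armor's code and not a description of how Identity Cues actually computes its cues: it assumes the cue is an HMAC of the normalised username under a server-side secret, mapped onto a constructed palette and word list. The palette, word list, secret and function names are all assumptions made for the example.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed palette and word list for illustration only; the page does not
# describe the real product's choices.
COLOURS = ["yellow", "purple", "green", "blue", "red", "orange", "grey", "white"]
WORDS = ["cat", "dog", "sun", "cup", "hat", "key", "pen", "box",
         "map", "jar", "owl", "fox", "bee", "ant", "car", "bus"]


def normalise(username: str) -> str:
    """Canonicalise the identifier so that 'Alice ' and 'alice' get one cue.

    Without this step a stateless scheme would show a different cue for a
    trivially different spelling and train users to ignore mismatches.
    """
    return username.strip().lower()


def identity_cue(server_secret: bytes, username: str) -> Tuple[str, str, str]:
    """Return (box_colour, word, word_colour) derived from a keyed hash.

    Assumption: HMAC-SHA256 under a server-held secret.  Keying the
    derivation means the cue cannot be computed by anyone who merely knows
    the palette and word list, and the server keeps no per-user record; the
    cue is recomputed from the username on every login.
    """
    digest = hmac.new(server_secret, normalise(username).encode("utf-8"),
                      hashlib.sha256).digest()
    box_colour = COLOURS[digest[0] % len(COLOURS)]
    # Pick the word colour from the palette minus the box colour so the word
    # is never rendered in the same colour as its background.
    other_colours = [c for c in COLOURS if c != box_colour]
    word_colour = other_colours[digest[1] % len(other_colours)]
    word = WORDS[digest[2] % len(WORDS)]
    return box_colour, word, word_colour


def describe_cue(cue: Tuple[str, str, str]) -> str:
    """Plain-text rendering of a cue, e.g. for an alt attribute on the box."""
    box_colour, word, word_colour = cue
    return f"{box_colour} box with the word '{word}' in {word_colour}"


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-production"  # assumption
    for name in ("alice", "Alice ", "bob"):
        print(f"{name!r:10} -> {describe_cue(identity_cue(SECRET, name))}")
```

Two practical points follow from the derivation rather than from anything the page states. First, because the cue depends only on the username and is shown before the password is entered, it is available to anyone who presents that username to the genuine site; a phishing page that relays the username to the real site in the background can fetch and display the correct cue, so the cue defends against a static copy of the site more than against a live proxy. Second, the example always carries a word as well as two colours and exposes a textual description, which is the obvious answer to the colour-blindness question raised below: the word survives even where the colours do not.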

The technology appears to be simple and could prove to be effective in the fight against fraud caused by phishing attacks. But a couple of questions remain: how many identity cues will consumers have to remember as they come into common use and consumers increasingly use a wider range of web-based services? And, it may seem obvious, but how will this work with people who are colour blind?
