No phishing

How a simple browser extension could help you ward off the Syrian Electronic Army

September 3, 2013
Obsession
Cybercrime
September 3, 2013

Shortly after several news organizations had email and Twitter accounts hacked into by the Syrian Electronic Army in May this year, Atlantic Media—which owns Quartz and other publications—ran a test to see how many of us would fall victim to something similar. We each received an email that appeared to be from Google and asked us to verify our Google accounts by logging into them at a certain link. Though it looked legitimate, the email came from a third party—in this case our own chief technology officer.

Such tactics, commonly called phishing attacks, trick people into revealing personal information, such as a password that then gives the attacker access to the victim’s email, bank accounts, Twitter, Facebook or other things. In this case, 58% of Atlantic Media fell for what was fortunately just a test. But tens of thousands of real attacks of this kind are carried out every month (pdf). Other media companies, including the Financial Times, the Associated Press and even the Onion, have fallen prey to them.

One way to prevent phishing is to check websites very carefully before keying in your username and password. But since most people don’t do that—or even if they do, may get fooled by a site called, say, gmaiI.com (with a capital I) masquerading as gmail.com (with a lower case L)—a prototype piece of software developed by by researchers at Royal Holloway, part of the University of London, does the checking for them (pdf).

The software, IDSpace, comes in the form of an extension for your web browser. It stores your login credentials for various sites (and thus, as a bonus, acts as a password manager). Every time you try to log into one of them, a little window pops up to ask if you’d like it to fill in your details for you—but only if it is the correct website. That way, you know the page is legitimate.

If such a scheme sounds obvious, that is because it is. Microsoft introduced something similar, called Windows CardSpace in 2006. In 2011, Microsoft killed the project. So why should a couple of British academics succeed where one of the world’s biggest technology companies did not?

For one thing, says Chris Mitchell, who developed IDSpace along with Haitham Al-Sinani, a doctoral candidate, the problem of phishing has become more pressing. There are now hundreds more services that now require users to register and log in (often for no reason except to get their email address.) Many websites also now let you log in using your Google, Twitter or Facebook password, so if that password falls into someone else’s hands, the potential for mischief is much greater.

The other reason this may work, Mitchell says, is that Microsoft’s system lacked the ability to work with older technologies and required a certain set of standards. IDSpace works independently—no one need even know it’s installed on your system.

Of course, admits Mitchell, it’s not foolproof. A well-crafted email could still convince you that mum really needs your online banking password. “I can’t guarantee that it will prevent such an attack,” he says. “But one of the goals is to make it more obvious who it is you’re talking to.” That at least should deter all but the most dedicated attackers.

Top News

Powered by WordPress.com VIP
Follow

Get every new post delivered to your Inbox.

Join 26,884 other followers