Just as phishing is getting noticed as a big problem, so a raft of solutions is appearing on the horizon.
Here’s another: PassMarks. It works like this. When a customer logs on to his banking website, a personalized image known only to the customer and the bank appears. If the customer doesn’t see the passmark – an image the user chose, can remember and can easily recognise – then the site is not the real thing. If he does, it’s safe for the customer to enter his password. PassMarks could also be used to authenticate email from the bank to the customer.
Not a bad solution. Elegant, and simple. PassMarks would work most of the time, because the user is going to be suspicious if he doesn’t see the PassMark, and just will not sign on. And it makes sense to use an image, something that is hard to fake and easy to remember.
The problem, as I see it, is this: Most phishing attacks work by a combination of social engineering tricks and nifty programming. All of these play on the curiosity, gullibility and lack of tech savvy on the part of the user. Here’s an example of how PassMarks might be bypassed:
Phishing trojan: A legitimate-looking phishing email arrives late on Friday, apparently from the bank. It explains the absence of a PassMark in the email by saying the bank’s servers are down and the database has been corrupted. The email asks the user either to phone the bank on Monday morning or, if the customer needs to access his bank account before then, to visit this link and reactivate or select a new PassMark. The user, in a hurry and persuaded by the sensible-sounding advice, does the latter. On the dodgy phisher’s website he either selects a new PassMark (telling the phisher what the PassMark is and thus rendering the defence useless) or unknowingly downloads a trojan keylogger, which captures the password when the user is passed on to the legitimate banking website.
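To make the two points above concrete, here is a small model of a PassMark-style login flow. It is an added example, not PassMark’s own code, and the customer record, the session tokens and the "impostor" site are constructed for illustration. It shows the mutual-authentication ordering (the site proves itself with the shared image before the customer ever sends a password) and the server-side rule that would blunt the "reactivate your PassMark" lure: a PassMark can only be changed inside a session that has already been authenticated, never through an unauthenticated link.

```python
"""Model of a PassMark-style mutual login flow (constructed example)."""
import secrets


class BankSite:
    """The real bank: holds each customer's PassMark and credential."""

    def __init__(self):
        # Constructed sample customer. The password is stored in the clear
        # only to keep the model short; a real system stores a password hash.
        self._users = {
            "alice": {"passmark": "red-canoe.png", "password": "correct horse"},
        }
        self._sessions = {}  # session token -> username

    def passmark_for(self, username):
        # Step 1: the customer identifies herself and the site proves itself
        # by returning the image that only she and the bank know.
        user = self._users.get(username)
        return user["passmark"] if user else None

    def login(self, username, password):
        # Step 2: only reached by a customer who has already seen her PassMark.
        user = self._users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def change_passmark(self, token, new_mark):
        # Hardening: a PassMark may only be changed from an authenticated
        # session. An emailed "reactivate" link carries no such session, so
        # the change is refused rather than silently accepted.
        username = self._sessions.get(token)
        if username is None:
            return False
        self._users[username]["passmark"] = new_mark
        return True


class ImpostorSite:
    """A look-alike site that does not hold the bank's PassMark table."""

    def passmark_for(self, username):
        # All it can show is a generic image or an excuse for its absence.
        return None


def customer_login(site, username, expected_mark, password):
    """Client-side rule: send the password only after the PassMark matches."""
    if site.passmark_for(username) != expected_mark:
        return None  # missing or wrong image: do not enter the password
    return site.login(username, password)


if __name__ == "__main__":
    bank = BankSite()
    print("real bank:", customer_login(bank, "alice", "red-canoe.png", "correct horse"))
    print("impostor:", customer_login(ImpostorSite(), "alice", "red-canoe.png", "correct horse"))
    print("reset via bare link:", bank.change_passmark("link-token", "blue-kite.png"))
```

The impostor case fails at the first step because the look-alike site cannot produce the image, and the password is never transmitted. The reset case fails because the token in a mailed link is not a session the bank issued. Neither check helps, of course, once the customer has been talked into choosing a new PassMark on the impostor’s own page, which is the social-engineering gap the post is about.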
This illustrates one of the underlying problems with all defences against social engineering attacks. Social engineering plays on the victim’s sense of what sounds right, as well as their desire to avoid a problem. If you tell a user ‘we never send emails asking you for your password’, for example, that will work until they receive another email saying the situation has changed. A phisher, for example, sends a kosher-looking email saying ‘Your bank account may have been compromised. Please do not give out your password. Please visit the banking website here [link to dodgy site] to confirm that you have not given out your password.’ User then visits dodgy website, is lulled by layers of ‘security’ into confirming password to enter account to check it hasn’t been compromised. Account is now compromised.
This is how phishing works. It evolves, adapting to new realities, both social and technical. Extra layers of authentication are good — I’m not saying PassMarks is a bad idea — but I worry that folk like PassMark underestimate the problem and their adversary. As they say on their website, phishing “is a game for con artists, rather than computer hackers.”