Gone phishing

A research group at Stanford has developed an extension to popular Web browsers that completely overhauls the security of passwords.

It’s an online con that is growing fast and stealing tens of millions of dollars. An e-mail seemingly from a financial institution instructs you to log on to a legitimate-looking Web site. Such “phishing” attacks exploit a universal weakness in online security: passwords.

“Phishing attacks fool users into sending their passwords, in the clear, to an unintended Web site,” says Dan Boneh, an associate professor of computer science and electrical engineering at StanfordUniversity. “Since Internet users often use the same password at many Web sites, a phishing attack on one site will expose their passwords at many other sites.”

Boneh and computer science Professor John Mitchell say they can change all that. Their research group has developed an extension to popular Web browsers that completely overhauls the security of passwords with only the slightest change in the daily Web-surfing experience – one or two keystrokes before entering a password activates their software.

Mitchell, Boneh, and their students described the extension, named PwdHash (short for “Password Hash”), at the 14th Annual Usenix Security Symposium in Baltimore at the end of July. It is one of three tools the pair has devised to combat phishing.

PwdHash works behind the scenes to irreversibly encrypt a user’s password in a way that is unique for every Web site. “Hashing” a password means combining the typed password and the site’s domain name in an algorithm that outputs a unique password that bears no traceable resemblance to the typed one.

The hashed version produced by PwdHash for a phishing site therefore bears no resemblance or clues to the hashed version that is valid at the legitimate site. Meanwhile, the user simply has to remember the familiar typed password. When a potential phishing victim unwittingly enters his eBay password at a phony site posing as eBay, PwdHash generates a new password for the phisher’s site, so the phisher ends up gathering something totally different than what is actually needed to log in at eBay.

To tell PwdHash to do the hashing, the user only has to type “@@” or the F2 key before typing the password

To get the benefit of PwdHash’s protection, users will have to change their passwords using PwdHash at sites where they have accounts. But users can do this at their own pace, Mitchell says. Besides, changing passwords is something people should do anyway, say the computer scientists. “It’s a good idea to change your password in case somebody discovers it,” Mitchell says. “It is also part of making sure that you are using different passwords at different sites.”

Boneh hopes that major technology companies – and the Stanford researchers have met with several – will adopt PwdHash and help distribute it broadly.

Of course, like all security software, PwdHash is not perfect. For example, it does not work for the AOL browser and cannot protect users who have unwittingly downloaded software that can read their keystrokes as soon as they type them. Some phishing sites trick users into downloading such software.

But that’s where other tools from Boneh and Mitchell can help. SpoofGuard, another browser extension, can recognize illegitimate pages and warn users when they visit them. After installing SpoofGuard, a user would only have to watch his or her screen to avoid many phishing sites. PwdHash would then be the second line of defence.

SpoofGuard uses several cues to determine whether a site is questionable. It will suspect pages with names similar but not identical to major ones (e.g., www.ebay.com or www.paypal.com), pages with numerical rather than text addresses, pages with images that are known in a database to be associated with other addresses (such as corporate logos) and pages that are not already in the user’s history list.

SpoofGuard will even warn users who are visiting pages already known to the anti-phishing community. Finally, it will “watch” as users type in passwords. If the password is being entered at a site different than the one it associates that password with, SpoofGuard will warn the user.

Another tool Boneh and Mitchell are currently developing, called SpyBlock, is meant to directly combat the keystroke reading software that phishers try to distribute.

Unfortunately, users always will have to be vigilant about Internet scams and how to protect themselves, Boneh says. “There is not going to be a silver bullet against phishing,” he says. “It’s going to be a collection of defence mechanisms that hopefully can work together to prevent the problem.”