CyLab researchers at Carnegie Mellon University (CMU) have developed a new anti-phishing tool to protect mobile users. Their Phoolproof Phishing Prevention system can protect users of cell phones, PDAs or even laptops from network-based attacks, even when they make mistakes. This system is based on a really simple concept. It provides a secure electronic key that the user can access while making online transactions. But the user can't give this key to someone else, especially to a phisher who could otherwise have found a way to access his account.
This system has been developed at CMU's CyLab by a team led by Adrian Perrig who explains why he decided to create this service.
"Essentially, our research indicates that Internet users do not always make correct security decisions, so our new system helps them make the right decision and protects them even if they manage to make a wrong decision," Perrig said.
Here is how this anti-phishing system works.
Phoolproof Phishing Prevention essentially provides a secure electronic key ring that the user can access while making online transactions[...] These special keys are more secure than one-time passwords because the user can't give them away. So phishers can't access the user's accounts, even if they obtain other information about the user, researchers said.
Images are always better than words, so below is a description of what would happen if a hypothetical Alice decided to access her account online after registering with the Phoolproof system. (Credit: CMU)
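To make the idea of an "ungiveable" key concrete, here is an added example written for this page; it is not CMU's Phoolproof code, and the domain names, the per-site key ring and the challenge-response exchange are assumptions that approximate the concept described above rather than the project's actual protocol (see the paper linked below for that). The device keeps one signing key per registered site and only ever releases signatures, never the key itself, and each signature is bound to the domain the device was actually talking to. The scenario walks Alice through a genuine login, a visit to a phishing page by mistake, and the worst case where she registers with the phishing page, which then relays the real bank's challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keyring models the device-held key ring: one key pair per registered site,
// indexed by that site's domain. Private keys never leave this struct.
type Keyring struct {
	keys map[string]ed25519.PrivateKey
}

func NewKeyring() *Keyring {
	return &Keyring{keys: make(map[string]ed25519.PrivateKey)}
}

// Register creates a key pair for domain and hands back only the public half,
// which the site stores against the account at enrollment time.
func (k *Keyring) Register(domain string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[domain] = priv
	return pub, nil
}

// Respond signs a login challenge. The signed message includes the domain the
// device is talking to, so the response only verifies at that site.
func (k *Keyring) Respond(domain string, challenge []byte) ([]byte, error) {
	priv, ok := k.keys[domain]
	if !ok {
		return nil, errors.New("no key registered for " + domain)
	}
	return ed25519.Sign(priv, challengeMessage(domain, challenge)), nil
}

// challengeMessage binds a challenge to a domain (NUL keeps the fields apart).
func challengeMessage(domain string, challenge []byte) []byte {
	return append([]byte(domain+"\x00"), challenge...)
}

// Site models a service that authenticates accounts by public key.
type Site struct {
	Domain   string
	accounts map[string]ed25519.PublicKey
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, accounts: make(map[string]ed25519.PublicKey)}
}

func (s *Site) Enroll(user string, pub ed25519.PublicKey) { s.accounts[user] = pub }

// NewChallenge returns a fresh random nonce so an old response cannot be replayed.
func (s *Site) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks a response against the key enrolled for user and this site's
// own domain; a signature produced for any other domain fails here.
func (s *Site) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.accounts[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challengeMessage(s.Domain, challenge), sig)
}

// Scenario runs Alice through the three situations and reports the outcomes.
func Scenario() (legitOK bool, phishRefused bool, relayOK bool, err error) {
	bank := NewSite("bank.example")        // constructed domain
	phish := NewSite("bank-login.example") // constructed look-alike domain
	device := NewKeyring()

	pub, err := device.Register(bank.Domain)
	if err != nil {
		return
	}
	bank.Enroll("alice", pub)

	// 1. Genuine login: the bank's challenge, signed for the bank's domain.
	ch, err := bank.NewChallenge()
	if err != nil {
		return
	}
	sig, err := device.Respond(bank.Domain, ch)
	if err != nil {
		return
	}
	legitOK = bank.Verify("alice", ch, sig)

	// 2. Alice lands on the look-alike domain: the device holds no key for it.
	_, respErr := device.Respond(phish.Domain, ch)
	phishRefused = respErr != nil

	// 3. Worst case: Alice registers with the look-alike site, which relays the
	// bank's challenge. The signature is bound to the wrong domain, so it fails.
	if _, err = device.Register(phish.Domain); err != nil {
		return
	}
	relayed, err := device.Respond(phish.Domain, ch)
	if err != nil {
		return
	}
	relayOK = bank.Verify("alice", ch, relayed)
	return
}

func main() {
	legit, refused, relay, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login verified: %v\ndevice refused unknown site: %v\nrelayed response accepted: %v\n",
		legit, refused, relay)
}
```

The contrast with a one-time password is the point of the third case: a code Alice types into the wrong page can be relayed to the real site within its validity window, whereas a signature the device makes for the wrong domain is worthless there, and the key that produced it never left the device.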
It remains to be seen if this tool will be deployed by online vendors. But there are concerns in the industry about online fraud and about new security guidelines for financial institutions.
Complicating the concern for more secure financial sites is a looming deadline for new security guidelines from the Federal Financial Institutions Examination Council (FFIEC), a group of government agencies that sets standards for financial institutions. Last year, the FFIEC set a Dec. 31 deadline for banks to add online security measures beyond just a user name and password. Failure to meet that deadline could result in fines, the FFIEC said.
For more information about this project, you can read this technical paper about Phoolproof Phishing Prevention (PDF format, 16 pages, 181 KB).
Sources: Carnegie Mellon University news release, August 31, 2006; and various web sites