eBay Account Guard

eBay just announced the addition of the Account Guard feature to the eBay Toolbar. [via Payments News]  While the announcement doesn't go into much detail, there is some interesting information in the Account Guard section of the Toolbar FAQ.

These are its features:

  1. Site Indicator – Verified Site and Potential Spoof Site: Located prominently on the toolbar, this feature displays a distinct visual indication when you are on a verified eBay or PayPal Web site, and alerts you when you are on a potential spoof Web site. The Site Indicator turns GREEN if you are on a verified eBay or PayPal Web site; RED if you are on a potential spoof site; and GREY if you are visiting an unidentified Web site. Note: this will be the most frequent indication when you are not on eBay or PayPal.
  2. eBay Password Protection: This feature warns you when you are entering your eBay password into an unverified site even if it looks like an eBay or PayPal site. The eBay Password Protection function will block the password from being submitted to the Web site – displaying an educational message about password protection – unless you affirm that you want to proceed in entering the password into the site.
  3. Report a Spoof Site. If you suspect that you are on a fake eBay or PayPal site, eBay Toolbar enables you to report the site to eBay so that eBay can take action. As soon as the report has been verified – and we confirm that the site is fraudulent – all eBay Toolbar users will benefit from having the most current information automatically uploaded to their toolbar.

Site Indicator is an example of visual security, which I like.  It's not safe from visual spoofing though, since the green light is just a bunch of green pixels.  The presence of the eBay Toolbar doesn't even have to be detectable from the server side, because all attackers care about is a decent yield for their effort: the more popular the toolbar, the more users a fake one will fool.  Having both a real and a fake toolbar appear at the same time won't be a problem either, because the attacker can easily distract a sufficient number of users away from the real one.

eBay Password Protection is more interesting because it interrupts and warns the user with an alert dialog.  The following FAQ items provide more info:

How does eBay Toolbar detect spoof sites?

eBay Toolbar detects and verifies spoof sites through a combination of technology and reports from the eBay Community. With the tremendous volume of spoof reports, eBay Toolbar leverages the vigilance of our community to enable all eBay Toolbar users to protect themselves.

How does eBay Toolbar block my password from spoof sites?

Before a user submits a password into a Web site, Account Guard reviews the submission and scans for the user's eBay password. This is done instantly and locally (on the user's computer) and does not involve sending any information to eBay. If the Toolbar detects a password match, it displays a pop up indicating that the user is about to send an eBay password to a non-eBay verified site.

eBay Toolbar alerts me every time I enter my eBay password into a non-eBay site. Why is this happening?

eBay, like most other companies, strongly encourages its users to choose unique passwords for all of the accounts (both on and offline) that they hold. The pop-up message warns you when you are about to enter your eBay password into a non-eBay site. You can disable this warning either in the eBay Toolbar preferences page, or on a site-by-site basis.

So the eBay Toolbar knows what the user's eBay password is and prevents the user from submitting that password to any site not on its list of verified sites, which is presumably downloaded from eBay and updated regularly.  It makes sense to discourage users from using their eBay password elsewhere, but it's bound to annoy quite a number of eBay users, many of whom will have to change the universal passwords they use at many non-eBay sites.  If it's good for ya, it's usually bitter.

The feature I like the most is the easy spoof reporting although it could create a lot of mess to clean up if misreports flood in.  I hope eBay shares their experience with Account Guard.

Levitated: Awesome

I saw this great image at Jeneane Sessum's blog and thought it was a wonderful album cover (oops, still thinking in LP mode).

Then I found out that it was generated (click-through on the picture) at Levitated using Flash.  Cool!  Then I clicked on a link and found myself with a page full of Flash-based open source computational animations and interactive paintings.  They are perfect for creating eye-candy banners for geeky websites.  A Must See!

Need more?  Visit Complexification's gallery of computation.  I particularly liked the Buddhabrot which shows Buddha as a fractal image.

Phishing News

Glenbrook Partners has updated their phishing analysis.  It's a must read for executives concerned about online fraud.

Meanwhile, PassMark has finally unveiled itself with an announcement (and demo) of new countermeasures against phishing attacks.  PassMark was founded by Bill Harris, former CEO of Intuit and PayPal.

The frog and the text in red are PassMarks.

Their solution is similar to the Personal Assurance Message (PAM) used in 3D-Secure, the standard underlying the Verified by Visa and MasterCard SecureCode programs.  PAM works by asking the cardholder to enter a text string during registration (aka enrollment), which is then displayed on the PIN entry page.  For the card issuer to find the text string entered by the cardholder, the cardholder must first provide a credit card number to the merchant initiating the 3D-Secure transaction.

In addition to a text string, PassMark uses a picture selected or submitted by the user.  Like 3D-Secure, PassMark needs a way to identify the user before it can show the right picture.  The user enters their name in the demo, but there are other means of identification, and having a client-side component opens up even more possibilities.

While PassMark is not foolproof against phishing, it does drastically reduce the scalability of phishing attacks, and it provides visible security, a property whose importance security experts often overlook or underestimate.

Re scalability of phishing attacks

Before a phishing attack can be made, user-specific images (aka PassMarks) must be scraped from the PassMark-protected site with bogus login attempts.  A sudden spike in failed login attempts alerts the site, and appropriate defensive action can be taken before the attacker builds a substantial database of PassMarks.  The attacker can't trickle bogus login attempts over time either, because the PassMark is not displayed until a preliminary weak identification of the user has been made (i.e. the user name).

As to the defensive measures, one method is to ask the user to select/submit two pictures, one for immediate use and another for when an ongoing phishing attack voids the first picture.  I am not sure if PassMark does this though.
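The two ideas above (the mark is only shown after a weak identification step, and a spike in lookups triggers a defensive rotation to a backup mark) are easy to model server-side.  The following is an added example of my own, not PassMark's implementation; the data model, the per-source sliding window, the threshold and the "rotate everyone to the backup mark" response are all assumptions chosen to illustrate the argument.

```javascript
// Added example, not PassMark's code: two-step mark lookup plus a scraping
// monitor. Step one is weak identification (user name); only then is that
// user's mark returned. Lookups are counted per source in a sliding window,
// and a spike triggers the defensive action discussed in the post: every
// user is switched to their backup mark, voiding whatever was scraped.
// Window size, threshold and the rotation policy are assumptions.
class PassMarkSite {
  constructor({ windowMs = 60 * 1000, maxLookupsPerSource = 20 } = {}) {
    this.users = new Map();    // username -> { marks: [primary, backup], active: 0|1 }
    this.lookups = new Map();  // source (e.g. client IP) -> [timestamps in window]
    this.windowMs = windowMs;
    this.maxLookupsPerSource = maxLookupsPerSource;
    this.alerts = [];          // { source, count, at } for each threshold breach
  }

  // Enrollment: the user picks two marks; the second is held in reserve.
  enroll(username, primaryMark, backupMark) {
    this.users.set(username, { marks: [primaryMark, backupMark], active: 0 });
  }

  // Step one of login: weak identification by user name. Returns the mark to
  // render on the password page, or null for an unknown user. Every call,
  // successful or not, is charged to the requesting source.
  identify(username, source, now = Date.now()) {
    this._record(source, now);
    const user = this.users.get(username);
    return user ? user.marks[user.active] : null;
  }

  // Sliding-window counter per source; a breach is logged and answered.
  _record(source, now) {
    const stamps = (this.lookups.get(source) || []).filter(t => now - t < this.windowMs);
    stamps.push(now);
    this.lookups.set(source, stamps);
    if (stamps.length > this.maxLookupsPerSource) {
      this.alerts.push({ source, count: stamps.length, at: now });
      this.rotateMarks();
    }
  }

  // Defensive action: move every enrolled user to their backup mark.
  // Idempotent, so repeated alerts within the same burst are harmless.
  rotateMarks() {
    for (const user of this.users.values()) user.active = 1;
  }

  // How many marks an attacker could have harvested from a given source.
  harvestedFrom(source) {
    return (this.lookups.get(source) || []).length;
  }
}
```

Note the weakness a reviewer would flag: a scraper that spreads its lookups over many sources, or stays under the threshold, is not caught by a per-source window alone, and after one rotation there is no second backup; the post's argument rests on the site noticing the burst early, not on the window being unbeatable.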

Also See: Posts about Phishmarking.

Corporate Blogger’s Dinner

I am planning on having a Corporate Blogger's Dinner in San Francisco some time in March.  If you are interested in such an event, please let me know via comment or e-mail (click on my picture).  I also need suggestions on when and where.

If you are wondering why someone who is not a corporate blogger is hosting such an event, it's because I want to hear what they think.  Corporate bloggers don't get to talk about their views on their blogs because of the nature of their blogs.  So I want to create a setting where they can discuss their views and the issues they see in corporate blogging.

Secure UI: Phishmarked Password Field

One of the issues one has to be careful with while implementing phishmarked UI is noticeability: if the user doesn't notice the phishmarks, they are useless.

The URL displayed in the browser toolbar and the golden lock at the bottom can be seen as weak phishmarks.  The URL is stronger than the golden lock because it varies depending on the site and the page being displayed while the golden lock depends on nothing except the underlying communication protocol being used.

As to their noticeability, both are positioned away from the area the user is interested in, forcing the user to remember to glance up and down.  It's not that glancing is difficult or laborious.  It's remembering to do so that is difficult, particularly when the user is in a task-oriented mindset such as buying something or logging into their bank account.

When a user is faced with a login screen like the one shown below, the user is already intent on seeing the pages protected by the password.  If an eye-tracking test were done, the results would show that most users stop briefly over the bold 'login' and then move on to 'username', 'password', and the 'submit' button before moving back to the two text fields and readying their fingers to type.

What about the browser frame and the rest of the page?  Well, they simply fade from the user's mind, just as the face of a bald man fades.  So phishmarks outside the area the user is focusing on are not as effective as those inside it.

I chose to protect the password field with a phishmark because, well, protecting passwords from phishing is a good idea. :-)  Besides the obvious, the password field can be littered with other graphics with fewer problems than other UI components, because all it has to display is how many characters were typed.

Here is the version using phishmarked password field: 

The background shows a muted 2D fractal landscape that is specific to the user.  The landscape will change over time at a frequency set by either the user or the IT department.  The phishmark will not be displayed if the password field is on a page that does not originate from a legitimate site.  As to exactly how this can be done, there are many ways.  BTW, this is a patent-heavy minefield, so be careful where you step.

The background could also be site-specific, but I think a separate site-and-user-specific graphic selected by the user should be overlaid on the user-specific background.  For example, Orkut could let the user select a memorable character out of a random selection (i.e. Yamaguchi-like characters) and map it to the user using one of several (possibly patented) techniques.

This is how it would look after user typed the password.

Anyhow, if you need help with phishmarking or phishing in general, let me know (click on my picture).  Despite all the entrepreneurial activities, I am also a consultant in a rather embarrassingly wide range of technologies, security and UI among them.


Update:

Please read the post about PassMark patent that could affect phishmarks.

CodeSmith 2.5

If you are a .NET developer, you will be interested to know that CodeSmith 2.5 is hot off the grill with the following changes:

  • Full blown IDE for editing templates.
  • Tons of improvements to CodeSmith Explorer.
  • New help content to help get you started.
  • It should now be possible to run CodeSmith as a non-Administrator user.
  • Dramatically improved compiler performance on templates.
  • Lots of new sample templates and applications.
  • Schema Explorer now provides access to even more schema information including extended properties.
  • Too many other minor enhancements and bug fixes to list.

I am installing right this moment.

Longhorn Aero UI Sampler

I just ran across this nice set of Longhorn UI related articles, officially titled Aero User Experience Guidelines: Sampler for PDC 2003.  Links to the meat are under the What's Inside? heading.  Some good ideas, some questionable, but all good looking.  I am starting to get a little sick of all the gradients though, and the huge title bar seems wasteful.  I wonder what usability tests caused them to make the title bar so much bigger?

Gay Marriages

Frankly, I don't see what the big deal is.  Let each state decide for itself by popular vote.  I think California is ready.  As to polygamy- and bestiality-based arguments, I am cool as long as the majority of the people in my state vote in favor.

Who knows?  Maybe computers will get so sexy looking in the future that geeks marrying their computers will be a common occurrence.

Blogger’s Poker Party

Speaking of Texas Hold'em, it might be interesting to hold a Blogger's Poker Party as a variation on the blogger's dinner.  Does anyone have an ideal pad for such an event in the Bay Area?  Mine is too small.

Bill Burnham on RSS

Bill Burnham, who plays a VC at Softbank when he is not playing Texas Hold'em, has a clear view of where RSS is heading and what the upcoming problems are.  Read his post RSS A Big Success in Danger of Failure (I linked the version at Seed Capital Partners' The Weekly Read because Bill's version doesn't seem to have a permalink).  His view matches mine but I think he has overlooked some hidden valleys.  Added Bill to my blogroll.