Phishing News

Glenbrook Partners has updated their phishing analysis.  It's a must read for executives concerned about online fraud.

Meanwhile, PassMark has finally unveiled itself with an announcement (and demo) of new countermeasures against phishing attacks.  PassMark was founded by Bill Harris, former CEO of Intuit and PayPal.

The frog and the text in red are PassMarks.

Their solution is similar to the Personal Assurance Message (PAM) used in 3-D Secure, the protocol underlying the Verified by Visa and MasterCard SecureCode programs.  PAM works by asking the cardholder to enter a text string during registration (aka enrollment); that string is then displayed on the issuer's PIN entry page so the cardholder can tell the real page from a fake.  For the card issuer to look up the cardholder's text string, the cardholder must first provide a credit card number to the merchant initiating the 3-D Secure transaction.

In addition to a text string, PassMark uses a picture selected or submitted by the user.  Like 3-D Secure, PassMark needs a way to identify the user before it can show the right picture.  In the demo the user enters a user name, but other identifiers could serve, and a client-side component widens the options further.

While PassMark is not foolproof against phishing, it drastically reduces how well phishing attacks scale, and it provides visible security, a feature whose importance security experts often overlook or underestimate.  The main caveat is that the picture is only as strong as the identifier that unlocks it: a phisher who relays the victim's user name to the real site in real time can fetch the genuine PassMark and show it on the fake page.

Re scalability of phishing attacks

Before a phishing attack can be made, user-specific images (aka PassMarks) must be scraped from the PassMark-protected site with bogus login attempts, one per user name.  A sudden spike in failed login attempts alerts the site, and defensive action can be taken before the attacker builds a substantial database of PassMarks.  The attacker can't trickle bogus login attempts over time either, because a PassMark is not displayed until a preliminary, weak identification of the user (i.e. the user name) is made, so every probe still shows up as a login attempt against a specific account.

As to defensive measures, one method is to ask the user to select/submit two pictures, one for immediate use and another for when an ongoing phishing attack voids the first picture.  I am not sure if PassMark does this though.

Also See: Posts about Phishmarking.

Secure UI: Phishmarked Password Field

One of the issues one has to be careful with while implementing phishmarked UI is noticeability: if the user doesn't notice the phishmarks, they are useless.

The URL displayed in the browser's address bar and the padlock at the bottom of the window can be seen as weak phishmarks.  The URL is the stronger of the two because it varies with the site and the page being displayed, while the padlock depends on nothing except the underlying communication protocol (whether the page came over SSL/TLS).  Neither is tied to the user, and both can be painted into a page by the visual spoofing technique described in the Phishmarking post.

As to their noticeability, both are positioned away from the area the user is interested in, forcing the user to remember to glance up and down.  It's not that glancing is difficult or laborious.  It's remembering to do so that is difficult, particularly when the user is in a task-oriented mindset such as buying something or logging into their bank account.

When a user is faced with a login screen like the one shown below, the user is already intent on seeing the pages protected by the password.  If an eye-tracking test were done, the results would show that most users stop briefly over the bold 'login' and then move on to 'username', 'password', and the 'submit' button before moving back to the two text fields and readying their fingers to type.

What about the browser frame and the rest of the page?  They simply fade from the user's mind, just as the face of a bald man fades.  So phishmarks outside the area the user is focusing on are not as effective as those inside it.

I chose to protect the password field with a phishmark because, well, protecting passwords from phishing is a good idea. :-)  Besides the obvious, the password field can be littered with other graphics with fewer problems than other UI components because it only displays how many characters were typed.

Here is the version using phishmarked password field: 

The background shows a muted 2D fractal landscape that is specific to the user.  The landscape changes over time at a frequency set by either the user or the IT department.  The phishmark is not displayed if the password field is on a page that does not originate from the legitimate site; there are many ways to implement that check.  BTW, this is a patent-heavy minefield, so be careful where you step.

The background could also be site-specific, but I think a separate site-and-user-specific graphic selected by the user should be overlaid on the user-specific background.  For example, Orkut could let the user select a memorable character out of a random selection (i.e. Yamaguchi-like characters) and map it to the user using one of several (possibly patented) techniques.

This is how it would look after the user typed the password.

Anyhow, if you need help with phishmarking or phishing in general, let me know (click on my picture).  Despite all the entrepreneurial activities, I am also a consultant in a rather embarrassingly wide range of technologies, security and UI among them.


Update:

Please read the post about PassMark patent that could affect phishmarks.

CodeSmith 2.5

If you are a .NET developer, you will be interested to know that CodeSmith 2.5 is hot off the grill with the following changes:

  • Full blown IDE for editing templates.
  • Tons of improvements to CodeSmith Explorer.
  • New help content to help get you started.
  • It should now be possible to run CodeSmith as a non-Administrator user.
  • Dramatically improved compiler performance on templates.
  • Lots of new sample templates and applications.
  • Schema Explorer now provides access to even more schema information including extended properties.
  • Too many other minor enhancements and bug fixes to list.

I am installing right this moment.

Longhorn Aero UI Sampler

I just ran across this nice set of Longhorn UI related articles, officially titled Aero User Experience Guidelines: Sampler for PDC 2003.  Links to the meat are under the What's Inside? heading.  Some good ideas, some questionable, but all good looking.  I am starting to get a little sick of all the gradients though, and the huge title bar seems wasteful.  I wonder what usability tests caused them to make the title bar so much bigger?

IMAP and DOCTYPE

Two interesting posts from Omar Shahine.

He discusses IMAP client development issues he encountered while implementing IMAP support in Microsoft's Entourage (?) and has this to say about Thunderbird (Mozilla's e-mail client, still in development):

Thunderbird is an almost perfect IMAP client for Windows. If you use IMAP, this is the product for you.

He also points to a nice table showing the effect of HTML DOCTYPE settings on the CSS box model (read: layout depends on DOCTYPE).

Blacklist Alert Service

A banker from downunder and a wee to the right just informed me that he can't read my blog because WebSense, used by his bank, is blocking the Docuverse domain.  I know where to go for a regular checkup of my credit rating.   Where can I go to find out whether I am on blacklists, and how can I get myself off them?  Is there a notification service and a correction procedure for blacklists?  If not, I think there is a need for such a service, so I'll help in putting one together.

Invitation to Speak Your Mind

As the dictator of this blog, I need your input, suggestions and criticisms alike, so I can improve the blog.  So tell me what you like or don't like about my blog.  I know I need a shave, but the damn thing keeps growing, so don't bother with comments about my beard.  Love confessions and blatant admiration or disgust are welcome as well.  If you are a hacker, I would love to hear what you think also.

Secure UI: Phishmarking

This post describes variations of an idea that reduce the vulnerability discussed in the Visual Spoofing and Visual Illusions posts.

Below is an example of a phishing attempt using the visual spoofing technique (click through to see it fully).  It shows a browser window containing an image of an Explorer window and a fake HTML form inside a DIV section.  While wary, experienced users will catch on to what is going on, naive users are not likely to.

The idea of phishmarking is to introduce features to the UI that clearly distinguish the real UI from the fake UI.  The appearance of the feature should vary depending on who (user), when (time), and possibly what (site).  A site-dependent feature is a big topic, so I'll discuss it in future posts.

When I came up with the idea of phishmarking, I was thinking about tigers, so I originally thought of using tigerprint-like patterns embossed into the background of UI components like toolbars and title bars.  Other patterns will work just as well, as long as the pattern is not a simple geometric shape and has some random elements to it.  I call these patterns phishmarks.

Note that phishmarks don't have to be present on the UI all the time, as long as a phishmark appears briefly within the time frame it typically takes to be fooled by a fake UI.  In fact, I recommend a brief display of an animated (to draw attention) phishmark over a static phishmark, which could clutter up the UI.

A simple, easily implemented form of phishmarking is changing UI colors.  But this technique is not as effective as using animated phishmarks, as you can see for yourself in the following screenshot.  It's the same as the screenshot above except that I have changed the UI theme from the default blue XP theme to the silver XP theme.

In this example, the color change was not drastic enough to cancel the illusion created by the fake UI and the power of branding (logo, graphics, layout).  Making more drastic color changes is possible, but not without affecting aesthetics negatively.  More research is needed in this area to find the right balance between protection against phishing and aesthetics.

I have other ideas related to visual spoofing and visual security and will post them in the near future under the Secure UI series.  Stay tuned.

See Also: Visual Spoofing, Visual Illusions

Update:

Please read the post about PassMark patent that could affect phishmarks.