Visual cues may stymie phishers

Green Armor has developed a way to generate a unique visual cue for each Web site visitor that learns - consciously or subconsciously - to associate with the genuine site. The company's Identity Cues technology, developed by CEO Joseph Steinberg, a security specialist, and his wife Shira Steinberg, company president and a psychologist specializing in learning, stands out for its simplicity: Customers don't have to register or download anything, there is no customer database to maintain, and it doesn't need cookies.

Data security breaches are becoming weekly news events, the latest involving the theft of credit card account data from CardSystems Solutions.

While storage encryption and other technologies will ultimately help protect against such breaches, security is an imperfect science so it will be impossible to eradicate the problem. Nevertheless, it isn't likely that this type of theft will result in people cutting up their credit cards.

Phishing, on the other hand, is more nefarious. While the goal is mostly the same - to purloin financial account information - the ramifications are more profound: Phishing could undermine confidence in the e-commerce systems that companies use to great economic advantage.

The high stakes have led to a boatload of technical solutions designed to ensure consumers that they are dealing with e-mail and Web sites of legitimate organizations, not forgeries designed to bilk them of personal data.

These solutions range from complex e-mail authentication schemes to the boldly simple, such as technology just released by start-up Green Armor Solutions . Green Armor has developed a way to generate a unique visual cue for each Web site visitor who learns - consciously or subconsciously - to associate the cue with the genuine site.

The company's Identity Cues technology, developed by CEO Joseph Steinberg, a security specialist, and Shira Rubinoff, company president and a psychologist specializing in learning, stands out for its simplicity: Customers don't have to register or download anything, there is no customer database to maintain, and it doesn't need cookies.

Here's how it works. When a customer logs on correctly, the process generates a visual cue, such as a small yellow box under the logon block with the word "wet" in blue letters.

"The cue is being generated mathematically using a one- way hash function and a secret key, meaning this user will always see the same cue but other users will see different cues," he says. "A phony site wouldn't be able to generate the proper cue, so the user would know something is wrong."

This is where the psychology comes in: "Cues that are chosen are visual cues, color cues that are stored in long-term memory,"she says. "The cues aren't something you have to try to remember. You will recognize them. It's based on humanistic learning."

If a phony site popped up a wrong cue, untrained users "will recognize that something is different and pause, and that would eliminate a large percentage of fraud," Shira says.

The software, which lists for $20,000 per server, is coded in C and can be deployed directly on Web servers.

Sometimes the easiest answers are the best.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies