SiteKey tries to counter phishing

* How SiteKey's anti-phishing method works

The Anti-Phishing Working Group (APWG) continues to publish its regular reports on phishing, the practice of sending potential victims misleading e-mail messages directing them to fraudulent Web sites that look like official Web pages, usually for financial institutions such as PayPal or e-commerce sites such as eBay.

The APWG Phishing Trends Activity Report for December 2006 is full of startling details. For example, did you know that in December, there were 23,787 unique phishing reports to the group? That there were 28,531 unique sites involving 146 unique brands hijacked by criminals (of which 16 comprised the top 80%)? Another interesting result was the graph on the top 10 countries hosting phishing sites: No. 1 was the U.S. (25%), followed by the Republic of (South) Korea (16%) and then China (14%) for a total of about 55% of all the sites in the world.

I performed a simple parametric linear regression of phishing reports against month; the growth in the period studied was about 888 additional reports per month, and the regression was statistically significant (the F-test with [1,11] degrees of freedom for the analysis of variance was 19.035, p = 0.0011).

Recently I ran into an interesting anti-phishing method that can be applied to any Web site. The method came to my attention when my old MBNA Visa card was transferred to Bank of America (BoA). When I signed up for online payments of my Visa bills (I hate sending paper checks by mail), I had to go through a novel registration process involving something called a SiteKey.

It seems that in mid 2005, BoA announced that it would use SiteKey in the hope of reducing the effectiveness of phishing attacks. Basically, SiteKey tries to authenticate a Web site to the user.

The method starts by having the user register as one would expect, with user identification and user authentication codes. However, SiteKey then presents the user with a large number of possible images in many categories (animals, sports and so on) from which the user chooses a memorable picture.

The user then attaches a presumably unique label to the picture - a label that helps the user recognize the picture in future visits to the Web site. The picture is flashed on the screen as a function of a secure cookie stored on the specific computer registered by the user for primary use with the account.

The user does not authenticate to the Web site unless the picture and label match their recollection of what they chose during registration. Lacking knowledge of the particular picture and label corresponding with a specific computer, a criminal setting up a phishing site would be unable to tailor the fraudulent Web page to the individual visiting it, thus alerting the visitor that (s)he was in fact not on the real BoA Web site.
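The registration and recognition steps described above, as an added Python simulation of the server side (this is illustrative code written for this page, not Bank of America's or SiteKey's implementation). The page does not say how the "secure cookie" is constructed, so the example assumes one design: a random per-device identifier bound to the account with a server-side HMAC, and a password stored as a salted PBKDF2 hash. The account names, image identifier, and label are constructed sample values. The point the code makes is the one the column makes: the image and label are only returned when the registered cookie accompanies the user name, so a page that never received that cookie cannot show them, and the user's check (`user_should_proceed`) fails before any password is typed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    image_id: str      # the picture the user picked at registration
    label: str         # the memorable label the user attached to it
    device_ids: set = field(default_factory=set)  # devices enrolled for this account


class SiteKeyServer:
    """Toy server for the three-step flow: user name + cookie -> image/label -> password."""

    def __init__(self):
        self._accounts = {}
        # Server-side secret used to tag device cookies (assumption, not from the page).
        self._cookie_key = secrets.token_bytes(32)

    def register(self, username, password, image_id, label):
        """Registration: credentials, chosen picture and label; returns the cookie for this device."""
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = Account(username, pw_hash, salt, image_id, label)
        return self.enroll_device(username)

    def enroll_device(self, username):
        """Issue a cookie of the form <device_id>.<hmac_tag> bound to this user name."""
        device_id = secrets.token_hex(16)
        tag = self._tag(username, device_id)
        self._accounts[username].device_ids.add(device_id)
        return f"{device_id}.{tag}"

    def _tag(self, username, device_id):
        return hmac.new(self._cookie_key, f"{username}:{device_id}".encode(), "sha256").hexdigest()

    def sitekey_for(self, username, cookie):
        """Step 1: return (image_id, label) only if the cookie is valid for this user, else None."""
        acct = self._accounts.get(username)
        if acct is None or not cookie or "." not in cookie:
            return None
        device_id, tag = cookie.split(".", 1)
        # Constant-time comparison of the presented tag against the expected one.
        if not hmac.compare_digest(tag, self._tag(username, device_id)):
            return None
        if device_id not in acct.device_ids:
            return None
        return acct.image_id, acct.label

    def verify_password(self, username, password):
        """Step 3: the password is only requested after the user recognised the SiteKey."""
        acct = self._accounts.get(username)
        if acct is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
        return hmac.compare_digest(candidate, acct.password_hash)


def user_should_proceed(shown, remembered):
    """Step 2, the user's side: type the password only if the page shows the expected picture and label."""
    return shown is not None and shown == remembered


def login_flow(server, username, cookie, remembered, password):
    """Run the whole exchange and report where it stopped."""
    shown = server.sitekey_for(username, cookie)
    if not user_should_proceed(shown, remembered):
        return "stopped: SiteKey not recognised, password withheld"
    if not server.verify_password(username, password):
        return "rejected: bad password"
    return "authenticated"


if __name__ == "__main__":
    srv = SiteKeyServer()
    # Constructed sample registration.
    cookie = srv.register("alice", "correct horse battery", "img_0042", "blue heron")
    remembered = ("img_0042", "blue heron")
    print(login_flow(srv, "alice", cookie, remembered, "correct horse battery"))
    # A page at another domain never receives the cookie, so it has nothing to show.
    print(login_flow(srv, "alice", None, remembered, "correct horse battery"))
```

Two behaviours are worth noting when running it: a cookie issued for one account is rejected when presented with another user name (the HMAC covers the user name), and a syntactically valid cookie with a forged tag is rejected before the device list is consulted.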

In my next column, I’ll summarize some problems with SiteKey.

Copyright © 2007 IDG Communications, Inc.
