Don’t Get Hooked by a Phish

We’ve all had them, emails supposedly from our bank, or an alert from PayPal, perhaps a purported update from Amazon, they sometimes look seriously suspicious, other times you might not be so sure. The grammar and spelling are rarely perfect, they address you as “Dear Subscriber” rather than by name and the worst of all are those that claim to have been sent from your own email address and yet ask you to login to confirm your details, username, password, social security number etc. If you ever clicked one of the dodgy links in these emails then you may have been phished – hook, line and virtual sinker!

Modern web browsers and email programs have some level of phishing protection, but it’s never perfect. You may even have installed plugins such asNoScript and Web of Trust to protect yourself in case you attempted to open a phishing link in error. But, phishers of men, women and children are very wily, they find ways and means, you have to use protection, you have to take precautions…

A research team from Greece and India has now assessed the various phishing protection measures, highlighted the pros and cons of each and devised their own solution to this growing problem in the form of what they refer to as the Password-Transaction Secure Window (PTSW). PTSW is, apparently, a cheap and efficient protection against password phishing and so-called transaction attacks in which the attack occurs after you login to a legitimate site.

 

The PTSW system provides security against password and transaction attacks by using three protective measures: It uses a virtual keyboard rather than the physical keyboard, which is vulnerable to key-loggers. It uses a security question. Thirdly it has a “key”, an image chosen by the user at setup.

The process involves several additional steps not seen with a conventional login:

1 User enters username.
2 Server responds with security question
3 User inputs the answer
4 Server sends user’s key
5 User confirms key and enters password
6 Server gives user access to the site

Such a security system may seem cumbersome but it is no more so than the kinds of logins required by many banks these days. If it were implemented and all users educated as to its presence on the financial and other sites they use, then there would be no risk of a transaction attack or their being phished. The researchers point out that the PTSW system also protects the site itself from hackers attempting to login with stolen or false credentials.

To be honest, I cannot see how this will ever work. Technically illiterate users and even those who think of themselves as being tech savvy are not going to know that they should see the special dialog boxes that PTSW presents. Kanellopoulos told Sciencetext that, “The PTSW is a simple solution that can be adopted widely and may become in the future a “standard” for website’s authentication.” That’s as may be, but there are so many different types of site around the world, how could anything like this ever become the standard that everyone knows about?

He adds that, “After the user enters his username, a passowrd transaction secure window (PTSW) must be appeared where user’s and website’s authentication will be completed. If a PTSW will not appear, then the authentication of the website cannot be completed and the user must not enter his password. That means that various websites that do not adopt the PTSW solution must be faced potentially as illegimate.” But, that does not sound like any kind of solution it would simply mean that millions of people and thousands of sites would be strangers to each other…I’m yet to be convinced.

 

Dharmendra Choukse, Umesh Kumar Singh, & Dimitris Kanellopoulos (2011). An intelligent anti-phishing solution:
password-transaction secure window Int. J. Internet Technology and Secured Transactions, 3 (3), 279-292

This article has been reproduced from Sciencetext technology website. Copyright David Bradley.

 

 

© 2017 – 2016, City Connect News. Copyright Notice & Disclaimer are below.

Related articles:

About David Bradley Science Writer

David Bradley has worked in science communication for more than twenty years. After reading chemistry at university, he worked and travelled in the USA, did a stint in a QA/QC lab and then took on a role as a technical editor for the Royal Society of Chemistry. Then, following an extended trip to Australia, he returned and began contributing as a freelance to the likes of New Scientist and various trade magazines. He has been growing his portfolio and and has constructed the Sciencebase Science News and the Sciencetext technology website. He also runs the SciScoop Science Forum which is open to guest contributors on scientific topics.
Tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.