Phishing Forbidden

by Naveen Agarwal, Scott Renfro, and Arturo Bejar, Yahoo!
Current anti-phishing technologies prevent users from taking the bait. A security team from Yahoo! looks at the state of the art in anti-phishing technologies.

Sign-in Seal

Phishing is a significant risk facing Internet users today.1,2 Through e-mails or instant messages, users are led to counterfeit Web sites designed to trick them into divulging usernames, passwords, account numbers, and personal information. It is up to the user to ensure the authenticity of the Web site.

Browsers provide some tools (e.g., URL, SSL indicators, and optional toolbars), but these are limited by at least three issues:

  • Users do not know which indicators are trustworthy.
  • The browser indicators can be easily spoofed (e.g., by including them in the page or painting over them with chromeless windows).
  • Users do not look outside their primary areas of interest. Internal eye-tracking studies done by Yahoo! on login pages showed that users see only the small rectangle bounding the username and password fields of the page. One approach to overcoming this problem is to educate users to look outside their existing comfort zone and examine existing browser indicators. Another approach, which is used by the Yahoo! sign-in seal, is to place a reliable indicator within the area users already see.

Overview of the Sign-in Seal

The Yahoo! sign-in seal is a feature that allows users to personalize a sign-in page with an image of their choice.3,4 Unlike the Passmark SiteKey used by Bank of America,5 the personalization is tied to the browser/computer and not to a specific user account. This is a critical distinction that gives the two solutions quite different properties.

When signing in to Yahoo!, users who have not already personalized their sign-in page receive a CTA (call to action) prompting them to do so. This appears in the form of an image titled "prevent password theft" adjacent to the login fields of the sign-in page.

The user can create a sign-in seal from either an uploaded image or text the user provides. The text background and border colors are randomly selected, although the user has the option to change the color. If the user chooses to upload an image, it is resized in preparation for storage; if the user chooses to enter text, an image is created from the provided text. The prepared image is stored on Yahoo!'s image servers where it receives a unique ID. The image can be accessed only with a valid token that is time-limited and protected by a secret shared between the login and image servers.

After the image is stored, it is displayed in preview form. The user can make additional changes, then save it. This seal is specific to the computer being used and is not associated with the user's account. As a result, this computer's sign-in seal does not appear on other computers, unless a user happens to set up an identical-appearing seal - even then, the two seals, though they appear to be identical, would be unrelated.

Since it may not be obvious that a seal is specific to a particular computer, the user is reminded while saving the seal that it is set up only on the current computer and that the user must create seals for other computers. Yahoo! saves the encrypted unique ID in a cookie that lets the login servers later generate an image URL that contains a valid token. This image URL is embedded in the sign-in page, causing the image to be fetched from the image servers. Because a user may clear cookies without intending to, thus removing the sign-in seal, Yahoo! also caches that information via other mechanisms available in the browser (e.g., Flash Shared Object, Internet Explorer Persistent User Data6). This cached information is used to display the sign-in seal only when cookies are missing. There is a way for users to remove their seals through the setup page. Although it's possible for these caches to get out of sync, they are not frequently used; thus, syncing them periodically is usually sufficient.

The user is then taken to a sign-in page where the seal is displayed prominently inside the login box. At any time in the future, someone using that same browser/computer can change the sign-in seal.
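The token flow described above (a seal image that can only be fetched with a time-limited token protected by a secret shared between the login and image servers) can be modelled in a few lines. The following is an added example, not Yahoo!'s code, and it assumes an HMAC over the seal ID and expiry time as the protection mechanism, a 300-second lifetime, a placeholder shared secret and a hypothetical image-server host; the article states only that the token is time-limited and secret-protected, not how it is constructed.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder for the secret shared by the login and image servers.
SHARED_SECRET = b"example-shared-secret-not-for-production"
# Assumed lifetime; the article only says the token is "time-limited".
TOKEN_TTL_SECONDS = 300
# Hypothetical image-server host used for the generated URL.
IMAGE_HOST = "https://images.example.invalid/seal"


def _mac(seal_id: str, expires: int) -> str:
    """HMAC-SHA256 over the seal ID and expiry so neither can be altered."""
    msg = f"{seal_id}|{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def make_seal_url(seal_id: str, now: Optional[int] = None) -> str:
    """Login server side: the seal ID recovered from the user's cookie is
    turned into an image URL carrying a token that expires after the TTL."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    query = urlencode({"id": seal_id, "exp": expires, "tok": _mac(seal_id, expires)})
    return f"{IMAGE_HOST}?{query}"


def verify_seal_request(url: str, now: Optional[int] = None) -> Optional[str]:
    """Image server side: return the seal ID to serve if the request carries a
    well-formed, unexpired and authentic token; return None otherwise, so a
    guessed or replayed URL never yields another computer's seal."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        seal_id = params["id"][0]
        expires = int(params["exp"][0])
        token = params["tok"][0]
    except (KeyError, IndexError, ValueError):
        return None  # missing or malformed parameters
    if now > expires:
        return None  # token lifetime exceeded
    # Constant-time comparison avoids leaking the MAC through timing.
    if not hmac.compare_digest(_mac(seal_id, expires), token):
        return None
    return seal_id


if __name__ == "__main__":
    url = make_seal_url("seal-0001")
    print(url)
    print(verify_seal_request(url))  # the seal ID while the token is fresh
```

The expiry is included under the MAC, so a client cannot extend a token's lifetime by editing the `exp` parameter, and the image server needs no per-request state beyond the shared secret and a reasonably synchronized clock.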

ACM Queue vol. 5, no. 5 - July/August 2007