Dynamic Security Skins

July 8, 2005 by Ping

This paper proposes a scheme called Dynamic Security Skins to combat phishing.

Rachna calls phishing the “ultimate SOUPS problem”: phishers and security designers battle in the user interface, attacks evolve rapidly, and it is a real-world problem. Phishers iterate rapidly on HCI designs, exactly as we are taught to do in HCI, to discover the best ways to exploit human limitations.

The technique here is a proposed solution to phishing that involves changes to both the browser and the server. There are two parts:

  1. The user chooses a personal image to be used as the background for login forms.
  2. The user compares a pattern in the login form to a pattern displayed in the page border to verify that the connection is encrypted.

The talk compared DSS to the SiteKey and Petname schemes. SiteKey requires the user to select a secret image, which is shared with the server. The Petname toolbar requires the user to assign a label to the site, which is stored only locally.

The concern raised about SiteKey is that, because the secret image is transmitted to the server, it is exposed to attack. The concern raised about both schemes is that they require the user to perform customization. However, I’m doubtful that user customization can be entirely avoided.

I think part 1 of this scheme is a good idea. As long as the personal image is chosen by the user and stored only locally, this is a decent way of establishing a trusted path.

My main issue with DSS is part 2. The matching patterns show that the connection is encrypted, but they don’t tell you anything about who you are talking to. That leaves you just as vulnerable to impersonation as today’s phishing attacks do.

There were a couple of audience questions about whether users or companies would have objections to a tool that alters the appearance of sites. Marketers might complain that it interferes with branding, for example. I think there’s a worthwhile general question to be addressed about how to come up with solutions that are acceptable to the companies that have to implement them (banks, browser vendors, and possibly Internet service providers) as well as the users. It’s tough to satisfy everybody.