5

What is your suggested solution for the threat of website UI spoofing?

Assaf Lavie

6 Answers

5

By definition any solution that relies on the site showing you personalised information once you've logged in is ineffective against phishers. If you've attempted to login, they've already succeeded!

FWIW, I don't yet know the real answer, maybe this question will throw up some good ideas. I am however professionally involved in research into phishing, bad domain registrations, etc.

I don't believe there's any significant technical solution that web site developers can implement. Again, by definition, if your users arrive at a phishing site you're no longer in control.

This is why all current anti-phishing technologies reside in the browser, and not in the phished site.

Alnitak
  • No, that just means it's indeed an effective measure against phishing for sites you already have an account with. That's a big part of the solution. The fact that it doesn't solve the pre-login phase doesn't say anything about its effectiveness afterwards. – Assaf Lavie Dec 05 '08 at 18:42
1

The key to this problem is identifying some difference between a request to the real site and a request to the spoof site.

The simplest difference is some cookie-based UI preference. A cookie set on your (real) site will only ever be returned to your site, and will never be sent to a spoof site.

Now there are plenty of reasons that the valid cookie might not be sent to your site, the user might be using a different computer or they might have expired/deleted cookies, but at least you can guarantee that it won't be sent to the spoof site.

Gareth
  • The problem with this is the so-called "downgrade attack". How can the user tell the difference between a phishing site, and a real site that for whatever reason is unable to send the required cookie. – Alnitak Dec 05 '08 at 18:42
  • 1
    The same way they would ever know - by looking at the URL. The point would be that without the customised UI they'd be wary of entering their credentials – Gareth Dec 05 '08 at 18:57
  • In any case -- as a website -- the only real information you can guarantee is only sent to your site is something cookie-based – Gareth Dec 05 '08 at 19:03
  • Thanks, the rook. Let me (and other readers) know what you would improve about it :) – Gareth Jun 20 '10 at 21:31
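The cookie-scoped preference Gareth describes, and the downgrade case Alnitak raises in the comments, worked through as an added example (not code from the answer or from any site it mentions). The signing key, the `ui_pref` cookie name, the host `bank.example` and the look-alike host `bank-example.test` are all constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-deploy"
COOKIE_NAME = "ui_pref"
DEFAULT_PREF = "default"

def _sign(value, key):
    """HMAC tag so a client cannot forge a preference the site never issued."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")

def set_cookie_header(pref, key=SERVER_KEY):
    """Set-Cookie value the real site issues when the user picks a UI preference.
    Secure/HttpOnly/SameSite keep it off plaintext links and out of page scripts."""
    return (f"{COOKIE_NAME}={pref}.{_sign(pref, key)}; Path=/; Max-Age=31536000; "
            "Secure; HttpOnly; SameSite=Lax")

def resolve_pref(cookie_header, key=SERVER_KEY):
    """Preference from a validly signed cookie, else DEFAULT_PREF. Absent, expired
    and tampered cookies all collapse to the default: the server cannot tell a
    fresh browser from a stripped cookie, which is the downgrade problem."""
    if not cookie_header:
        return DEFAULT_PREF
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and "." in value:
            pref, sig = value.rsplit(".", 1)
            if hmac.compare_digest(sig.encode(), _sign(pref, key).encode()):
                return pref
    return DEFAULT_PREF

class BrowserJar:
    """Minimal model of browser cookie scoping: a cookie is keyed by the host that
    set it and attached only to requests for that same host."""
    def __init__(self):
        self._by_host = {}
    def store(self, host, set_cookie):
        self._by_host.setdefault(host, []).append(set_cookie.split(";", 1)[0])
    def cookie_header_for(self, host):
        items = self._by_host.get(host)
        return "; ".join(items) if items else None

def walkthrough():
    # Real site sets the cookie; the look-alike host never receives it, so a spoof
    # page cannot reproduce the user's preference. A fresh browser sees the default.
    jar = BrowserJar()
    jar.store("bank.example", set_cookie_header("green"))
    return {"real_site_sees": resolve_pref(jar.cookie_header_for("bank.example")),
            "spoof_site_receives": jar.cookie_header_for("bank-example.test"),
            "fresh_browser_sees": resolve_pref(None)}
```

Note that `real_site_sees` and `fresh_browser_sees` differ only because the cookie is present; a user who has lost the cookie gets exactly what a spoof would show, which is why the answer still falls back on checking the URL.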
1

I think the only answer here is to program better people.

Doing things like customizing the appearance or uploading an image only work if the user in question actually recognizes when these things are wrong. I think the majority of users would never recognize these things except for sites they visit a lot. Even if they did, they may attribute it to a change in website design and not a phish.

Flory
0

One solution is to customize the web site per user. Spoofing only works when users have basically the same view of the website (one spoof - many victims). So if, for example, eBay would let you configure a custom background color, you should be able to notice that the page you're viewing is some spoof (that won't know your choice of color). A real solution is a bit more complex (like maybe a secret keyword configured in the browser that only the browser can render within password controls or into the url bar, etc.), but the idea is the same.

Customize the UI per user so spoofing (which relies on most users expecting to see basically the same UI) stops working. It can be a browser based solution, or something web sites offer to their users (some already do).

Assaf Lavie
  • personal customisation is no good - a real site doesn't know who you are until you're logged in, so a phisher pretending to be them would already have your credentials. – Alnitak Dec 05 '08 at 18:24
-1

I've seen some sites that let you select a "personal" icon. Whenever you log in, that icon is displayed as proof that you are on their site.

AaronS
  • 1
    The spoof site could easily take your login details and collect the *correct* personal icon from the real site and display it to you – Gareth Dec 05 '08 at 18:27
-1
  • You can ask a question when the user logs in (a question that the user has written, together with the answer).

  • You can display a picture after the login that the user has uploaded; if the user doesn't see his picture (private, so that only he could see it) then it's not the real website.

Patrick Desjardins
  • These solutions still rely on you entering your credentials before you get confirmation that you're on the right site. – Gareth Dec 05 '08 at 18:29
  • ok, where is it written in the question that it is required to be before? – Patrick Desjardins Dec 05 '08 at 18:36
  • @Daok: The `phishing` part of the title (subtle, isn't it?) - the whole point of phishing is to collect credentials by pretending to be a legit site, right? – Ken Gentle Dec 05 '08 at 18:40
  • well, if you have this mechanism that I describe, you know whether you got phished or not and can take some action to stop it. Right? – Patrick Desjardins Dec 05 '08 at 19:32
  • 1
    But it'll be too late. By then the botnetwork owned by the phishers might already have changed passwords, wired funds, etc. – Jilles Jan 10 '09 at 14:27