
Simple Authentication Scheme Cuts Phishing, Password Theft

Police crime scene tape (Michael Melchiorre/Flickr)

Computer scientists at Royal Holloway in the U.K., a part of the University of London, developed a method for verifying the identity of computer users when logging on to password-protected Web sites that reduces the opportunities for stealing user credentials. Royal Holloway professor Chris Mitchell and researcher Haitham Al-Sinani, in the university’s Information Security Group, describe an earlier version of their system in a paper given at a European workshop on Public Key Infrastructure in Belgium last year.

A growing security problem for computer users is phishing, where cyber thieves set up fake Web sites that resemble legitimate ones and lure unsuspecting visitors into disclosing login details as well as personal or financial information. In its latest transparency report, Google identified more than 31,000 phishing sites in August 2013, a 50 percent increase over the same month last year. Royal Holloway says online password theft jumped by 300 percent during 2012 and 2013.

The most common approach to authenticating Web site visitors is the user name and password, which has become increasingly problematic. Mitchell notes that some corporate sites have been able to bolster their security and in the case of some online banking services, offer individual consumers better sign-on protections. “The hope is that our technology,” says Mitchell, “will finally make it possible to provide more sophisticated technology to protect all internet users.”

That technology, now called Uni-IDM, creates a virtual identity card for each Web site the visitor is authorized to access. The login credentials are stored on the user’s own computer and are transmitted to the Web site only when the user clicks the corresponding virtual card. When users receive e-mail messages with links to a Web site, whether genuine or spoofed, they can ignore the links and instead click the virtual identity card, which carries proven, safe login credentials, to gain access.

The virtual cards come in two types: a local credential card holding the username and password, or a card that points to a remote credential-issuing party, such as an OpenID provider. The idea of virtual ID cards is not new; the authors acknowledge borrowing it from earlier work such as Microsoft’s Windows CardSpace and the Higgins Personal Data Service, but those services, they say, support only one set of protocols for Web interactions.
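The security property behind the card-per-site design is that a card is bound to one site and its credentials are released only to that site, so a spoofed e-mail link to a look-alike host gets nothing. The following is an added Python illustration of that binding, not code from the Uni-IDM prototype or from Mitchell and Al-Sinani's paper. It assumes a card is bound to a normalized origin (scheme, host and port), which is this example's modelling choice; the hostnames, usernames, passwords and OpenID-style identifiers are constructed sample values.

```python
"""Origin-bound virtual identity cards: an added illustration, not Uni-IDM code.

Models the behaviour described above: each card belongs to exactly one site,
credentials stay on the user's machine, and they are released only when the
page the browser is actually on has the same origin as the card. A link in a
spoofed e-mail that leads to a look-alike host therefore never receives them.
All hostnames, URLs and credentials here are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union
from urllib.parse import urlsplit


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to 'https://host:port', the only thing a card is bound to.

    Returns None for non-https URLs or unparsable ports, so a card can never
    be released over plaintext or to a URL the parser could not understand.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        port = parts.port or 443
    except ValueError:  # e.g. a non-numeric port
        return None
    # .hostname is already lower-cased and stripped of userinfo, so a
    # deceptive 'https://bank.example.com@evil.example/' resolves to
    # evil.example, which is exactly what the binding must compare against.
    host = parts.hostname.rstrip(".")
    return f"https://{host}:{port}"


@dataclass(frozen=True)
class LocalCard:
    """Card holding a username/password kept on the user's computer."""
    origin: str
    username: str
    password: str


@dataclass(frozen=True)
class RemoteCard:
    """Card pointing at a remote credential issuer, e.g. an OpenID provider."""
    origin: str
    issuer: str       # the identity provider's origin (constructed)
    identifier: str   # the user's identifier at that provider (constructed)


Card = Union[LocalCard, RemoteCard]


class CardStore:
    """The user's local collection of cards, keyed by site origin."""

    def __init__(self) -> None:
        self._cards: Dict[str, Card] = {}

    def add(self, card: Card) -> None:
        self._cards[card.origin] = card

    def card_for(self, page_url: str) -> Optional[Card]:
        """Card the user can click while viewing page_url, if any."""
        origin = origin_of(page_url)
        return None if origin is None else self._cards.get(origin)


def release_credentials(page_url: str, card: Card) -> Optional[dict]:
    """Simulate clicking `card` while the browser is at `page_url`.

    Nothing leaves the store unless the page origin equals the card origin.
    That is the property that makes a spoofed e-mail link harmless: the
    look-alike site is a different origin, so the click yields None.
    """
    if origin_of(page_url) != card.origin:
        return None
    if isinstance(card, LocalCard):
        return {"type": "local", "username": card.username,
                "password": card.password}
    return {"type": "remote", "issuer": card.issuer,
            "identifier": card.identifier}


def build_sample_store() -> CardStore:
    """Two constructed cards: one local, one pointing at a remote issuer."""
    store = CardStore()
    store.add(LocalCard("https://bank.example.com:443", "alice", "s3cret"))
    store.add(RemoteCard("https://forum.example.org:443",
                         "https://openid.example.net:443", "alice.example"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    bank_card = store.card_for("https://bank.example.com/login")
    for url in ("https://bank.example.com/login",
                "https://bank.example.com.evil.example/login",
                "https://bank.example.com@evil.example/login",
                "http://bank.example.com/login"):
        print(url, "->", release_credentials(url, bank_card))
```

The comparison is made on the parsed origin of the page the browser is actually showing, never on the text of the link the user clicked, which is why neither a look-alike subdomain nor a userinfo-prefixed URL can coax the card into releasing its credentials.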

Uni-IDM, on the other hand, provides an architecture that supports multiple digital identities and identity management schemes. In their paper, Mitchell and Al-Sinani say the architecture is designed to be platform independent, able to run on Windows, Unix, Mac, and smartphone-based platforms. As of late last year, the authors reported having a partial Windows-based prototype in operation.

Mitchell believes Uni-IDM should help people going online for government services, such as tax and benefits claims transactions. The need for a more secure way to conduct these transactions is underscored by a Federal Trade Commission report that nearly half (46%) of the identity theft complaints it received in 2012 involved government documents and benefits fraud.


Photo: Michael Melchiorre/Flickr
