Researchers from the Royal Holloway University have developed a prototype app that can help protect users against phishing attacks.
The Uni-IDM system addresses one of the biggest weaknesses in IT security – the password-based login – by giving the user an additional interface that manages the authentication process and verifies whether the website is genuine or not.
“This is done in a way that is completely transparent to the website; the website does not have to be aware the app is being used,” said the project’s originator, Professor Chris Mitchell from Royal Holloway’s Information Security Group.
“If the user is using a password to log on, then the app can remember the password and automatically supply it. Alternatively, if the user uses Google or Facebook to log on to the website – using either OpenID or OAuth – then the app can manage that process too, reducing the risks associated with these tools.”
Either way, the user always works through the same interface, which makes it harder to be tricked by phishing scams that imitate a trusted website in order to obtain the user's login information.
The software-based tool, stored on the user’s computer, smartphone or tablet, creates an electronic identity card for each website the user accesses, and that card is recalled every time the user wants to log back into the site.
“The cards are purely electronic; they are a combination of software and data on a user device. The notion of a card is an analogy for the user, to offer a convenient way to handle a combination of information about a particular website and credentials for that site,” Professor Mitchell explained.
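The mechanism described above (a per-site card, recalled only for the site it was issued for) is what removes the user from the decision "is this the real site?". The article does not say how Uni-IDM itself verifies that a website is genuine, so the following added example, which is not Uni-IDM's code, models that check in the simplest defensible way: a card is bound to the exact HTTPS origin it was enrolled for, and a lookup from any other origin (a lookalike domain, a plain-HTTP copy, or a URL that hides the real host behind user-info) returns no card at all. The `IdentityCard` and `CardStore` names and all credential values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str]  # (scheme, host)


@dataclass(frozen=True)
class IdentityCard:
    """One per-site 'card': the origin it was issued for plus the credential.
    The field names are hypothetical; the article only says a card combines
    information about a site with the credentials for that site."""
    scheme: str
    host: str
    method: str      # "password", or "openid"/"oauth" when a provider is used
    username: str
    secret: str      # stored password or provider token (constructed sample)


def canonical_origin(url: str) -> Optional[Origin]:
    """Reduce a URL to (scheme, host).  Anything that is not https, or that
    has no host, yields None, so no card can ever match it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    # .hostname already strips user-info and port and lower-cases the host;
    # a trailing dot (FQDN form) is also normalised away.
    host = parts.hostname.rstrip(".")
    return ("https", host)


class CardStore:
    """Keeps cards keyed by origin.  The lookup is an exact match: there is
    no 'closest' card, which is exactly what defeats lookalike domains."""

    def __init__(self) -> None:
        self._cards: Dict[Origin, IdentityCard] = {}

    def enrol(self, url: str, method: str, username: str, secret: str) -> IdentityCard:
        origin = canonical_origin(url)
        if origin is None:
            raise ValueError("cards are only issued for https sites")
        card = IdentityCard(origin[0], origin[1], method, username, secret)
        self._cards[origin] = card
        return card

    def card_for(self, url: str) -> Optional[IdentityCard]:
        """Return the card for this URL's origin, or None if no exact match."""
        origin = canonical_origin(url)
        if origin is None:
            return None
        return self._cards.get(origin)


def build_demo_store() -> CardStore:
    """Constructed sample: one password card and one OAuth card."""
    store = CardStore()
    store.enrol("https://bank.example/login", "password", "alice", "correct-horse")
    store.enrol("https://shop.example/signin", "oauth", "alice@mail.example", "tok-123")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for url in [
        "https://bank.example/account",                    # genuine site, other page
        "https://BANK.EXAMPLE./login",                     # case / trailing-dot variant
        "https://bank.example.evil-login.test/login",      # lookalike domain
        "https://bank.example@evil.test/login",            # real host hidden in user-info
        "http://bank.example/login",                       # no TLS
    ]:
        card = store.card_for(url)
        print(f"{url:50} -> {'card for ' + card.host if card else 'no card'}")
```

The point of the exact-match lookup is that the user never compares domain names; the store does it, and a site that is not the enrolled origin simply gets nothing to fill in. A deployed tool would add stronger checks on top of origin matching (for instance, remembering the site's certificate), but the article does not describe which checks Uni-IDM performs.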
The working prototype of the tool was introduced this week, and the team is now looking for partners to help finalise the product and offer it commercially. They believe that, with cyber threats continually growing, it is time to find a safer solution than conventional password-based login protection.
“We have known for a long time that the username and password system is problematic and very insecure, proving a headache for even the largest websites,” Professor Mitchell said. “LinkedIn was hacked, and over six million stolen user passwords were then posted on a website used by Russian cyber criminals; Facebook admitted in 2011 that 600,000 of its user accounts were being compromised every single day.”
According to available data, some 37.3 million people have been affected by phishing in the past year, while the incidence of password theft has risen by 300 per cent over the same period. Recent phishing victims include employees of the Financial Times and users of Google's email service.
“Despite that, username and password remains the dominant technology, and while large corporations have been able to employ more secure methods, attempts to provide homes with similar protection have been unsuccessful, except in a few cases such as online banking,” said Professor Mitchell. “The hope is that our technology will finally make it possible to provide more sophisticated technology to protect all Internet users.”
The team believes the Uni-IDM tool could also be used to secure access to government online services, such as tax and benefits claims.