Monday, July 31, 2006

Preventing Phishing Attempts

I give props to ING Direct, who is really taking a stand against phishers. ING Direct is a US-based online bank. They just released a new login process that makes protecting the customer's identity its top priority.

This is their description of their new security feature:

Introducing a whole new way to feel safer.

Our new state-of-the-art security feature is a way to make you feel even more secure when you login.
By adding this new layer of security, you get added peace of mind that you are on the authentic ING DIRECT website. No other user or website would know what image and phrase you choose – only you and ING DIRECT know.

Here’s how it works.

You will be asked to select an image and create a phrase when logging into your account. Images can be chosen from our library of images and the phrase you enter can be any words you choose, such as “Home Run” or “Dream Car.”

The enrollment process is easy and will take a minute or two. And you will only have to do this once. After enrollment, when you login, your image and phrase will be displayed so you’ll know immediately that it’s safe to enter your Login PIN. To make your login experience even easier, you can “register” your computer with us, so that the next time you login from that computer, we will recognize you.

Their login process goes through the following steps:

  • You type in your customer number and submit the form.

  • The next page will show an image and text phrase that you previously chose. If you do not see the image and phrase that you chose, then either you typed in the wrong customer number or you are NOT at the real ING Direct web site.

  • If you see the proper image and phrase, then you enter your PIN by clicking the digits on a keypad shown on the web page.

  • If you are NOT logging in from a computer that you have registered with ING Direct, then they will ask you one of five security questions (such as "What is the street number of the house you grew up in?").
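To make the four steps concrete, here is an added Python sketch of the server side of such a flow. It is example code written for this post, not ING Direct's implementation, and two details are assumptions not stated above: the keypad layout is shuffled for every login so the browser submits button positions rather than digits, and an unknown customer number gets no image at all. The enrollment data in it is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Enrollment:
    """What a customer set up once: login PIN, anti-phishing image and phrase,
    and the security questions asked from unregistered computers."""
    pin: str
    image: str
    phrase: str
    questions: dict          # question text -> expected answer


class LoginService:
    """Server side of the four-step login. Session state lives on the server,
    so the browser never handles PIN digits directly."""

    def __init__(self, enrollments):
        self.enrollments = enrollments   # customer number -> Enrollment
        self.registered = {}             # device token -> customer number
        self.sessions = {}               # session id -> per-login state

    def start(self, customer_number):
        """Step 1: customer number only. A known number gets its image and
        phrase plus a freshly shuffled keypad layout. An unknown number gets
        None (assumption: the post does not say what the real site shows)."""
        enrollment = self.enrollments.get(customer_number)
        if enrollment is None:
            return None
        layout = list("0123456789")
        secrets.SystemRandom().shuffle(layout)      # assumption: per-login shuffle
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"customer": customer_number,
                              "layout": layout, "stage": "pin"}
        return {"session": sid, "image": enrollment.image,
                "phrase": enrollment.phrase, "keypad": layout}

    def submit_pin(self, sid, clicks, device_token=None):
        """Steps 2 and 3: the browser reports which keypad buttons were
        clicked (positions 0-9), not digits; only this session's layout
        turns positions back into a PIN. No digits are ever typed."""
        s = self.sessions.get(sid)
        if s is None or s["stage"] != "pin":
            return {"result": "invalid_session"}
        if any(not 0 <= i < 10 for i in clicks):
            return {"result": "invalid_session"}
        enrollment = self.enrollments[s["customer"]]
        typed = "".join(s["layout"][i] for i in clicks)
        if not hmac.compare_digest(typed, enrollment.pin):
            del self.sessions[sid]       # one attempt per session
            return {"result": "denied"}
        if self.registered.get(device_token) == s["customer"]:
            s["stage"] = "done"          # registered computer: no question
            return {"result": "authenticated"}
        s["stage"] = "question"
        s["question"] = secrets.choice(list(enrollment.questions))
        return {"result": "question", "question": s["question"]}

    def submit_answer(self, sid, answer):
        """Step 4: security question on an unregistered computer. Success
        registers the computer and hands back the token it should present
        (as a cookie, say) on its next login."""
        s = self.sessions.get(sid)
        if s is None or s["stage"] != "question":
            return {"result": "invalid_session"}
        expected = self.enrollments[s["customer"]].questions[s["question"]]
        if answer.strip().lower() != expected.strip().lower():
            del self.sessions[sid]
            return {"result": "denied"}
        token = secrets.token_urlsafe(24)
        self.registered[token] = s["customer"]
        s["stage"] = "done"
        return {"result": "authenticated", "device_token": token}


if __name__ == "__main__":
    # Constructed enrollment for a walk-through; not real customer data.
    bank = LoginService({"1234567": Enrollment(
        pin="2468", image="sailboat.png", phrase="Dream Car",
        questions={"What is the street number of the house you grew up in?": "1600"})})
    page = bank.start("1234567")
    print("site shows:", page["image"], "/", page["phrase"])   # the anti-phishing check
    clicks = [page["keypad"].index(d) for d in "2468"]         # what the user clicks
    print(bank.submit_pin(page["session"], clicks))            # -> security question
```

Because only the server knows the layout, a hardware keylogger records nothing for the PIN and a captured list of click positions does not reveal it either; that shuffle is the one place this sketch goes beyond what the post describes.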

The image and phrase verification is meant to prevent phishing. If someone sets up a fake web site to get you to type in your PIN, they would need to know your selected image and phrase to get you to continue with the login process. Of course, this assumes that the consumer knows why they were asked to select an image and phrase. If the fake site just asks for your customer number and PIN and you forget that you were supposed to see the image/phrase first, then you are screwed. It also assumes the fake site cannot obtain your image: as the steps above describe, the real site shows the image to whoever submits your customer number, so a fake site that forwards the number you type to the real site and relays the response can show you the correct image and phrase. The image proves you are talking to something that knows your customer number, not necessarily to ING Direct.

The on-screen keypad is there to defeat keystroke logging, which is very prevalent in places where computers are shared or in open areas. When I worked for a K-12 school district in Orange County, this came up much more frequently than you would think. Students are more devious than most adults give them credit for. You can put a piece of hardware called a keylogger between the keyboard and the computer that will capture every keystroke the user types. The hacker later removes the hardware and goes through the stored log of key presses. If the hacker knows your username, this makes the search easy: they just search for [username]+TAB, and the keystrokes that follow, up to ENTER, are the user's password. A PIN that is clicked rather than typed never appears in that log. (The keypad does nothing against malware that captures the screen or the mouse, but that is a different threat from the hardware keylogger described here.)
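The search just described, as an added Python example written for this post (not a tool from the original). The keylogger dump it parses is constructed, and its format (characters in typing order, special keys in brackets, the resulting character logged rather than SHIFT) is an assumption about how such a device records input. The third line of the dump shows the ING-style case: a customer number, TAB, then a PIN that was clicked on screen and so left nothing behind.

```python
import re

# Constructed sample of a hardware keylogger dump: characters in the order
# typed, with special keys in brackets. Made up for this example, not a
# real device log. Line three: customer number typed, TAB, PIN clicked on
# an on-screen keypad, so nothing was captured before ENTER.
SAMPLE_LOG = (
    "[CTRL][ALT][DEL]jsmith[TAB]Winter2006![ENTER]"
    "www.example-bank.test[ENTER]"
    "1234567[TAB][ENTER]"
    "jsmith[TAB]wrng[BACKSPACE][BACKSPACE][BACKSPACE]rongpass[ENTER]"
)

TOKEN = re.compile(r"\[[A-Z]+\]|.")


def tokenize(log):
    """Split a dump into single characters and bracketed special keys."""
    return TOKEN.findall(log)


def typed_text(keys):
    """Reconstruct what ended up in a field: BACKSPACE deletes the previous
    character, other special keys are dropped (assumption: the device logs
    the resulting character, so SHIFT never appears as a key)."""
    out = []
    for key in keys:
        if key == "[BACKSPACE]":
            if out:
                out.pop()
        elif not key.startswith("["):
            out.append(key)
    return "".join(out)


def secrets_after(log, username):
    """The search the post describes: find every '<username>[TAB]' and return
    the text typed up to the next [ENTER], i.e. the password candidates.
    An empty string means the field was filled some other way (e.g. clicks)."""
    tokens = tokenize(log)
    needle = list(username) + ["[TAB]"]
    found = []
    i = 0
    while i <= len(tokens) - len(needle):
        if tokens[i:i + len(needle)] != needle:
            i += 1
            continue
        j = i + len(needle)
        field = []
        while j < len(tokens) and tokens[j] != "[ENTER]":
            field.append(tokens[j])
            j += 1
        found.append(typed_text(field))
        i = j
    return found


if __name__ == "__main__":
    print(secrets_after(SAMPLE_LOG, "jsmith"))    # typed passwords recovered
    print(secrets_after(SAMPLE_LOG, "1234567"))   # clicked PIN: nothing to find
```

Running it on the sample recovers both typed passwords for jsmith (the second one after replaying the BACKSPACEs) and an empty field for the customer number, which is exactly what the on-screen keypad buys you against this attacker.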

There are already a few things that a user should expect when logging into a web site. If they do not already expect these things, then no amount of security will protect them:

  • The protocol of the web site should be https, not http.

  • They should see the yellow padlock in their browser, indicating that the communication channel is encrypted and that the site's SSL certificate is valid.

  • When they type in their password, the password is not echoed on the screen; it shows up as asterisks instead.

I really think that the login process will dramatically change over the next few years. Most people don't know why they have a CVV number on the back of their credit card, but they learned what it was when online retailers started demanding it. Most people don't know why most websites have email verification as part of their registration process, but they have learned to expect it. Users will need to educate themselves in order to keep their identities private. Phishing is one of the most prevalent forms of hacking that I have seen in the last 5 years. Security precautions like the ones ING is implementing will slowly become a standard across the internet.

