For PassMark, Image Is Everything in Phish Foiling

With the online scam known as phishing becoming a bigger threat, some vendors are advocating remedies beyond consumer vigilance by developing techniques that require e-mail senders to prove they are who they claim to be.

Bill Harris, formerly the chief executive at PayPal Inc., says the best protection is to come up with something that, unlike a logo, criminals cannot copy. If phishers cannot put together a convincing e-mail, he says, nobody will visit a spoofed Web site.

Mr. Harris, now the chairman and a co-founder of PassMark Security LLC, unveiled his venture's flagship product last month. It takes the most basic concept in online security and turns it on its head: If Web sites can ask for passwords from users, why can't users ask for passwords from Web sites?

The key is a password that is easy for users to remember - because it is not a word at all. "People remember pictures," he said. "They don't remember names; they remember faces."

Consumers can upload a familiar image such as a photo of a pet or a family member, or use a randomly assigned picture. When they want to log onto a Web site, the image is presented after they enter their name but before they type a password.

Phishers may be able to copy a bank's logo, Mr. Harris said, but the scam falls apart when you know to expect a picture of your new puppy.
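The two-step flow described above (username first, then the user's own picture, then the password) can be modelled in a few lines. The code below is an added illustration, not PassMark's software or anything from the article; the `Site` and `SpoofedSite` classes, the method names and the constructed placeholder image are all assumptions of this example. The point it demonstrates is that the picture lives only in the real site's enrolment records, so a look-alike site that copied the logo has nothing to show at step one and the user never reaches the password step.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the picture the user uploaded at enrolment
# (the article's example is a photo of a new puppy).
PUPPY_PHOTO = b"<constructed placeholder bytes for the user's puppy photo>"


class Site:
    """Hypothetical model of a site that shows the user's chosen image after the
    username and before the password is requested."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}  # username -> (salt, password_hash, image)

    def enroll(self, username, password, image=None):
        # Users may upload a picture or be assigned a random one, as the article says.
        if image is None:
            image = secrets.token_bytes(16)  # stands in for a randomly assigned picture
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = (salt, pw_hash, image)

    def begin_login(self, username):
        """Step 1: username only. Returns the image the user should recognise."""
        record = self._accounts.get(username)
        return None if record is None else record[2]

    def finish_login(self, username, password):
        """Step 2: the password, sent only after the user accepted the image."""
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, pw_hash, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, pw_hash)


class SpoofedSite(Site):
    """A look-alike site: it can copy the bank's logo, but it holds no enrolment
    records, so it has no way to produce the user's picture."""

    def begin_login(self, username):
        return b"<copied bank logo>"


def user_logs_in(site, username, password, expected_image):
    """The user's side of the check: type the password only if the picture matches."""
    shown = site.begin_login(username)
    if shown is None or not hmac.compare_digest(shown, expected_image):
        return "refused: unexpected image, password not entered"
    return "logged in" if site.finish_login(username, password) else "bad password"


if __name__ == "__main__":
    bank = Site("bank.example")
    bank.enroll("alice", "correct horse battery", PUPPY_PHOTO)
    print(user_logs_in(bank, "alice", "correct horse battery", PUPPY_PHOTO))
    print(user_logs_in(SpoofedSite("paypa1.example"), "alice", "correct horse battery", PUPPY_PHOTO))
```

Note that `user_logs_in` models a user who actually checks the picture; the scheme only helps when that comparison happens, which is the extra step Ms. Litan's remark below refers to.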

Such a tool might have saved Mr. Harris some frustration several years ago. At the start of 2000, when he was the chief executive at PayPal, it was hit by a phishing attack. The fraudulent e-mail directed victims to www.paypa1.com, where some were tricked into revealing account information.

PayPal executives discovered what was different about the Internet address: The figure 1 had been substituted for the lowercase "L" in their company name. In a browser they looked almost identical.

"The URL looked completely legitimate," Mr. Harris said.
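The "1 for l" substitution PayPal's executives spotted by eye can be caught mechanically by collapsing look-alike characters to a canonical form before comparing a domain with the brands you protect. The detector below is an added example and not code from the article or from any vendor it mentions; the `CONFUSABLES` table (everything in it beyond the "1"/"l" pair), the `PROTECTED_DOMAINS` list and the crude two-label notion of a registered domain are assumptions of the example. It goes a little beyond the article's single case by also flagging a brand name used as a subdomain of some other domain.

```python
from urllib.parse import urlsplit

# Pairs that render nearly identically in common browser fonts. Only the "1" for "l"
# swap comes from the article; the rest are this example's additions. Multi-character
# entries are listed first so they are collapsed before single characters.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "1": "l",
    "|": "l",
    "0": "o",
    "5": "s",
}

# Constructed list of brands being defended.
PROTECTED_DOMAINS = {"paypal.com"}


def skeleton(label: str) -> str:
    """Canonical form of a label with look-alike characters merged."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES.items():
        label = label.replace(lookalike, canonical)
    return label


def classify_url(url: str) -> str:
    """Report whether a URL's host is a protected brand, a look-alike of one, or neither."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    # Assumption: registered domain is the last two labels (no public-suffix handling).
    registered = ".".join(labels[-2:])
    if registered in PROTECTED_DOMAINS:
        return "legitimate"
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if skeleton(registered) == skeleton(brand):
            return f"lookalike of {brand}"
        if any(skeleton(label) == brand_label for label in labels[:-2]):
            return f"brand {brand_label} used as a subdomain of {registered}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; the first is the address quoted in the article.
    for sample in ("http://www.paypa1.com/login", "https://www.paypal.com/",
                   "http://paypal.example.net/", "https://example.org/"):
        print(f"{sample:35} -> {classify_url(sample)}")
```

A production check would use a public-suffix list for the registered domain and the Unicode confusables data for `skeleton`, but the structure is the same: normalise first, then compare against the protected set.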

But using easy-to-remember pictures has a downside. "It slows down the process," said Avivah Litan, a vice president at the market research firm Gartner Inc. in Stamford, Conn. Many companies may be reluctant to add an extra step to the log-in process, she said.

WholeSecurity Inc. picks up where PassMark leaves off. Its Confidence Online product can examine computer activity to detect keyloggers, a particularly nasty type of virus that secretly stores everything a victim types, looking for log-on passwords that are later transmitted to criminals.

Cyota Inc. is offering a suite of anti-phishing services, FraudAction, which includes risk assessment to analyze a bank's preparedness for an attack, continuous monitoring of the Internet with real-time detection, and various countermeasures. Phishing is "the perfect Internet crime, and it's growing rapidly," said Naftali Bennett, Cyota's chief executive officer. "Virtually all the U.S. and U.K. banks have been hit."

PostX Corp. in Cupertino, Calif., is developing a plug-in, Trusted Dialog, which can examine incoming e-mails - even browser-based messages - for threats. It uses a simplified form of Public Key Initiative encryption, which has been in limited use since the 1980s. But the software is optional and protects only customers who install it.

Microsoft Corp. is developing an Internet "caller ID" update, expected at midyear, for its Windows XP operating system. It would verify the identities of Web sites, but would require the widespread participation of the companies that own sites at risk.

An even more complex approach is RSA Mobile, from RSA Security Inc., which adds another step to the log-in process by sending a unique code to a consumer's cell phone as a text message. The code must then be entered into the computer. This costs time and effort but is immune to keystroke loggers, because part of the log-on is constantly changing.
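The reason a texted code defeats a keystroke logger is that the code is generated fresh for each log-in, expires quickly and is accepted only once, so a captured copy is worthless by the time it is replayed. The server-side half of such a scheme, written as an added example (not RSA Mobile's implementation; the class name, the 120-second lifetime, the six-digit length and the single-attempt rule are all assumptions), looks like this:

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumption: how long a texted code stays valid
CODE_DIGITS = 6         # assumption: code length


class OneTimeCodeServer:
    """Hypothetical issuer/verifier for log-in codes delivered by text message."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone_number, text); the SMS gateway
        self._clock = clock        # injectable so expiry can be tested offline
        self._pending = {}         # username -> (code, expires_at)

    def challenge(self, username, phone_number):
        """Generate a fresh random code, remember it briefly, and text it to the user."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[username] = (code, self._clock() + CODE_TTL_SECONDS)
        self._send_sms(phone_number, f"Your log-in code is {code}")

    def verify(self, username, submitted):
        """Accept a code only once, only before it expires, and only if it matches.

        The pending entry is removed on every attempt, so a wrong guess also
        consumes the code (one attempt per challenge) and a replay of a code that
        a keylogger captured earlier finds nothing to match.
        """
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(code, submitted)


def demo():
    """Walk through issue, correct use, replay and expiry with a constructed clock
    and a list standing in for the SMS gateway. Returns the four outcomes."""
    sent = []
    now = [1_000_000.0]
    server = OneTimeCodeServer(lambda phone, text: sent.append(text), clock=lambda: now[0])

    server.challenge("alice", "+1-555-0100")  # constructed number
    code = sent[-1].split()[-1]
    first = server.verify("alice", code)      # genuine log-in
    replay = server.verify("alice", code)     # same code typed again later

    server.challenge("alice", "+1-555-0100")
    wrong = server.verify("alice", "000000")  # guessed code, consumes the challenge

    server.challenge("alice", "+1-555-0100")
    now[0] += CODE_TTL_SECONDS + 1
    stale = server.verify("alice", sent[-1].split()[-1])
    return first, replay, wrong, stale


if __name__ == "__main__":
    print(demo())
```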

Though such products add security, they prolong the log-in process. "The simpler it is, the less secure it is," Ms. Litan observed.

MORE FROM AMERICAN BANKER