Phoolproof Anti-Phishing: Is it really FOOL-proof?

NetworkWorld has this interesting article on a Phoolproof Anti-Phishing System. This system uses mobile phones as secure keys for users browsing websites. Interesting? Here is a snippet from NetworkWorld on how it works:

Phoolproof Phishing Prevention system, the program provides strong authentication between the user’s browser and a Web site by using a third party – namely a cell phone or PDA – to act as authenticator, according to university officials. The idea is to keep Web users from logging into, and subsequently providing sensitive or financial information to, fraudulent sites posing as financial institutions or retail outlets.

Using SSL, the system stores a cryptographic key for each of the user’s designated online accounts on a mobile device. When the user wishes to visit one of these sites, he or she selects the bookmarked secure site from the mobile device’s browser, which then launches a browser window on the user’s PC. The PC retrieves the Web site’s certificate and forwards it to the mobile device, which verifies it and sends along the user’s certificate.

Then, from the PC’s browser, the user logs into the site with a name and password. The site’s server verifies the user’s name, password, and certificate, and grants the user access to the site.

The same thing can be achieved if the bookmarks on one’s computer are correctly encoded and if TLS/SSL is used. However, this may be problematic if the target site is prone to TLS/SSL phishing. For more comprehensive security, two-way (mutual) TLS/SSL, optionally triggered from a secure browser, should also be used.

Is Phoolproof Anti-Phishing enough? A drawback here (which also applies to other certificate-based anti-phishing measures) is this: how is the system supposed to catch phishers if the link clicked on the mobile is itself a phishing link? This is particularly true for first-time users of a secure site. For example, what if I visit the site for the first time and create the (insecure) bookmark at that moment? Definitely, this solution provides an additional level of security by using the mobile as a secure key. But why not just use a portable browser as a secure key? Same solution, same problems?
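To make the trust decision in that flow concrete, here is a constructed Python simulation, added for this post and not the CMU Phoolproof code: certificates are stand-in byte strings compared by SHA-256 fingerprint, and the user certificate is replaced by an HMAC account key, so only the pinning logic is faithful to the description. It shows that a bookmark pinned to the real site rejects a look-alike on later visits, while a bookmark created while already on the look-alike trusts it (the first-use gap raised above); the optional expected_fp argument is an assumed addition that models closing that gap with a fingerprint obtained out of band.

```python
import hashlib, hmac, secrets

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

class Site:
    """Web server: a stand-in TLS cert plus the account keys it has enrolled."""
    def __init__(self, domain):
        self.cert = f"CERT:{domain}:{secrets.token_hex(8)}".encode()  # stand-in for X.509
        self.enrolled = {}  # username -> account key (stand-in for the user certificate)
    def enroll(self, username):
        self.enrolled[username] = secrets.token_bytes(32)
        return self.enrolled[username]
    def verify_login(self, username, challenge, response):
        key = self.enrolled.get(username)
        return key is not None and hmac.compare_digest(
            hmac.new(key, challenge, hashlib.sha256).digest(), response)

class Mobile:
    """Phone: each bookmark pins a site fingerprint next to the account key."""
    def __init__(self):
        self.bookmarks = {}
    def create_bookmark(self, label, site_cert, username, key, expected_fp=None):
        # Trust on first use: whatever cert is presented now gets pinned, unless the
        # caller supplies a fingerprint obtained out of band (e.g. printed by the bank).
        fp = fingerprint(site_cert)
        if expected_fp is not None and not hmac.compare_digest(fp, expected_fp):
            raise ValueError("presented certificate does not match out-of-band fingerprint")
        self.bookmarks[label] = (fp, username, key)
    def authorize(self, label, presented_cert, challenge):
        pinned_fp, username, key = self.bookmarks[label]
        if not hmac.compare_digest(pinned_fp, fingerprint(presented_cert)):
            return None  # mismatch: the phone refuses to release the user credential
        return username, hmac.new(key, challenge, hashlib.sha256).digest()

def login(mobile, label, site):
    """PC side: fetch the site cert, forward it to the phone, relay the phone's answer."""
    challenge = secrets.token_bytes(16)
    answer = mobile.authorize(label, site.cert, challenge)
    return answer is not None and site.verify_login(answer[0], challenge, answer[1])

def demo():
    bank, lookalike, phone = Site("bank.example"), Site("bank-example.test"), Mobile()
    phone.create_bookmark("My Bank", bank.cert, "alice", bank.enroll("alice"))
    results = {"revisit_bank": login(phone, "My Bank", bank),
               "revisit_lookalike": login(phone, "My Bank", lookalike)}
    # The post's first-use case: the bookmark is created while already on the look-alike.
    phone2 = Mobile()
    phone2.create_bookmark("My Bank", lookalike.cert, "alice", lookalike.enroll("alice"))
    results["first_use_lookalike"] = login(phone2, "My Bank", lookalike)
    return results
```

Running demo() gives revisit_bank True, revisit_lookalike False and first_use_lookalike True: the pin only helps once it points at the right site.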
