September 1, 2005 Web sites that display images while the user enters a password could help prevent impostors from stealing personal data or money. The user would see a familiar image for every letter typed, and an unfamiliar image would serve as a warning. This could prevent phishing, the cyber crime practice of masquerading as a commonly used Web site so that users type in the passwords they would use on the real site.
WASHINGTON, D.C.--It's the crime of the future, and it's happening right now. However, now there is someone trying to stop it. Markus Jakobsson, computer scientist at Indiana University School of Informatics in Bloomington, Ind., says: "We're the good guy. We make the move. Then we go over to the other side of the table, and we're the bad guys. We make the move."
Jakobsson is working to find out what the next computer crime will be. He believes more elaborate phishing schemes are in the works. The phisher's target, Jakobsson says, is anybody with an e-mail account.
Phishing is when criminals send you a fake e-mail to try and get your personal information. "The strongest evidence that you're being phished is that you're getting an e-mail from a bank that you don't have a banking relationship with," he says.
One solution: delayed password disclosure. It not only uses a password, but also pictures. Jakobsson says, "For every character you enter, you get a new image on the screen. If there's even one image that you don't recognize, that means you're being attacked."
Each letter or number in your password would correspond to a picture. For example, if your password were dog, when you entered the "D," a picture of a house would appear. You would recognize correct pictures, but if the wrong image appears, you would stop entering your password.
Jakobsson says that until our passwords change, you need to take steps to protect yourself whenever you go online, any time you use your password. He warns computer users never to give out any personal information online, not to use your mother's maiden name for any reason, and to remember that if it seems like you are being played, you probably are.
BACKGROUND: Along with the rise of wireless networks is rising concern about securing networks against fraud and identity theft. Researchers at Indiana University have devised a new cryptographic security scheme to protect individual passwords from prying eyes.
WIRELESS IS VULNERABLE: The most common forms of wireless network hacking include methods for secretly intercepting passwords or other sensitive information by posing as a trusted network point. Such an attack is particularly effective against wireless networks that let users relay messages for one another. These so-called "ad-hoc" networks are useful in emergency situations, when the normal networks are overwhelmed or not working, but they are also more vulnerable to security breaches.
HOW IT WORKS: Delayed password disclosure works something like this. Let's say that you enter your password at an ATM to check your bank account information. If your password is "banana5," you would first type only "b." The machine would then display a picture that you have previously agreed goes with the "b." If it is the picture you expect, you move on to the next letter, "a," and the machine will display a second, agreed-upon picture, continuing until your password is validated. There are an infinite number of picture possibilities for password verification.
BENEFITS: Existing security protocols concentrate on securing the link between two machines, but any hacker can use a computer as a fake access point, stealing information secretly. Delayed password disclosure counters this by allowing both parties to use a pre-arranged password or PIN for authentication that is not revealed during communications. Whenever a user initiates a wireless link, the agreed code is turned into a string of incoherent bits by a mathematical algorithm, while at the other end of the link, another algorithm is applied to the string and sent back to the user. In this way, the code can be checked mathematically to confirm that the person at the other end of the link shares the same secret password or PIN.
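To make the per-character feedback in the HOW IT WORKS and BENEFITS sections concrete, here is an added simulation (not code from Jakobsson's research) in which a user who has memorised the image for each prefix of "banana5" stops typing at the first unexpected image. It models only the image feedback, not the cryptographic exchange that keeps the password hidden from the other end; deriving each image with an HMAC over a per-user enrollment secret, the `Site` class and the user name "alice" are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed image set: the scheme only needs a fixed, recognisable catalogue.
IMAGE_NAMES = [f"image-{i:03d}" for i in range(256)]


class Site:
    """Login endpoint that answers every typed password prefix with an image."""

    def __init__(self, secrets, passwords):
        self.secrets = secrets      # user -> enrollment secret (legitimate site only)
        self.passwords = passwords  # user -> password (legitimate site only)

    def image_for(self, user, prefix):
        # Assumed derivation: HMAC(enrollment secret, prefix) picks the image.
        # A phishing site has no enrollment secret, so its images are guesses.
        key = self.secrets.get(user, b"no-secret")
        digest = hmac.new(key, prefix.encode(), hashlib.sha256).digest()
        return IMAGE_NAMES[digest[0]]

    def verify(self, user, password):
        return self.passwords.get(user) == password


def enroll(site, user, password):
    """At enrollment the user memorises the image shown for each prefix."""
    return {password[:i + 1]: site.image_for(user, password[:i + 1])
            for i in range(len(password))}


def login(site, user, password, memorised):
    """Type one character at a time and abort at the first unexpected image.
    Returns (authenticated, number of characters disclosed to the site)."""
    for i in range(len(password)):
        prefix = password[:i + 1]
        if site.image_for(user, prefix) != memorised[prefix]:
            return False, i + 1   # the mismatched character was already sent
    return site.verify(user, password), len(password)


# Constructed sample data from the article's "banana5" walkthrough.
legit = Site({"alice": b"enrollment-secret-for-alice"}, {"alice": "banana5"})
impostor = Site({}, {})   # fake site: no enrollment secret, no password
memorised = enroll(legit, "alice", "banana5")

if __name__ == "__main__":
    print("real site:", login(legit, "alice", "banana5", memorised))
    print("fake site:", login(impostor, "alice", "banana5", memorised))
```

Against the real site all seven characters are entered and the login succeeds; against the impostor the user aborts early, so only a short prefix of the password is ever disclosed.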