views: 645

answers: 6

What is your suggested solution for the threat of website UI spoofing?

A: 

One solution is to customize the web site per user. Spoofing only works when users have basically the same view of the website (one spoof - many victims). So if, for example, eBay let you configure a custom background color, you should be able to notice that the page you're viewing is some spoof (that won't know your choice of color). A real solution is a bit more complex (like maybe a secret keyword configured in the browser that only the browser can render within password controls or into the URL bar, etc.), but the idea is the same.

Customize the UI per user so spoofing (which relies on most users expecting to see basically the same UI) stops working. It can be a browser based solution, or something web sites offer to their users (some already do).

Assaf Lavie
personal customisation is no good - a real site doesn't know who you are until you're logged in, so a phisher pretending to be them would already have your credentials.
Alnitak
A: 

I've seen some sites that let you select a "personal" icon. Whenever you log in, that icon is displayed as proof that you are on their site.

AaronS
and if you're not, it's too late...
Alnitak
The spoof site could easily take your login details and collect the *correct* personal icon from the real site and display it to you
Gareth
A: 
  • You can ask a question when the user logs in (a question that the user has written, along with the answer).

  • You can display a picture after the login that the user has uploaded; if the user doesn't see his picture (private, so that only he could see it), then it's not the real website.

Daok
These solutions still rely on you entering your credentials before you get confirmation that you're on the right site.
Gareth
OK, where is it written in the question that it is required to be before?
Daok
@Daok: The `phishing` part of the title (subtle, isn't it?) - the whole point of phishing is to collect credentials by pretending to be a legit site, right?
Ken Gentle
Well, if you have this mechanism that I describe, you know whether you got phished or not and can take some action to stop it. Right?
Daok
But it'll be too late. By then the botnetwork owned by the phishers might already have changed passwords, wired funds, etc.
Jilles
+4  A: 

By definition any solution that relies on the site showing you personalised information once you've logged in is ineffective against phishers. If you've attempted to log in, they've already succeeded!

FWIW, I don't yet know the real answer, maybe this question will throw up some good ideas. I am however professionally involved in research into phishing, bad domain registrations, etc.

I don't believe there's any significant technical solution that web site developers can implement. Again, by definition, if your users arrive at a phishing site you're no longer in control.

This is why all current anti-phishing technologies reside in the browser, and not in the phished site.

Alnitak
No, that just means it's indeed an effective measure against phishing for sites you already have an account with. That's a big part of the solution. The fact that it doesn't solve the pre-login phase doesn't say anything about its effectiveness afterwards.
Assaf Lavie
+1  A: 

The key to this problem is identifying some difference between a request to the real site and a request to the spoof site.

The simplest difference is some cookie-based UI preference. A cookie set on your (real) site will only ever be returned to your site, and will never be sent to a spoof site.

Now there are plenty of reasons that the valid cookie might not be sent to your site, the user might be using a different computer or they might have expired/deleted cookies, but at least you can guarantee that it won't be sent to the spoof site.

Gareth
The problem with this is the so-called "downgrade attack". How can the user tell the difference between a phishing site and a real site that for whatever reason is unable to send the required cookie?
Alnitak
The same way they would ever know - by looking at the URL. The point would be that without the customised UI they'd be wary of entering their credentials.
Gareth
In any case -- as a website -- the only real information you can guarantee is sent only to your site is something cookie-based.
Gareth
This is not a good answer.
Rook
Thanks, the rook. Let me (and other readers) know what you would improve about it :)
Gareth
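The cookie-scoping guarantee in Gareth's answer, together with the downgrade case Alnitak raises in the comments, modelled with Python's standard-library cookie jar standing in for the browser. This is an added example, not code from the thread; the hostnames bank.example and bank.example.evil.test are constructed, and the cookie name ui_pref is an assumption.

```python
import email.message
import http.cookiejar
import urllib.request

REAL_ORIGIN = "https://bank.example"             # constructed hostname for the real site
SPOOF_ORIGIN = "https://bank.example.evil.test"  # constructed look-alike phishing host

class _FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""
    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def save_ui_preference(jar, theme):
    """The real site answers a preference change with Set-Cookie. No Domain attribute,
    so this is a host-only cookie that the browser returns solely to bank.example."""
    req = urllib.request.Request(REAL_ORIGIN + "/prefs")
    jar.extract_cookies(_FakeResponse(f"ui_pref={theme}; Path=/; Secure"), req)

def ui_preference_sent_to(jar, origin):
    """Build the login-page request the browser would send to `origin` and report
    which ui_pref value, if any, the jar attaches to it (None when nothing is sent)."""
    req = urllib.request.Request(origin + "/login")
    jar.add_cookie_header(req)  # applies the jar's domain, path and Secure rules
    for part in (req.get_header("Cookie") or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "ui_pref":
            return value
    return None

def render_login_banner(theme):
    """Server side: personalise only when the cookie arrives. The None branch is the
    downgrade case from the comments, so the page warns instead of silently defaulting."""
    if theme is None:
        return "WARNING: no personalisation cookie; check the address bar before signing in"
    return f"Welcome back (theme: {theme})"

def demo():
    jar = http.cookiejar.CookieJar()          # one browser session
    save_ui_preference(jar, "dark")           # user picks a theme on the real site
    return {o: ui_preference_sent_to(jar, o) for o in (REAL_ORIGIN, SPOOF_ORIGIN)}

if __name__ == "__main__":
    for origin, theme in demo().items():
        print(origin, "->", render_login_banner(theme))
```

The real origin gets the personalised banner while the look-alike host never receives the cookie; a fresh browser on the real site lands in the same warning branch, which is exactly the downgrade problem the comments describe.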
+1  A: 

I think the only answer here is to program better people.

Doing things like customizing the appearance or uploading an image only works if the user in question actually recognizes when these things are wrong. I think the majority of users would never recognize these things except for sites they visit a lot. Even if they did, they may attribute it to a change in website design and not a phish.

Flory