British IT researchers have released the outline for an application designed to thwart phishing attempts by inverting a concept similar to Microsoft’s defunct CardSpace user-identification app.
CardSpace was designed as an identity metasystem: a client-based application that could work with a range of security and authentication applications from other vendors by allowing users to create simple identification cards that could be used to verify their identities every time they logged into a network system or Website.
Rather than using identity cards to help users authenticate to a Website, however, the Uni-IDM system is designed to prevent password theft and phishing attempts by letting users create a card verifying the identity of a Website they use and issuing an alert if they try to log into a malware site posing as the real thing.
The identity cards send information only to the original site, and are able to log users in without having to type in a password that could be keylogged or sniffed by malicious systems.
The application is able to support or integrate with other security systems by recognizing the security on a specific web page and pulling up a list of options users can choose for authentication.
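As an added illustration (not code from the article or from the Uni-IDM paper), the following Python model shows the defensive behaviour described above: a card binds a username to one origin and the certificate fingerprint seen when the card was created, credentials are released only to that exact origin, and a host that merely imitates a carded site raises an alert instead. All card values, hostnames and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SiteCard:
    label: str         # name the user sees on the card
    origin: str        # scheme://host the card was created for
    cert_sha256: str   # fingerprint of the site's certificate at enrolment
    username: str


# Constructed sample card; the fingerprint is a placeholder, not a real value.
CARDS = [SiteCard("Example Bank", "https://bank.example", "ab" * 32, "alice")]


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}" if parts.hostname else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(host, trusted_host):
    """True when host imitates trusted_host (embeds it or is a near typo) but is not it."""
    if host == trusted_host:
        return False
    strip = lambda h: "".join(ch for ch in h.lower() if ch.isalnum())
    h, t = strip(host), strip(trusted_host)
    return t in h or edit_distance(h, t) <= 2


def decide(url, observed_cert_sha256, cards=CARDS):
    """Return (verdict, detail). Credentials are released only for an exact
    origin match whose certificate still matches the pinned fingerprint."""
    origin = origin_of(url)
    host = urlsplit(url).hostname or ""
    for card in cards:
        if card.origin == origin:
            if card.cert_sha256 == observed_cert_sha256:
                return "RELEASE", card.username
            return "BLOCK_CERT_MISMATCH", card.label
    for card in cards:
        if looks_like(host, urlsplit(card.origin).hostname):
            return "ALERT_LOOKALIKE", card.label
    return "NO_CARD", None
```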
Phishing and more individually targeted spear-phishing techniques have become some of the most frequent and effective means of attack against both individuals and large organizations. More than 37 million users were affected last year by phishing messages directing them to fake Websites posing as banks, credit and financial institutions or other trusted sources, according to a June report from security firm Kaspersky Systems.
Despite data breaches at LinkedIn, Facebook and a host of other companies that allow millions of username/password combinations to be stolen each year, passwords are still the dominant form of user authentication even at many financial institutions, according to Chris Mitchell, lead researcher on the project and a professor at Royal Holloway’s Information Security Group.
The idea behind Uni-IDM is to create an open-source, highly interoperable system that uses data stored in a highly standardized format on a client machine and can be read by and incorporated into almost any other security system, Mitchell wrote. Microsoft’s CardSpace failed, in part, because there was no established identity-confirming infrastructure that could use its information, and thus there were few users demanding the capability or vendors investing to build one.
By contrast, Uni-IDM is designed to be used with any security system without forcing the latter to change, making it simpler to deploy more sophisticated, server-based systems that require some authentication from the client machine.
The architecture of Uni-IDM is laid out in a paper posted on Mitchell’s own Website.
The written outline is the only portion of the application available so far. Mitchell said his next goal is to deliver a working prototype to be released for testing, comment and contribution from the public, though he offered no schedule for when that might happen.