You’re at home doing your online banking—shoes kicked off, glass of chardonnay beading at your elbow—when you come across a Bank of the West webpage with the URL www.bankofthevvest.com. You are asked to provide your Social Security number and happily comply—after all, you’ve been banking with these guys for years and you know it’s a secure site. Right? Take another look at the “w” in “west.” Computer science professor Doug Tygar and then-graduate student Rachna Dhamija tested the phony Bank of the West page and found that 91 percent of users were duped into thinking it was a secure place to input their financial information. It’s that level of confusion, and the cheek of Internet fraudsters, that motivates the researchers.
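The “vv” standing in for “w” is a confusable-character lookalike, and a browser, mail gateway or SOC tool can catch it by collapsing such sequences before comparing a host against a list of trusted domains. The following is an added example, not code from the article or from Tygar and Dhamija’s work; the trusted-domain list and the confusable table are constructed assumptions.

```python
# Added example (not from the article): flag hostnames that imitate a trusted
# domain through visually confusable character sequences, such as the "vv"
# for "w" in www.bankofthevvest.com.
from urllib.parse import urlsplit

# Trusted hostnames a defender would maintain (constructed for this example).
KNOWN_GOOD = {"bankofthewest.com"}

# Sequences that render almost identically in common fonts, mapped to the
# character they imitate. Multi-character sequences are listed first so they
# are collapsed before single-character substitutions.
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
]


def registrable_domain(url: str) -> str:
    """Return the lower-cased host without scheme, port, path or a leading 'www.'."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Collapse confusable sequences so a lookalike compares equal to its target."""
    for seq, canon in CONFUSABLES:
        host = host.replace(seq, canon)
    return host


def classify(url: str) -> str:
    """'trusted' for a known-good host, 'lookalike' if it matches a known-good
    host only after confusable collapsing, otherwise 'unknown'."""
    host = registrable_domain(url)
    if host in KNOWN_GOOD:
        return "trusted"
    # Skeletonize both sides so a trusted domain that legitimately contains
    # a confusable sequence is still matched fairly.
    if skeleton(host) in {skeleton(good) for good in KNOWN_GOOD}:
        return "lookalike"
    return "unknown"
```

A “lookalike” verdict is the signal to block the login form or show a clear, non-dismissable warning rather than the subtle toolbar cues the article says users miss.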
The practice of making a fake Web page look like a real one—the point being to fool computer users into giving up personal information—is called “phishing,” and it’s a major problem in the world of Internet commerce, costing more than $2.8 billion in 2006. Tygar, a Web security expert, is locked in what he calls “competitive war” with phishers, who are constantly testing new ways to make fakes look trustworthy. They experiment with phony toolbars, scrollbars, and, deviously, images of authentic URLs. As soon as a scam is discovered and publicized, dozens of new ones spring up to take its place. “It’s almost like an arms race,” Tygar says. “Many people would like to say, ‘When can we have a system that’s going to be completely secure?’ The answer is that it’s probably impossible.”
But Tygar and Dhamija propose innovative security measures that at least make it more difficult to fool computer users. One is “dynamic security skins,” which would create a password window on your desktop that you’d customize with a photo. The browser would use your personal image as a border for a web page it knew to be secure (clever things, those browsers). All you’d have to do to ensure security would be to match the pictures. “The problem right now is the rules are very complicated,” says Dhamija, now a postdoc at Harvard and in the early stages of forming a company to make security skins commercial. “It would be nice to have some clear, simple rules saying that if this doesn’t match, don’t proceed, don’t log in.”
Tygar’s also working on a new way of using “cookies”—the little bits of information a computer stores while you browse the Web—and investigating keyboard security. The work never lets up. Many phishers have become so sophisticated that they “user test” their scams, employing the same research methods as security experts, notes Tygar.
Seems cyberspace is the new wild vvest.