Attackers often obtain your password, and a lot of other personal information, by spoofing a website you visit regularly or by sending a link in an email. The tactic is called phishing, and it works because it is not always easy to tell the real from the fake on the Internet.
To stop this tactic, or at least make it harder, a computer science professor at Royal Holloway, University of London, has written a web browser plug-in that handles the job of identifying the website, so the user doesn't have to.
The plug-in, called Uni-IDM, is the work of computer science professor Chris Mitchell and postgraduate researcher Haitham Al-Sinani. It lets users create a kind of electronic "ID card" for each website they visit. If the site is a fake, the username and password prompt simply doesn't appear, which is itself a clear warning. To check the authenticity of a site, the plug-in compares what it sees with what it recorded on your computer during earlier visits. That is, if it sees what looks like the Amazon.com web page but certain details differ from what was recorded before, it won't log you in.
This kind of check is also a good fit for the identity services people use to log in to many sites at once. For example, many use OpenID, a Facebook login, Disqus or a Google ID. When you log on to a site that accepts one of these, your password actually goes to the identity provider, not to the site itself. Uni-IDM checks whether the page about to receive your password really belongs to the OpenID provider or to Google. If it doesn't, the plug-in redirects you to the genuine provider's site instead of the fake one.
It's not a perfect solution, because the plug-in has to "learn" which sites are real: it trusts whatever it sees on first use, so if the first time a user visits "Amazon.com" they land on a fake site, the fake is what gets recorded and the plug-in won't know the difference. But it can, Mitchell says, at least cut down the effectiveness of phishing attacks.
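As an added illustration, and not code from Uni-IDM or from Mitchell and Al-Sinani, the following Node.js model reproduces the behaviour described above: an "ID card" store that records a site's details on first use and only offers a login when a later visit matches, a hand-off check that sends the user to the real identity provider when a site points elsewhere, and the first-visit weakness. The page fields compared (origin, certificate issuer, login form action, field names), the provider origins and the sample genuine and fake pages are constructed for the example; the article does not say which details Uni-IDM actually compares.

```javascript
// Added example, not Uni-IDM's code. Models a trust-on-first-use "ID card"
// store plus an identity-provider hand-off check in plain Node.js.

// Details of a page at the moment a login is about to happen (constructed).
const SAMPLE_GENUINE = {
  origin: 'https://www.amazon.com',
  tlsIssuer: 'Example Global CA',                     // constructed value
  loginFormAction: 'https://www.amazon.com/ap/signin',
  loginFields: ['email', 'password'],
};

// A look-alike that copies the page but not the origin or certificate.
const SAMPLE_FAKE = {
  origin: 'https://www.amazon.com.account-verify.example',
  tlsIssuer: 'Example Free CA',                       // constructed value
  loginFormAction: 'https://www.amazon.com.account-verify.example/ap/signin',
  loginFields: ['email', 'password'],
};

// Normalise the compared details into one string; key order is fixed here so
// that equal pages always produce equal strings.
function fingerprint(page) {
  return JSON.stringify({
    origin: page.origin,
    tlsIssuer: page.tlsIssuer,
    formAction: page.loginFormAction,
    fields: [...page.loginFields].sort(),
  });
}

// Which of the compared details changed between a stored card and a live page.
function differingFields(storedFp, seenFp) {
  const a = JSON.parse(storedFp);
  const b = JSON.parse(seenFp);
  return Object.keys(a).filter((k) => JSON.stringify(a[k]) !== JSON.stringify(b[k]));
}

class CardStore {
  constructor() {
    this.cards = new Map(); // user's label for the site -> stored card
  }

  // Trust on first use: the first page seen under this label is recorded as genuine.
  learn(label, page, username, password) {
    this.cards.set(label, { fingerprint: fingerprint(page), username, password });
  }

  // Decide whether to offer a login on `page` for the site the user calls `label`.
  check(label, page) {
    const card = this.cards.get(label);
    if (card === undefined) {
      return { action: 'learn', reason: 'no card for this site yet' };
    }
    const differing = differingFields(card.fingerprint, fingerprint(page));
    if (differing.length > 0) {
      // No prompt is shown; the missing login form is the warning.
      return { action: 'block', differing };
    }
    return { action: 'login', username: card.username, password: card.password };
  }
}

// Genuine login origins of identity providers the user holds cards for
// (assumed values; a real plug-in would ship or learn these).
const KNOWN_IDPS = {
  google: 'https://accounts.google.com',
  facebook: 'https://www.facebook.com',
};

// A site hands the browser off to `handoffUrl`, claiming it is `intendedIdp`.
// If the origin is not the provider's real one, send the user there instead.
function checkIdpHandoff(intendedIdp, handoffUrl) {
  const real = KNOWN_IDPS[intendedIdp];
  if (real === undefined) {
    return { ok: false, reason: `no card for identity provider "${intendedIdp}"` };
  }
  const target = new URL(handoffUrl);
  if (target.origin === real) {
    return { ok: true, url: handoffUrl };
  }
  return { ok: false, redirectTo: `${real}/`, reason: `hand-off went to ${target.origin}` };
}

// The weakness the article notes: a user fooled on the very first visit has the
// fake recorded as genuine, and the real site is then the one that gets blocked.
function poisonedFirstVisit() {
  const store = new CardStore();
  store.learn('amazon', SAMPLE_FAKE, 'alice', 'example-password');
  return {
    fakeAccepted: store.check('amazon', SAMPLE_FAKE).action === 'login',
    genuineBlocked: store.check('amazon', SAMPLE_GENUINE).action === 'block',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const store = new CardStore();
  store.learn('amazon', SAMPLE_GENUINE, 'alice', 'example-password');
  console.log(store.check('amazon', SAMPLE_FAKE));
  console.log(checkIdpHandoff('google', 'https://accounts.google.com.evil.example/o/oauth2/auth'));
  console.log(poisonedFirstVisit());
}
```

Run it with `node` and the fake Amazon page is blocked with `origin`, `tlsIssuer` and `formAction` reported as the differing details, the look-alike Google hand-off is redirected to the real origin, and `poisonedFirstVisit()` shows the first-use problem: once the fake has been learned, the genuine site is the one that gets blocked. Comparing the full origin (scheme, host and port) rather than a substring is what defeats hosts such as `amazon.com.account-verify.example`.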
Credit: Wikimedia Commons / Stormchak