Barriers erected to protect against password-theft scams*
by Carrie Kirby
Alarmed by
the growth of password-stealing scams on the Internet, two
Stanford professors are working on tools to protect users
from digital shakedowns.
The problem is known as phishing. Crooks send out e-mails
posing as banks or e-commerce companies, directing the
recipient to a fake version of the company's Web site. When
the victim types in his user name and password at the fake
site, the phishers capture the information and use it to
clean out the victim's bank account or commit other fraud.
Professor John Mitchell and Associate Professor Dan Boneh
have attacked the phishing problem from two angles: helping
e-mail users avoid fake sites and preventing thieves from
getting other people's passwords into their digital clutches.
Now they're working on stopping Trojan horse software,
spread through viruses, that can steal passwords right off a
computer as they are typed.
The computer science and electrical engineering professors,
along with students including Collin Jackson, got interested
in the problem after they were approached by the San
Francisco Electronic Crimes Task Force, a Secret Service
outpost dedicated to nailing online crooks.
"We really got hooked into this," Boneh said. "We didn't
know it was such a massive problem. And it's grown
tremendously since then."
The team created two software plug-ins that work with the
user's Web browser. Last year, they created SpoofGuard,
which scrutinizes each site the user visits for clues that
it might be a fake. It studies the URL, the graphics and the
links on the site. If something looks phishy, SpoofGuard
warns the user.
The other, called PwdHash, short for password hash, will be
introduced at a security conference in Baltimore next week.
PwdHash takes the password typed into a Web site, combines it
with the site's domain name and hashes the result, so each
site receives a different password derived from the one the
user typed. This means that if a user signs on to a fake, or
spoofed, version of eBay and is tricked into typing in his
password, the criminals won't get the same password that the
real eBay got, because the fake lives at a different domain.
So they won't be able to log on to the real eBay as the user
and set up fraudulent auctions in his name.
PwdHash also attacks a little-known problem the researchers
learned about from their law enforcement contacts: Because
people often use the same password at many different Web
sites, online thieves will take a stolen eBay password and
try it at Bank of America, Wells Fargo and anywhere else
they can think of. That doesn't work against a PwdHash user, because each of those sites received a different derived password.
Another tool, to be called SpyBlock, is aimed at a threat
PwdHash doesn't protect against: the Trojan horse
key-logging programs a lot of phishers are using to steal
passwords. Boneh expects to make that one available in six
months.
The tools are available for free as browser plug-ins on
Stanford's Web site. But, Boneh said, the goal is not for
millions of people to download them. In fact, too many users
would quickly overwhelm the team's capacity for tech
support. Ultimately, the team would like to see its work
incorporated into the major browsers so that everyone can
benefit from the tools without having to install them
separately.
To that end, the researchers said, they have met with
Microsoft's Internet Explorer team and have worked on
getting their software included in the open source Firefox
browser. PwdHash is in the public domain, meaning that
software creators are free to incorporate it into their
work.
Microsoft declined to comment for this story.
Dan Hubbard, a committee member at the tech industry's
Anti-Phishing Working Group, wasn't familiar with the
Stanford project, but said the organization "welcomes
efforts to defuse the current rise in identity theft through
phishing." Hubbard is also a senior director at e-mail
filtering firm Websense.
There are already plenty of tools available to help people
avoid falling into phishers' nets. For example, San
Francisco anti-spam firm CloudMark offers a toolbar that
alerts users when they arrive at a fake site. Bank of
America recently announced it would be offering customers
protection against having their accounts phished.
Boneh said he's not claiming his group's solution is any
better than products already out there.
"There's no one single solution that's going to solve the
phishing problem," he said. "The thing that's going to
defend against phishing is defense in depth. You layer a lot
of solutions."
*San Francisco Chronicle, TECHNOLOGY AND BUSINESS, Section E, Monday, July 25, 2005.
E-mail Carrie Kirby at ckirby@sfchronicle.com.