Thwarting Phishing scenarios

This page describes how the Saphe solution protects the user's credentials from the known Phishing attack methods, which fall into two classes:

Passive Phishing includes:

  • Passive impersonation of the real server

Active Phishing includes:

Passive impersonation of the real server is best illustrated by a scenario: an unsuspecting user receives an e-mail apparently from his bank, claiming that there is some kind of problem with his account and that he can easily fix it online. A link is supplied for his convenience.

At first glance the e-mail seems fine: the language is formal and phrased just as the user would expect from a real bank message, the sender's address seems right, and the supplied link also seems to match (more or less) the bank's URL, as far as the user can tell. This must be a legitimate message from his bank; how else would they know his e-mail address? The message mentions some problem in his account, and nobody wants problems in their account, but it seems that it can be easily solved without even getting up from his chair. "The Internet made everything so easy", he thinks to himself, and follows the link.

The obedient browser opens the link, and the user looks for the small lock icon, just as he was taught: this means that the connection is secure. (It means only that the connection to whatever server the browser reached is encrypted; a Phisher can obtain a certificate for his own domain just as easily, so the lock says nothing about who is on the other end.) The web page, which looks exactly like the real bank's login page, prompts the user for his user-name and password. The user types them in without thinking twice and solves his little 'problem'. Now the Phisher is in possession of his user-name and password.

The Saphe solution makes sure that this scenario cannot succeed. The Saphe plugin requires the server to authenticate itself before the password is released: since the impersonating server does not know the user's password, it cannot produce the Saphe data that the plugin expects, and the user's password is never sent to it. The random client-challenge sent by the plugin for every login ensures that a response captured from an earlier, genuine session cannot be replayed. The only thing the user needs to pay attention to is the (very visible) Saphe dialog box, or the lack of it; the dialog is drawn by the plugin, not by the page, so it presumably cannot be mimicked by web code (HTML, JavaScript, etc.). Any login attempt which does not involve this window should be treated as a Phishing attempt. Note that this last step is the one that still depends on the user: the protocol keeps the password from the impersonator, but a user who types it into an ordinary form without waiting for the dialog gives it away regardless.
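The exchange described above, as an added example that is not Saphe's own code: the page does not specify the format of the "Saphe data", so this toy model assumes an HMAC-SHA256 proof over the plugin's random challenge, keyed with a PBKDF2 key that both the plugin and the real bank derive from the password (the salt, password and class names are constructed for the example). It plays through a genuine login, a passive impersonator that can only guess, an impersonator that replays a proof captured from an earlier session, and a second submission of a valid proof for the same challenge.

```python
"""Toy model of the server-authenticates-first exchange described above.

Added example, not Saphe's own code. Assumptions: the server's proof is
HMAC-SHA256(password-derived key, challenge); the key is derived with
PBKDF2 from the password and a per-user salt; all values are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed credentials: only the plugin and the real bank know the key.
PASSWORD = "correct horse battery staple"
SALT = b"constructed-per-user-salt"  # assumption: the real server stores a per-user salt


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides derive the same verification key from the password (assumed KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def server_proof(key: bytes, challenge: bytes) -> bytes:
    """What a server that knows the key can compute for a given challenge (assumed format)."""
    return hmac.new(key, b"saphe-server-proof|" + challenge, hashlib.sha256).digest()


class SaphePlugin:
    """Browser side: issues a fresh challenge per login and only treats the
    server as genuine once it has answered that exact challenge correctly."""

    def __init__(self, password: str, salt: bytes) -> None:
        self._key = derive_key(password, salt)
        self._pending: bytes | None = None

    def start_login(self) -> bytes:
        # New random challenge every time, so a proof captured earlier is useless later.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def server_authenticated(self, challenge: bytes, proof: bytes) -> bool:
        ok = (
            self._pending is not None
            and hmac.compare_digest(challenge, self._pending)
            and hmac.compare_digest(proof, server_proof(self._key, challenge))
        )
        self._pending = None  # one shot: a second answer to the same challenge is rejected
        return ok


class RealBankServer:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def answer(self, challenge: bytes) -> bytes:
        return server_proof(self._key, challenge)


class PassivePhisher:
    """Imitates the bank's login page but never learns the password or key."""

    def __init__(self) -> None:
        self.captured: list[tuple[bytes, bytes]] = []

    def answer(self, challenge: bytes) -> bytes:
        # Best effort without the key: replay the last proof seen, otherwise guess.
        if self.captured:
            return self.captured[-1][1]
        return secrets.token_bytes(32)


def run_scenario() -> dict[str, bool]:
    plugin = SaphePlugin(PASSWORD, SALT)
    bank = RealBankServer(derive_key(PASSWORD, SALT))
    phisher = PassivePhisher()

    # 1. Genuine login: the bank answers the plugin's challenge correctly.
    c1 = plugin.start_login()
    p1 = bank.answer(c1)
    genuine = plugin.server_authenticated(c1, p1)

    # 2. The Phisher observed that exchange and replays its proof to a new challenge.
    phisher.captured.append((c1, p1))
    c2 = plugin.start_login()
    replay = plugin.server_authenticated(c2, phisher.answer(c2))

    # 3. A Phisher with nothing captured can only guess.
    phisher.captured.clear()
    c3 = plugin.start_login()
    guess = plugin.server_authenticated(c3, phisher.answer(c3))

    # 4. Even a genuine proof is accepted only once for its challenge.
    c4 = plugin.start_login()
    p4 = bank.answer(c4)
    first = plugin.server_authenticated(c4, p4)
    second = plugin.server_authenticated(c4, p4)

    return {
        "genuine_server_accepted": genuine,
        "replayed_proof_rejected": not replay,
        "guessed_proof_rejected": not guess,
        "second_use_of_proof_rejected": first and not second,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

As written, this models only the passive case the page discusses here: an impersonator that merely imitates the bank's page cannot answer the challenge and never sees the password. A Phisher who relays the plugin's challenge to the real bank and passes the answer back is the Active case, which the page defers to its own section.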

The Phisher is therefore left with two options: give up, or turn to Active Phishing methods (which the Saphe solution also protects against).

Note that some current anti-Phishing methods also protect against passive Phishing attacks. However, using idiosyncratic characteristics (for example, a picture or phrase that the user chose and expects to see on the login page) to prove that the server on the other end of the line is the real one does not protect against Active Phishing: an active Phisher can mediate between the user and the real server, relaying the pages in both directions, so the user sees the expected characteristics on the Phisher's page and still hands over the password.


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License