spot the differences

As a child I liked to do puzzles. One of these was called “Spot the Differences.”

Get all 15 differences correct and you may win a prize.

There is an adult version of this game. It’s much more challenging:

  1. It is more difficult: Only one picture is shown at a time. Players
    have to rely on memory to recall the differences;

  2. It’s played by millions of people every day, yet many don’t know
    they are playing;

  3. The stakes are higher: If you fail to spot any differences
    you might lose all the money in your bank account.

This game is also known as Internet Banking.

The Toxic Combination

The problem is not restricted to banking. The general issue is twofold:

  1. People need to validate the authenticity of a site before typing in
    their password;

  2. The password gets transmitted to the other party.

Most people assume that if the site looks like their bank and the
address bar is green then it must be safe. Regrettably, it is not:
criminals obtain valid certificates using stolen credit cards and
passports. The only reliable way to authenticate a site is to verify
the fingerprint of its server certificate. If you don't know what that
means, you are playing the game: you have to spot the spelling errors,
the differences in layout and the other small mistakes to detect the
scammers. Good luck!

The second part is just as problematic: The password must remain
secret, yet it must be transmitted to the other side to log in.

This is the Toxic Combination. One failure to detect a scammer’s site
and the password is compromised. The scammers can do everything that
you can do with the password.

A Way Forward

We present our protocol to eliminate this toxic combination.

We eliminate the need for people to validate a site: the protocol provides
enough data for the browser to do the validation on the user's behalf.
We also eliminate the password and replace it with client certificates;
again, the browser does the work for the user. That is what making
security usable means.

How it works is described in our paper: Usable-Security.pdf
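To make the two halves of the argument concrete, the following is an added example, not code from this post or from the paper it points to. It shows what "verifying the server certificate fingerprint" amounts to when a program does it instead of a person (a pin table keyed by the exact host name, compared in constant time on top of normal CA validation), and what the client side of the proposed replacement for passwords looks like (a TLS context that presents a client certificate instead of sending a secret). The host names, file paths and certificate bytes are constructed stand-ins, not the paper's protocol or any real site.

```python
"""Certificate fingerprint pinning and client-certificate TLS contexts.

Added example, not code from the post or its paper. It assumes the pinned
fingerprints reach the client out of band (a plain pin table here; the
paper describes its own distribution mechanism).
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the
    colon-separated upper-case form browsers show in their certificate
    viewer (e.g. 'E3:B0:C4:...')."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD', 'ab cd' or 'abcd' and return 'ABCD' for comparison."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def pin_matches(host: str, der_cert: bytes, pins: dict) -> bool:
    """True only if the certificate's fingerprint is one of the pins
    recorded for this exact host name.

    A host with no pin entry is rejected: a look-alike site is never
    trusted on appearance alone, which is the check the human player of
    the game keeps failing. Each comparison is constant-time."""
    expected = pins.get(host)
    if not expected:
        return False
    actual = normalize_fingerprint(fingerprint_sha256(der_cert))
    return any(hmac.compare_digest(actual, normalize_fingerprint(e))
               for e in expected)


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate (DER) over a normal, CA-verified
    TLS handshake. Pinning is a second check on top of CA validation, not a
    replacement for it. Needs network access, so it is not run here."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def client_cert_context(cert_file: str, key_file: str, ca_file: str) -> ssl.SSLContext:
    """Client side of mutual TLS: the client proves who it is with a
    certificate and private key that never leave the machine, so there is
    no password to hand to a scammer. The paths are hypothetical; the
    server must be configured to request client certificates."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


# Constructed sample data: these bytes are NOT real certificates, only
# stand-ins for DER blobs so the pin check can be exercised offline.
CONSTRUCTED_BANK_CERT = b"constructed-DER-stand-in: bank.example leaf cert"
CONSTRUCTED_OTHER_CERT = b"constructed-DER-stand-in: some other leaf cert"

PINS = {
    "bank.example": {fingerprint_sha256(CONSTRUCTED_BANK_CERT)},
}


def demo() -> dict:
    """Three situations the browser, not the user, should decide."""
    return {
        "genuine_site": pin_matches("bank.example", CONSTRUCTED_BANK_CERT, PINS),
        "lookalike_host": pin_matches("secure-bank.example", CONSTRUCTED_OTHER_CERT, PINS),
        "right_host_wrong_cert": pin_matches("bank.example", CONSTRUCTED_OTHER_CERT, PINS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of `pin_matches` rejecting an unknown host outright is the same as the post's: the decision must not fall back to "does it look right". In practice the pins would be keyed on the exact origin the browser is about to send credentials to, and `client_cert_context` would replace the password form entirely, so a mistaken visit to a look-alike site yields nothing reusable.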

Image Credits: Image by Muband from Wikipedia - Spot the Difference, Creative Commons Attribution-Share Alike 3.0 Unported.