In the wake of successful attacks by the Syrian Electronic Army on high-profile media properties like the New York Times, NPR and the Guardian, researchers at the Information Security Group at Royal Holloway, University of London have created a prototype software architecture designed to take the human element out of phishing attacks.
IDSpace is a browser extension that provides “a single user interface and user experience for user authentication, whilst supporting a range of existing identity management technologies.”
IDSpace acts as a sort of password manager, but it pops up to ask if you’d like it to fill in login/password details from its system only if the site you navigate to is legit.
That would have come in handy for the news organizations the SEA has hacked, all of which fell victim to clicking on emailed links and entering passwords on a fake Google login screen.
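The mechanism described above, a credential store that only offers to fill a login when the visited site really is the one the credential was saved for, is easy to see in miniature. The following is an added example, not IDSpace code and not from the Royal Holloway paper: it keys each credential by the exact HTTPS origin (scheme, host and port) it was stored under and refuses to offer a fill for anything else, so a look-alike host or a plaintext downgrade never triggers the prompt. The site and credential values are constructed placeholders.

```javascript
// Added example: an origin-bound credential store of the kind a
// phishing-resistant password manager relies on. Not IDSpace code.
// Credentials are keyed by exact origin; a fill is offered only when the
// page's origin matches exactly. Sample data below is constructed.

const vault = new Map();

// Normalise a URL to its origin, or return null if it is unusable.
function originOf(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return null;                     // unparsable input: never fill
  }
  if (u.protocol !== "https:") {
    return null;                     // never fill over plaintext HTTP
  }
  return u.origin;                   // e.g. "https://accounts.google.com"
}

// Store a credential under the origin of the page it was entered on.
function saveCredential(rawUrl, username, password) {
  const origin = originOf(rawUrl);
  if (origin === null) {
    throw new Error("refusing to store a credential for a non-HTTPS or invalid URL");
  }
  vault.set(origin, { username, password });
  return origin;
}

// Decide what the browser extension should do on a page. Only an exact
// origin match yields "fill"; everything else gets a reason the UI can show.
function decide(rawUrl) {
  const origin = originOf(rawUrl);
  if (origin === null) return { action: "refuse", reason: "not an HTTPS page" };
  const cred = vault.get(origin);
  if (cred === undefined) return { action: "refuse", reason: "no credential saved for " + origin };
  return { action: "fill", reason: "origin matches", credential: cred };
}

// Convenience wrapper: the credential to fill, or null.
function offerAutofill(rawUrl) {
  const d = decide(rawUrl);
  return d.action === "fill" ? d.credential : null;
}

// Constructed sample: the user once logged in at the real site.
saveCredential("https://accounts.google.com/ServiceLogin", "reporter", "correct-horse-battery");

// Same origin, different path: the manager offers to fill.
console.log(decide("https://accounts.google.com/signin?continue=mail"));
// Look-alike host from a phishing mail: no match, nothing is offered.
console.log(decide("https://accounts.google.com.login-verify.example/ServiceLogin"));
```

The point the example makes is that the user never has to judge the page: the decision rests on a string comparison the extension performs, and a convincing-looking login form on the wrong origin simply produces no prompt. What the example does not do is stop a user who, seeing no prompt, types the password in by hand anyway, which is exactly the gap the article goes on to describe.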
As Quartz’s Leo Mirani noted, Microsoft introduced a similar tool in 2006, which it discontinued in 2011. So why reintroduce a similar concept? According to codeveloper Chris Mitchell, phishing has become almost epidemic, the number of websites demanding registration has grown, and registering using another site’s login, like Facebook or Twitter, is common.
Mitchell and codeveloper Haitham Al Sinani are currently building the prototype from the architecture they outlined in their paper, “which (they) plan to make available for public scrutiny and testing.”
But online security requires one fundamental thing that cannot be automated: discipline. If you use a tool like IDSpace and maintain the rigor of basing login-sharing on its counsel, well and good. But if that one phishing email comes in that seems just convincing enough and you fall for it, you might as well never have downloaded the password manager at all.
Mitchell and Al Sinani have created their extension with a focus on retaining the habits of existing online behavior, instead of demanding that users learn new behaviors, which could risk mistakes.
IDSpace can, and probably will, help. But without that discipline, it might as well be a GIF.