Security experts unveil defense against phishing

Steve Castillo Phish

Computer science faculty members John Mitchell, left, and Dan Boneh have developed web browser plug-ins to protect computer users from “phishing” attacks.

It's an online con that is growing fast and stealing tens of millions of dollars. An e-mail seemingly from a financial institution instructs you to log on to a legitimate-looking website. Such "phishing" attacks exploit a universal weakness in online security: passwords.

"Phishing attacks fool users into sending their passwords, in the clear, to an unintended website," says Dan Boneh, an associate professor of computer science and electrical engineering. "Since Internet users often use the same password at many websites, a phishing attack on one site will expose their passwords at many other sites."

Boneh and computer science Professor John Mitchell say they can change all that. Their research group has developed an extension to popular web browsers that completely overhauls the security of passwords with only the slightest change in the daily web-surfing experience?one or two keystrokes before entering a password activates their software. Mitchell, Boneh and their students will debut the extension, named PwdHash (short for "Password Hash"), at the 14th Annual Usenix Security Symposium in Baltimore at the end of July. It is one of three tools the pair has devised to combat phishing.

The need for tools to defend against phishing is urgent because this con is growing fast. Between July 2004 and April 2005, the number of phishing sites grew at an average rate of 15 percent a month, according to the Anti-Phishing Working Group, an industry consortium.

Hashing out securityPwdHash works behind the scenes to irreversibly encrypt a user's password in a way that is unique for every website. "Hashing" a password means combining the typed password and the site's domain name in an algorithm that outputs a unique password that bears no traceable resemblance to the typed one. The hashed version produced by PwdHash for a phishing site therefore bears no resemblance or clues to the hashed version that is valid at the legitimate site. Meanwhile, the user simply has to remember the familiar typed password. When a potential phishing victim unwittingly enters his eBay password at a phony site posing as eBay, PwdHash generates a new password for the phisher's site, so the phisher ends up gathering something totally different than what is actually needed to log in at eBay.

To tell PwdHash to do the hashing, the user only has to type "@@" or the F2 key before typing the password. In five professionally conducted user tests, people had no problem remembering to enter @@, Mitchell says.

To get the benefit of PwdHash's protection, users will have to change their passwords using PwdHash at sites where they have accounts. But users can do this at their own pace, Mitchell says. Besides, changing passwords is something people should do anyway, say the computer scientists. "It's a good idea to change your password in case somebody discovers it," Mitchell says. "It is also part of making sure that you are using different passwords at different sites."

Boneh hopes that major technology companies?and the Stanford researchers have met with several?will adopt PwdHash and help distribute it broadly.

Of course, like all security software, PwdHash is not perfect. For example, it does not work for the AOL browser and cannot protect users who have unwittingly downloaded software that can read their keystrokes as soon as they type them. Some phishing sites trick users into downloading such software.

SpoofGuard and SpyBlockBut that's where other tools from Boneh and Mitchell can help. SpoofGuard, another browser extension, can recognize illegitimate pages and warn users when they visit them. After installing SpoofGuard, a user would only have to watch his or her screen to avoid many phishing sites. PwdHash would then be the second line of defense.

SpoofGuard uses several cues to determine whether a site is questionable. It will suspect pages with names similar but not identical to major ones (e.g., or, pages with numerical rather than text addresses, pages with images that are known in a database to be associated with other addresses (such as corporate logos) and pages that are not already in the user's history list. SpoofGuard will even warn users who are visiting pages already known to the anti-phishing community. Finally, it will "watch" as users type in passwords. If the password is being entered at a site different than the one it associates that password with, SpoofGuard will warn the user.

Another tool Boneh and Mitchell are currently developing, called SpyBlock, is meant to directly combat the keystroke reading software that phishers try to distribute.

Unfortunately, users always will have to be vigilant about Internet scams and how to protect themselves, Boneh says. "There is not going to be a silver bullet against phishing," he says. "It's going to be a collection of defense mechanisms that hopefully can work together to prevent the problem."

Further information and free, prototype versions of both PwdHash and SpoofGuard are online at and

David Orenstein is the communications and public relations manager at the Stanford School of Engineering.