The Secret Service agents who came to lunch on campus three years ago weren’t particularly intimidating. “Just five guys in suits with lapel pins,” computer science professor John Mitchell recalls.
The team was part of San Francisco’s Electronic Crimes Task Force, come to ask for help in solving problems of financial fraud on the Internet. “They brought us a lot of problems,” Mitchell says. In response, he told the agents, “We can dialogue from here to eternity, but we’re a technical people, so what can we do that’s technological to help you?”
The agents looked at one another and said, “web spoofing.” Also known as “phishing.”
“Phishers,” Mitchell says, use e-mail messages—from, say, a bank where a consumer may have an account—to trick unwary computer users into providing their usernames and passwords to bogus websites. For example, phishers might send a message regarding online banking with a legitimate-looking “Wells Fargo” logo. If the recipient clicked through to the website, he wouldn’t necessarily notice that the URL contained “We11s” spelled with the numeral “1” instead of the letter “l.”
As Mitchell and Dan Boneh, an associate professor of computer science and electrical engineering and a specialist in cryptography, learned more about the growing sophistication and potential impact of phishing, they became convinced their students could design and build some solutions. The first product, launched last year, was SpoofGuard, a browser extension that identifies fake websites, warns users about them and halts the transmission of data.
“I thought, ‘This is really cool,’” says second-year doctoral student Collin Jackson, who came to Stanford after working for the Center for Democracy and Technology in Washington, D.C. For years, whenever he got an e-mail message from, say, eBay that wanted to interest him in an online business transaction, Jackson says he would call the company and try to explain his frustration. He told them that phishers could send a similar message, get his password, and use it to set up a phony auction and steal bidders’ money. “I’d say, ‘Look, this is a terrible idea. You need to educate consumers who have no way to tell if [they’re using] a fraudulent source.’ ”
Jackson became an eager worker bee on the next-generation solution: Web Password Hashing, or PwdHash. A piece of software that can be downloaded for free and runs on a user’s browser, PwdHash is designed to make it almost impossible for anyone to steal a password because it scrambles or encrypts a user’s password when she logs on to a website. It creates a unique password for every website the user visits. Like SpoofGuard, PwdHash is available at the researchers’ website. Since the Internet Explorer and Mozilla Firefox versions have been available, Jackson says more than 5,000 users have downloaded them. Next up is SpyBlock, which Boneh says will combat the keystroke-reading software many phishers use to try to steal passwords.
“We’d like to continue to provide security mechanisms that are useful to home users or small-business owners—secrecy for the normal person,” Mitchell adds. Time to have lunch with the Secret Service again.