Wednesday 18 February 2004

How our User Interface could aid Visual Spoofing

Don Park demonstrates Visual Spoofing, which is potentially another avenue for Internet phishing scams, except that this one relies on the familiarity of our own user interface to trick us into giving away private information.

I will let Don explain this:

You see, the computer screen you are seeing this post with is actually showing just a rectangular array of pixels. There are no such things as windows or buttons. Instead, there are pixel patterns we call windows or buttons. It is us, the users, who associate the idea of windows and buttons with those patterns of pixels.

From this perspective, a browser window is a rectangular array of pixels under full control of someone else, full control meaning any pattern of pixels can be displayed, including those 'sacred' patterns we see as 'windows' or 'buttons'. The illusion of depth, used commonly to enforce the concept of overlapping windows, can also be duplicated.

Basically, a hacker could create a fake User Interface using DHTML, and the user may be none the wiser, especially if the user is deluged with pop-ups or is accustomed to having so many open browser windows.

Diego Doval uses the analogy of a Key and Lock to explain how Visual Spoofing could succeed:

We tend to guard (and trust, or distrust) the key, while we implicitly trust the lock. Why? The lock is "solid, real". It's "unmovable": built into the door, or ever present in your computer screen. The key can be duplicated without you knowing. The lock cannot.

Except that the locks we've got on computer screens are themselves open to duplication. Seamless. What Don is talking about is applied to browsers.

Don also offers a possible solution, which he calls phishmarking.