Hitoshi Kokumai

2 years ago · 3 min read



Deterrence to Hard-to-Defend Phishing Attacks


It is known that targeted/spear phishing attacks often cause grave damage. Implementation of Expanded Password System is expected to deter indiscriminate mass phishing attacks to a large extent.

However, all passwords, whether texts, patterns or images, are vulnerable to spear/targeted phishing, whatever tricks we may incorporate into them. Effective deterrence can be expected only when we involve 2 channels, 2 steps, or both.

Incidentally, the fact that the password is vulnerable to spear/targeted phishing does not mean that removing the password is a solution. In the same way, removing a lock/key and reinforcing the door panel is not a solution to the vulnerability of the lock/key.

A. Against Indiscriminate Mass Phishing

Where Expanded Password System (*1) is deployed and users are encouraged to create their own unique image matrices, we could assume that criminals feel discouraged from indiscriminate mass phishing.



It would be a costly job, if technically possible at all, to capture thousands, millions or billions of image matrices, each unique to a different userID, from the genuine authentication servers, copy them onto the criminals' fake servers, get them activated so that tapping and clicking on the screen can be detected, and then try to lure the target people into disclosing their credentials (the registered images) on the fake servers by sending phishing mails, etc.

This is effective against indiscriminate mass phishing, though not against spear/targeted phishing.

B. Against Spear/Targeted Phishing

2-Channel Expanded Password System (implemented as Onetime MnemonicGuard *2) could discourage criminals because the criminals would need to place both of the two channels under their control simultaneously before starting the phishing trial.

*2 https://www.slideshare.net/HitoshiKokumai/2factor-authentication-with-no-physical-tokens-and-no-sms

Figure: 2-Channel Expanded Password System

Alternatively, where a 2-factor/channel system is not implemented but Expanded Password System (EPS hereafter) is deployed, we could think of adding a second step of EPS, making the system a 'Selective 2-step EPS' for the users who opt for it.

With the 2-step EPS, the image matrix for the 2nd step is supposed to be shown to the user/criminal only when the user/criminal has gone through the 1st step EPS.

The optional 2-step EPS could discourage criminals by making it hard for those who have somehow obtained the credentials (the registered images) of the target persons for the 1st step EPS to prepare the image matrices of the 2nd step EPS on their fake servers quickly enough.

Specifically, a criminal who knows the userID of the target person can capture the image matrix of the 1st step EPS from the genuine server without the target's knowledge, prepare that image matrix on a fake server and lure the target into disclosing the credential (the registered images).

However, the criminal would then have great difficulty in obtaining the credential (the registered images) for the 2nd step EPS, unless the criminal had the magical power of completing the following process in a matter of seconds:

Having successfully stolen the credential for the 1st step,

1. access the target's account with the target's UserID and get the target's image matrix shown,

2. visually locate and manually tap/click the images of the target's selection on the screen of the genuine server,

3. having gone through it successfully, capture the target's image matrix for the 2nd step EPS,

4. activate the image matrix on the criminal's fake server so that it can detect tapping/clicking by the target,

5. show the image matrix and urge the target to select the credential (the registered images) for the 2nd step EPS.

Users, who have been informed that they should suspect phishing if they are kept waiting for more than a few seconds after clearing the 1st step, would be advised to cut off the connection without moving to the 2nd step and to re-create a different image matrix for the 2nd step EPS.
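The 2-step EPS flow and the user-side waiting rule described above, as an added simulation that is not part of the original article or any EPS product: image matrices are abstracted to lists of image IDs, the credential is the set of registered IDs, and the "few seconds" threshold is assumed to be 3 seconds (MAX_WAIT_S).

```python
import secrets
from dataclasses import dataclass

# Assumed threshold for "kept waiting more than a few seconds" after step 1.
MAX_WAIT_S = 3.0

@dataclass
class Account:
    step1: tuple          # (matrix, registered images) for the 1st step
    step2: tuple          # (matrix, registered images) for the 2nd step
    cleared1: bool = False

def make_matrix(secret, pool_size=20):
    """Registered images mixed with random decoys (constructed IDs), shuffled."""
    decoys = {f"img{secrets.randbelow(10_000):04d}" for _ in range(pool_size)}
    matrix = list(set(secret) | decoys)
    secrets.SystemRandom().shuffle(matrix)
    return matrix, frozenset(secret)

class EpsServer:
    def __init__(self):
        self.accounts = {}

    def enrol(self, user_id, secret1, secret2):
        self.accounts[user_id] = Account(make_matrix(secret1), make_matrix(secret2))

    def step1_matrix(self, user_id):
        # Shown to anyone presenting the userID, as in the capture scenario above.
        return self.accounts[user_id].step1[0]

    def submit_step1(self, user_id, selection):
        acct = self.accounts[user_id]
        acct.cleared1 = frozenset(selection) == acct.step1[1]
        # The 2nd-step matrix is revealed only after the 1st step is cleared.
        return acct.step2[0] if acct.cleared1 else None

    def submit_step2(self, user_id, selection):
        acct = self.accounts[user_id]
        ok = acct.cleared1 and frozenset(selection) == acct.step2[1]
        acct.cleared1 = False          # every login must clear step 1 again
        return ok

    def recreate_step2(self, user_id, new_secret):
        # The user's response to a suspected relay: any captured 2nd-step matrix
        # and credential become worthless.
        self.accounts[user_id].step2 = make_matrix(new_secret)
        self.accounts[user_id].cleared1 = False

def second_step_decision(step2_matrix, wait_s, max_wait_s=MAX_WAIT_S):
    """User-side rule: abort if the 2nd-step matrix arrived too slowly."""
    if step2_matrix is None:
        return "rejected"
    return "proceed" if wait_s <= max_wait_s else "abort_and_recreate"
```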

As such, the burden forced upon criminals is very heavy, whereas the burdens on the authentication server and the users are relatively light.

The authentication server is required to add another step of EPS to the default EPS for the users who opt for an additional protection against spear/targeted phishing.

The users who opt for the 2-step EPS are required to create two sets of image matrices and to remember the advice that they should cut off the connection without moving to the 2nd step when they are kept waiting for more than a few seconds after clearing the 1st step, and then re-create a new image matrix for the 2nd step, and desirably the one for the 1st step as well.

Whether or not this is too heavy a burden for the users may well depend on the value of the information assets they have access to. Managers of classified and highly sensitive information in large volume probably do not view it as too much of a burden in view of the grave damage that results from spear/targeted phishing attacks.

C. Against Persistent Spear/Targeted Phishing

Criminals who persistently chase really valuable information assets could be discouraged if we deploy the 2-step EPS coupled with the 2-Channel method.

Remark: The core concept of the above proposition was first announced 12 years ago when I was a member of Japan’s Anti-Phishing Task Force organized by the government.

The anti-phishing task force, which was dominated by vendors of biometrics, PKI and anti-virus software, did not show any interest in this proposition. Dissatisfied, I quit it and have since forgotten about it.

I was reminded of this long-forgotten proposition by a brief reference to 'Phishing' in a comment from a gentleman with respect to my latest article.


