How Infocard prevents phishing, in practice

I recently had a hot debate about how Infocard prevents phishing; now every time I see the "What's in your wallet?" commercial the arguments come back to mind, so I guess the only way to break free from them is to go through it again. So here's how it goes [:)]

Disclaimer: for extensive coverage of Infocard and the Identity Metasystem, check out Kim and Andy's blogs: this post is just a very down-to-earth, oversimplified view of the thing, which proved effective in a conversation. It's nothing new; it has already been said in finer terms. I won't go into details: in fact, I won't even say what a card is! For an excellent introduction, see John's PDC presentation.

The Point

Imagine going to your local grocery store: after having bought your regular stuff you head for the cashier, and while she adds items to the bill you reach for the wallet in your pocket, but... something is wrong! The wallet itself is definitely the model you use (color, brand, number and arrangement of pockets all match), but the content is nowhere near the familiar sight you would expect. Let's say you normally keep the American Express, the driving license and the X debit card on the right, while on the left you have the Visa, the Y grocery loyalty card and the gym keycard: what would be your reaction if you found on the left two Visas, with your name on them but from banks you don't have an account with; a library card; a driving license from a different State, with a different picture and wrong dates; and nothing else! I guess MOST people wouldn't happily pull out one of the weird Visas to pay; I'd rather expect them to block everything until they understand what is going on... well, keep this feeling handy, because in a few lines we'll have to conjure it back.

Let's agree on what the term "phishing" means

While phishing has become a very common word, it's still a good idea to spend a few lines agreeing on what exactly we mean. Wikipedia seems to have a good definition:

In computing, phishing is a form of social engineering, characterised by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

The most common technique: the mail message lures the user to an artfully crafted web page, which reproduces (with different levels of accuracy) some official web site that would normally (and legitimately) gather credentials from the user. Needless to say, entering credentials on the fake page means serving them on a silver plate to the phisher.

One of the key factors in the success of phishing schemes is the wide variety of different experiences users have to go through when using the internet for "serious" purposes. Bank X may ask for a contract number and a password, while bank Y may ask for the account number, social security number, a numeric PIN and a password; the postal website may ask for an email address and a password, while the auction site may ask for a username and a password; of course all of the above will have different layouts, different arrangements, different loading behaviors, and the very same web site will undergo dramatic restyling from time to time. No wonder that many users don't get suspicious in front of a rough copy of their home banking service, and they enter their precious credentials.

Infocard counter-scheme

Very briefly: Infocard provides a consistent experience for all authentication moments. Every time you access an (Infocard-ready) website and some level of authentication is required, the system is going to ask you to pick a card among the ones you own: and you'll always be prompted by the same UI (apart from a few minor facilitators), regardless of the website you are contacting. That UI, which BTW is called the Identity Selector (IS), lives on a different desktop than the one used by the user's interactive session: this means that processes from the user session can't attach to the IS and steal information. Furthermore, all data that leaves the user's machine is secured via WS-*: so everything should be rock solid. Everything is cryptographically sound, and the user gets acquainted with a consistent experience.

Now, what are the options for the phisher? Traditionally luring the user to a cloned site, in the hope it will seem like a routine visit, wouldn't work: the IS would warn that it's a first-time visit; furthermore, the bait page would have to present a certificate of its own (with logo), which would make clear that it's not affiliated with the site targeted by the scheme. So, stealing credentials with a server-side trick becomes impractical.

What's left? One could envision a client-side version of phishing: somebody could take control of the client machine and show a UI very similar to the IS, trying to induce the user to give credentials. Apart from the fact that with Infocard you don't often input remote credentials directly (typical usage is a PIN for unlocking a local card), here is the moment to remember the wallet example: the fake UI can be a perfect reproduction of the IS, but it won't show MY cards! The data about each card lives in a secure store, which can't be accessed by processes from a desktop other than the one created by the IS: so the phisher would have to guess the number, type and content of my cards, with chances of succeeding that are very, very faint, to be conservative. Everybody would realize immediately that there is something wrong.
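As an added illustration (not code from the original post, and a deliberate simplification of what the real Identity Selector does), here is a small Python model of the "first-time visit" check described above: the selector remembers the sites it has released cards to by the certificate's public key, never by the name or look of the page, so a clone using the same display name still gets the first-visit warning. All site names and keys are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SiteCert:
    """Constructed stand-in for a relying party's certificate: the name the
    site shows the user plus the public key that actually identifies it."""
    display_name: str
    public_key: bytes

    def fingerprint(self) -> str:
        # The key, not the name, is what the selector keys its memory on.
        return hashlib.sha256(self.public_key).hexdigest()


@dataclass
class IdentitySelector:
    """Toy model of the IS's memory of where cards have been released.
    Sites are remembered by certificate fingerprint, so a look-alike page
    cannot inherit a relationship the user has with the real site."""
    known_sites: dict = field(default_factory=dict)

    def check_visit(self, cert: SiteCert) -> str:
        fp = cert.fingerprint()
        if fp in self.known_sites:
            return f"known site: {self.known_sites[fp]}"
        # A different key means a different relying party, however familiar
        # the displayed name is: this is the warning the post refers to.
        return f"FIRST VISIT: no card has ever been sent to '{cert.display_name}'"

    def release_card(self, cert: SiteCert, card: str) -> None:
        self.known_sites[cert.fingerprint()] = f"{cert.display_name} ({card})"


def demo() -> tuple:
    """Constructed scenario: the real bank, then a clone reusing its name."""
    selector = IdentitySelector()
    real_bank = SiteCert("Bank X Online", b"constructed-key-of-bank-x")
    # The clone can copy the name and the page, but not the bank's key pair.
    clone = SiteCert("Bank X Online", b"constructed-key-of-phisher")

    selector.release_card(real_bank, "Bank X card")
    revisit = selector.check_visit(real_bank)   # routine visit, no warning
    lured = selector.check_visit(clone)         # same name, first-visit warning
    return revisit, lured
```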

So much for taking advantage of the lack of an internet identity layer [:)]