Detection of Phishing by Episodic Image Memory

In February 2021 global media were in an uproar over this horrifying news — “Hacker tries to poison water supply of Florida city”

We know that many of the attackers get a back door opened to take over the systems. Probably around the top of the list of weapons for opening the backdoor is compromising the passwords of the staff of target organizations. ‘Phishing’ is known to be particularly effective in it.

The nasty threats of phishing attacks can be detected and thwarted by a simple tweak of the log-in process with a wise use of our episodic image memory; enable the user to register an image of their own (not shared on SNS) as a credential of the genuine log-in server

When the genuine service desk sends an email to a user, for instance, to ask them to feed their log-in password, the genuine log-in page should be able to show the user’s image — along with dozens of other images. If the user is shown a log-in page that does not show any image that the user can recognize right away, it would be suspected to be a fake log-in page — Beware!

The image to register as a credential of the genuine log-in page should desirably be of episodic memory. We announced this method 18 years ago.

Have you taken note that we wrote “show the user’s image ALONG WITH DOZENS OF OTHER IMAGES” in the above? This element plays a crucial role in our scheme.

A would-be phisher can easily copy the log-in screen and show it to a target user whose User ID is known. But the phisher does not know which image was registered by the user as the credential of the genuine log-in server as against the other images, whereas both the user and the genuine log-in server know which one was registered.

We ask the user to pick up the registered image and also several other meaningless images in a random sequence; The outcome will be that the genuine log-in server will know that the user has selected the registered image in the choice, while a fake log-in server will not know it,

If the user is given a password box when the choice does not include the registered image, the user would know right away that it is a fake and proper actions would be taken. The phishing process will have to stop there. Copying the genuine log-in page would thus take the phisher nowhere.

After this screening of fake log-in servers, the user will be asked to go through the authentication by a password, desirably by Expanded Password System (EPS) where it is available. EPS comes without the likes of a password box.

Key References

Digital Identity for Global Citizens

What We Know for Certain about Authentication Factors

Image-to-Code Conversion by Expanded Password System

Summary and Brief History — Expanded Password System

Proposition on How to Build Sustainable Digital Identity Platform

Additional References

Account Recovery with Expanded Password System

External Body Features Viewed as ‘What We Are’

History, Current Status and Future Scenarios of Expanded Password System

Negative Security Effect of Biometrics Deployed in Cyberspace

Removal of Passwords and Its Security Effect

Availability-First Approach

Update: Questions and Answers — Expanded Password System and Related Issues (30/June/2020)



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in UK.