Detection of Phishing by Episodic Image Memory
In February 2021 global media were in an uproar over this horrifying news — “Hacker tries to poison water supply of Florida city” https://www.bbc.com/news/world-us-canada-55989843
We know that many attackers take over systems by first getting a back door opened. Near the top of the list of weapons for opening that back door is compromising the passwords of the target organization’s staff, and phishing is known to be particularly effective at it.
The nasty threat of phishing attacks can be detected and thwarted by a simple tweak of the log-in process that makes wise use of our episodic image memory: enable the user to register an image of their own (one not shared on SNS) as a credential of the genuine log-in server.
When the genuine service desk sends an email to a user, for instance, to ask them to enter their log-in password, the genuine log-in page should be able to show the user’s image — along with dozens of other images. If the user is shown a log-in page that does not show any image they can recognize right away, it should be suspected of being a fake log-in page — Beware!
The image registered as a credential of the genuine log-in page should preferably be one that lives in the user’s episodic memory. We announced this method 18 years ago.
Have you taken note that we wrote “show the user’s image ALONG WITH DOZENS OF OTHER IMAGES” in the above? This element plays a crucial role in our scheme.
A would-be phisher can easily copy the log-in screen and show it to a target user whose User ID is known. But the phisher does not know which of the images was registered by the user as the credential of the genuine log-in server, whereas both the user and the genuine log-in server know which one was registered.
We ask the user to pick out the registered image together with several other meaningless images, in a random sequence. The outcome is that the genuine log-in server knows the user has included the registered image in the choice, while a fake log-in server cannot tell.
If the user is given a password box when the choice did not include the registered image, the user knows right away that it is a fake, and proper actions can be taken. The phishing process has to stop there. Copying the genuine log-in page thus takes the phisher nowhere.
After this screening of fake log-in servers, the user will be asked to go through the authentication by a password, desirably by Expanded Password System (EPS) where it is available. EPS comes without the likes of a password box.
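The screening procedure described above, as an added example that is not code from the original article or from the Expanded Password System project: a minimal simulation in which the genuine server shows the registered image among dozens of decoys, the user picks it out together with several meaningless images in random order, and the server checks that the registered image is among the picks. Images are reduced to opaque digests of constructed byte strings; `GRID_SIZE`, `DECOYS_PER_PICK` and all class and function names are assumptions made for this illustration.

```python
"""Simulation of the image-memory screening of a log-in page (added example).

Images are stood in for by SHA-256 digests of constructed sample bytes; a real
deployment would store and display actual image files.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GRID_SIZE = 36        # the registered image is shown "along with dozens of other images"
DECOYS_PER_PICK = 3   # the user also picks several meaningless images


def image_id(image_bytes: bytes) -> str:
    """Stable identifier for an image; the server keeps only this digest."""
    return hashlib.sha256(image_bytes).hexdigest()


@dataclass
class GenuineServer:
    """The genuine log-in server: knows which image each user registered."""
    decoy_pool: List[str] = field(default_factory=list)      # images the server may show as decoys
    registered: Dict[str, str] = field(default_factory=dict)  # user_id -> registered image id
    challenges: Dict[str, List[str]] = field(default_factory=dict)  # user_id -> grid last shown

    def enroll(self, user_id: str, image_bytes: bytes) -> None:
        self.registered[user_id] = image_id(image_bytes)

    def login_page(self, user_id: str) -> List[str]:
        """Grid of GRID_SIZE images that always contains the user's registered image."""
        rng = secrets.SystemRandom()
        grid = rng.sample(self.decoy_pool, GRID_SIZE - 1) + [self.registered[user_id]]
        rng.shuffle(grid)
        self.challenges[user_id] = grid
        return grid

    def verify_selection(self, user_id: str, selection: List[str]) -> bool:
        """Accept only a fresh, well-formed selection that includes the registered image."""
        grid = self.challenges.pop(user_id, None)  # each challenge is usable once
        if grid is None or len(selection) != DECOYS_PER_PICK + 1:
            return False
        if len(set(selection)) != len(selection) or any(s not in grid for s in selection):
            return False
        return self.registered[user_id] in selection


class FakeServer:
    """A copied log-in page: same layout, but it holds no copy of the user's private image."""

    def __init__(self, available_images: List[str]) -> None:
        self.available_images = list(available_images)

    def login_page(self, user_id: str) -> List[str]:
        return secrets.SystemRandom().sample(self.available_images, GRID_SIZE)


def user_respond(own_image: str, grid: List[str]) -> Optional[List[str]]:
    """The user's side: pick the recognized image plus decoys, or refuse if nothing is recognized."""
    if own_image not in grid:
        return None  # no recognizable image -> suspected fake page; stop before any password is typed
    rng = secrets.SystemRandom()
    picks = [own_image] + rng.sample([g for g in grid if g != own_image], DECOYS_PER_PICK)
    rng.shuffle(picks)  # random sequence hides which pick is the registered one
    return picks


def run_scenario() -> (bool, bool):
    """Return (genuine_login_accepted, fake_page_detected) for one constructed user."""
    private_image = b"constructed sample: family photo never posted online"
    decoys = [image_id(f"constructed stock image {i}".encode()) for i in range(60)]

    server = GenuineServer(decoy_pool=decoys)
    server.enroll("alice", private_image)
    own = image_id(private_image)

    # Genuine flow: the grid contains the registered image, the server accepts the picks.
    picks = user_respond(own, server.login_page("alice"))
    genuine_ok = picks is not None and server.verify_selection("alice", picks)

    # Fake flow: the copied page can only show images the phisher could obtain.
    fake_page = FakeServer(decoys).login_page("alice")
    fake_detected = user_respond(own, fake_page) is None
    return genuine_ok, fake_detected


if __name__ == "__main__":
    print(run_scenario())  # expected: (True, True)
```

The server-side check deliberately consumes the challenge, so a selection can only be verified against the grid that was actually shown; the user-side check is the whole point of the scheme, since refusing to proceed when no image is recognized is what stops the copied page before a password box is ever reached.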
Key References
Digital Identity for Global Citizens
What We Know for Certain about Authentication Factors
Image-to-Code Conversion by Expanded Password System
Summary and Brief History — Expanded Password System
Proposition on How to Build Sustainable Digital Identity Platform
Additional References
Account Recovery with Expanded Password System
External Body Features Viewed as ‘What We Are’
History, Current Status and Future Scenarios of Expanded Password System
Negative Security Effect of Biometrics Deployed in Cyberspace
Removal of Passwords and Its Security Effect
Update: Questions and Answers — Expanded Password System and Related Issues (30/June/2020)