GREEN ARMOR SOLUTIONS
Ovum Report on Green Armor
Identity Cues - the New Weapon Against Phishing
By Graham Titterington, Principal Analyst, Ovum
Green Armor is a new company that has been formed to promote a new approach to countering phishing. Its approach is beautiful for its simplicity, and is based on human psychology. Graham Titterington expects it to become a common feature of secure websites, almost as common as, and much more prominent than, the SSL padlock symbol.
The Psychological Defence Against Phishing
Green Armor started from the premise that there was a need to simplify the user experience. Its approach requires no conscious effort on the part of the user, nor does it place any extra requirements on the client PC or its configuration. Today people are trying to counter phishing by after-the-event anti-fraud analysis, or by strengthening user authentication. The former doesn't prevent the crime, although it may help to catch the perpetrator. The latter places a heavy burden on the end user, who in many cases is already suffering from a loss of confidence in the Internet service. Experience shows that it is hard to change the behaviour of website users, and particularly of customers.
The Need for Anti-Phishing Technology
The need for anti-phishing technology has increased significantly in the last few months. In addition to phishing for personal identity information and pharming from identity stores of service providers, we are now seeing 'corporate phishing'. In these attacks the hackers send e-mails to employees of a corporation (guessing e-mail addresses if they don't know the real ones), requesting them to confirm their password at the attached URL. The hacker then gains access to the corporate IT system and steals some information that can be used to blackmail the corporation.
Green Armor sells a software product that will be bought by enterprises that want to protect their website from being abused by phishers, such as banks or large corporations. Green Armor provides a simple visual cue on the web log-in page that is unique to each user of the site. This is located close to the user id and password fields. The cue is generated using a mathematical formula based on the user id. It comprises a coloured rectangular box and a short word within it in coloured letters. This simple form of icon has been chosen after psychological experiments in US universities; the experiments showed that users can memorise it without any conscious effort, at least in a passive sense so that they will notice that something is wrong if it is different or missing.
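As an added illustration (not Green Armor's code or its patented formula, which this report does not disclose), one way to derive such a cue deterministically from the user ID is to key the derivation with a secret held only by the genuine site, so that a site without the key cannot compute the same cue from the user ID alone. The HMAC-SHA256 construction, the palettes, the word list and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed palettes and word list (assumptions, not the product's values).
# Sizes 8, 4 and 16 divide 256, so reducing one digest byte adds no modulo bias.
BOX_COLOURS = ["green", "navy", "maroon", "purple", "teal", "orange", "grey", "black"]
TEXT_COLOURS = ["white", "yellow", "cyan", "pink"]
WORDS = ["river", "candle", "falcon", "marble", "garden", "silver", "window", "anchor",
         "forest", "pepper", "rocket", "violin", "harbor", "copper", "meadow", "tunnel"]


def normalise(user_id: str) -> bytes:
    # "Alice" and " alice " must yield the same cue, or the user sees it change.
    return user_id.strip().lower().encode("utf-8")


def identity_cue(site_secret: bytes, user_id: str) -> dict:
    """Derive box colour, text colour and word from the user ID under a site key."""
    digest = hmac.new(site_secret, normalise(user_id), hashlib.sha256).digest()
    return {
        "box": BOX_COLOURS[digest[0] % len(BOX_COLOURS)],
        "text": TEXT_COLOURS[digest[1] % len(TEXT_COLOURS)],
        "word": WORDS[digest[2] % len(WORDS)],
    }


def match_rate(secret_a: bytes, secret_b: bytes, user_ids: list) -> float:
    """Fraction of user IDs for which two keys produce the identical cue."""
    same = sum(identity_cue(secret_a, u) == identity_cue(secret_b, u) for u in user_ids)
    return same / len(user_ids)


if __name__ == "__main__":
    genuine = b"constructed-demo-key-held-by-the-genuine-site"
    other = b"constructed-key-of-a-site-without-the-secret"
    users = [f"user{n}@example.com" for n in range(1000)]  # constructed sample IDs
    print(identity_cue(genuine, "Alice@example.com"))
    print("same key:", match_rate(genuine, genuine, users))
    print("different key:", match_rate(genuine, other, users))
```

The constructed palettes give only 512 distinct cues, so different users will sometimes share one; the cue works as a recognition aid for the user, not as a credential.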
There are some configurable parameters. The box can be set to appear at any stage in the course of typing in the user ID and password, as can the word within it. This timing can be selected to minimise the risk of the user giving away information if they are connected to a phishing site. Another variation of the product adds a third, preliminary field to the log-in form called an "Armor code". However, this is tantamount to adding a second password and so is unlikely to be widely adopted.
This product will not protect a user who has a keystroke logger Trojan on their machine - but if the hacker has implanted a keystroke logger they don't need to go to the trouble of setting up a phishing website.
Green Armor was founded in April 2004 and launched its first product in June 2005. It spent the first year establishing its patent and testing the concept. It has a patent for the principle of mathematically generating unique visual cues, which is broader than the current product. It is based in New Jersey. It has five staff and is in the process of raising funding to establish commercial operations. It plans to sell directly to enterprises (such as Internet banks and large corporations) and to ISVs of products that would benefit from incorporating this technology into their log-in screens.
Graham Titterington is a Principal Analyst at Ovum, specialising in business continuity, IT security, and information storage. He can be contacted directly at gct at ovum / com.
This story originally appeared online at: