It is known for users to log into accounts on networks, Internet sites, software and web applications, cellular phones and the like by entering identification details through a keypad or keyboard. For example, financial institutions provide Internet banking services in which users are required to enter a username and password via a keyboard to access their account information, transfer funds, pay bills, and the like. Even automated teller machines (ATMs) require user identification and a password in the form of a PIN.
Entering usernames and passwords using a keyboard over networks, and particularly public networks such as the Internet, involves some risk to users. Third parties have invented various schemes to gain unauthorised access to usernames and passwords, for example through keyboard logging, skimming devices, password guessers and phishing.
Keyboard logging is the practice of recording the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. This is typically performed by installing software programs on a user's computer, unbeknown to the user.
Skimming devices are connected to computer hardware, for example an automated teller machine, and collect information from a user as it is input into the keypad. For example, a skimming device connected to an automated teller machine may collect account details, usernames, passwords and PINs of an institution's customers, again unbeknown to the customer.
Password guessing programs enable automated attempts at guessing a user's password, for example by running through the entirety of words in a dictionary at a very rapid speed.
Phishing is the process of attempting to acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Typically, users are sent an email which appears to be a legitimate email from a trusted institution and which asks the user to click through a link and enter their username and password. However, the link does not take the user to the legitimate institution's website but rather to a false website operated by a third party, thereby allowing the third party to obtain the username and password of the user.
Due to the inherent security risks, many customers refuse to engage in Internet or phone based transactions. This is an inconvenience not only to the customer but also to the institution, which cannot implement its entire business solely online if it wishes to do so.
Existing attempts to solve the above security problems focus on preventing the installation of such devices and software. However, they do not assist once such devices and software have been successfully installed, nor do they assist in preventing all of the above security threats.
Password guessing programs can be defeated by account lock out mechanisms, but these are often not used on networks because of capacity and user database management constraints. Where they are used, they are typically set to low tolerances to avoid the customer being inadvertently inconvenienced.
Digital certificates are used to prevent unauthorised use of usernames and passwords, but even in high end applications this does not prevent access if the device security is breached or the digital certificate is stolen. Digital certificates also require a significant degree of skill by the end user to implement, often to such an extent that the assistance of a technician is required for most users. This renders the use of digital certificates for Internet and WAN based applications cost prohibitive, as significant help desk resources are required by the institution, and the end user incurs higher costs in obtaining onsite technical assistance. Digital certificate management is further complicated by the growing number of operating systems with which the digital certificate must be made to work. This will become even more apparent with the wider use of cellular network enabled devices to access the Internet, each with their own proprietary operating systems.
One currently available system which was designed to prevent phishing attacks is known as "SiteKey". SiteKey is a web-based security authentication system which asks a series of identity questions to increase security. A user identifies him/herself to a website by entering his/her username (but not password). If the username is valid, an image and accompanying phrase which the user has previously configured is displayed. If the user does not recognise the image and phrase as his/her own, the user assumes the site is a phishing site and abandons the login. If the user does recognise the image and phrase, the user may consider the site authentic and proceed with the login process.
However, weaknesses have been found in the SiteKey system. Most importantly, it offers no immunity against some of the most common phishing scenarios: it compromises user privacy by requiring users to disclose personal information in response to the questions, it is susceptible to man-in-the-middle attack, and it allows bulk harvesting of usernames. It has also been found that users are prone to provide their login credentials even when the SiteKey image and phrase do not appear. Accordingly, it has not been entirely successful and has in some cases led to increased incidents of identity theft, because personal information is exposed and the phisher can still elicit information from targets relatively easily.
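The following simulation, added here as an illustration and not part of the original text or of any SiteKey implementation, models the two-step flow described above with a constructed in-memory user table. It shows why returning a user's image and phrase only for valid usernames lets the first step double as an account-existence check (the bulk username harvesting noted above), and contrasts it with a variant that answers unknown usernames with a stable decoy image and phrase derived from an HMAC of the username. All account names, secrets, image file names and the server secret are hypothetical.

```python
import hashlib
import hmac

# Constructed sample accounts (hypothetical names, passwords, images and phrases).
USERS = {
    "alice": {"password": "correct horse battery", "image": "sailboat.png", "phrase": "blue harbour"},
    "bob":   {"password": "fluffy-kittens-42",     "image": "cactus.png",   "phrase": "desert sun"},
}

# Constructed pool of decoy images and phrases used by the hardened variant.
DECOY_IMAGES = ["lighthouse.png", "oak-tree.png", "windmill.png", "bridge.png"]
DECOY_PHRASES = ["quiet meadow", "silver lake", "winter road", "morning mist"]

# Hypothetical server-side secret for deriving decoys (would live in a key store in practice).
SERVER_SECRET = b"example-server-secret"


def sitekey_step1_naive(username):
    """Step 1 as described in the text: a valid username returns that user's
    image and phrase, an unknown username returns an error. Because the two
    responses differ, the step reveals which usernames exist."""
    user = USERS.get(username)
    if user is None:
        return {"status": "unknown_user"}
    return {"status": "ok", "image": user["image"], "phrase": user["phrase"]}


def sitekey_step1_hardened(username):
    """Same step, but an unknown username receives a decoy image and phrase
    chosen deterministically from an HMAC of the username, so the response
    has the same shape whether or not the account exists and repeated
    lookups of the same name stay consistent."""
    user = USERS.get(username)
    if user is not None:
        return {"status": "ok", "image": user["image"], "phrase": user["phrase"]}
    digest = hmac.new(SERVER_SECRET, username.encode("utf-8"), hashlib.sha256).digest()
    return {
        "status": "ok",
        "image": DECOY_IMAGES[digest[0] % len(DECOY_IMAGES)],
        "phrase": DECOY_PHRASES[digest[1] % len(DECOY_PHRASES)],
    }


def sitekey_step2(username, password):
    """Step 2: after recognising the image and phrase, the user submits the
    password. Constant-time comparison avoids leaking via timing."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(user["password"], password)


def leaks_username_existence(step1):
    """Defensive self-check for a deployment: compare the step-1 response for
    a known and an unknown name and report whether they are distinguishable."""
    known = step1("alice")
    unknown = step1("no-such-user")
    return set(known) != set(unknown) or known["status"] != unknown["status"]


if __name__ == "__main__":
    print("naive step 1 distinguishes accounts:", leaks_username_existence(sitekey_step1_naive))
    print("hardened step 1 distinguishes accounts:", leaks_username_existence(sitekey_step1_hardened))
    print("decoy is stable across lookups:",
          sitekey_step1_hardened("mallory") == sitekey_step1_hardened("mallory"))
    print("alice login:", sitekey_step2("alice", "correct horse battery"))
```

The hardened variant closes only the enumeration weakness. Because the image and phrase are shown to whoever supplies the username before any authentication takes place, a site that relays the username to the genuine server can still display the genuine image, which is the man-in-the-middle weakness the text refers to; that is a property of the protocol rather than of this lookup.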
There is accordingly a need to improve security for a user entering login credentials to access a user account, so as to inhibit at least some of the above described security threats.