1. Field of the Invention
The present invention generally relates to on-line security and more particularly to indicating to a user that an application is secure.
2. Related Art
An important aspect of any open model such as the Internet is, by definition, that applications can be written by anybody and not just the original source. The mere fact that a viable business (e.g., PayPal, eBay, etc.) has legitimate services to offer on its website does not stop malicious entities from posing as the genuine website and harvesting users' credentials. This artifact of an open model poses an important security challenge of how to identify and stop a rogue application. An important class of rogue software is phishing applications. Phishing may be defined as the process of attempting to acquire sensitive information such as user credentials (i.e. username, password, credit card details, etc.) by masquerading as a trustworthy entity. Phishing is a nontrivial problem, solutions to which would require multiple entities in various layers of the ecosystem to cooperate and participate. The phishing problem is also prevalent in applications present on devices such as mobile phones and PCs.
With this ever-growing problem, a user or consumer may be wary of entering sensitive information, such as the person's social security number, password, credit card number, etc., without some assurance that the site or application requesting the information is secure. One current method is SiteKey, a web-based security system that provides one type of mutual authentication between end users and websites. With SiteKey, the user is identified to the site by entering a username. If the username is a valid one, the site proceeds with authenticating the site to the user by displaying an image and accompanying phrase that were earlier chosen by the user. If the user does not recognize the image and/or phrase, the user can assume the site is a phishing site. However, if the image and phrase are what the user expects, the user may consider the site authentic and proceed. The user is then authenticated to the site by entering a password. If the password is valid, the user is considered authenticated and is logged in by the site.
However, there are weaknesses with SiteKey. One such weakness is that after identification and authentication, the image and phrase are no longer visible during the session with the site. In other words, there is only a static image at one point in the process (e.g., during initial authentication). Thus, the user may not be aware or feel confident that the site is still secure, such as if an attack occurs during the session.
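The two-step exchange and the weakness described above can be modeled as follows. This is an added illustration, not code from SiteKey or from this disclosure; the class and function names, the sample user, and the PBKDF2 password storage are assumptions made for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Enrollment:            # hypothetical per-user record
    image_id: str            # image the user chose earlier
    phrase: str              # phrase the user chose earlier
    salt: bytes
    pw_hash: bytes

def _hash(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme for the example; the page does not specify one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Site:
    """Server side of the login flow described in the text (model only)."""
    def __init__(self):
        self.users = {}

    def enroll(self, username, password, image_id, phrase):
        salt = os.urandom(16)
        self.users[username] = Enrollment(image_id, phrase, salt,
                                          _hash(password, salt))

    def identify(self, username):
        # Step 1: the user is identified by username; a valid username
        # makes the site display the stored image and phrase.
        e = self.users.get(username)
        return (e.image_id, e.phrase) if e else None

    def authenticate(self, username, password):
        # Step 3: the user authenticates to the site with the password.
        e = self.users.get(username)
        return bool(e) and hmac.compare_digest(e.pw_hash,
                                               _hash(password, e.salt))

def login(site, username, password, expected):
    """User side: the password is released only after the image and
    phrase shown by the site match what the user expects."""
    # Step 2: the site is authenticated to the user.
    if site.identify(username) != expected:
        return "abort: image/phrase not recognized"
    # The weakness noted above: this check happens once. Nothing after
    # this point shows the image or phrase again during the session.
    if site.authenticate(username, password):
        return "logged in"
    return "bad password"
```

A site that never enrolled the user cannot produce the expected image and phrase, so `login` stops before the password is sent.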
Therefore, a need exists to indicate to the user that an application or site is secure during any portion of a communication with a site in which sensitive or confidential information is being entered by the user.