1. Field of the Invention
The present invention relates to an apparatus for and a method of managing registered data depending on user IDs particular to respective users, and more particularly to an apparatus for and a method of managing data for preventing phishing.
2. Description of the Related Art
In recent years, plagiarizing authentication identifiers (IDs) and codes (passwords) by using deceptive Web sites has become prominent as criminal activity on the Internet. The fraudulent acquisition of IDs and passwords is equivalent to stealing a communication procedure, or, stated otherwise, is equivalent to stealing a “key” for decrypting information that has been encrypted according to any of various processes and stored in a memory device. No matter how strong an encryption algorithm or a key may be, the protected information can easily be decoded once the key is stolen.
For all of the encryption processes that have been invented to date, it is important to pay careful attention to the management and handling of the “key” as well as to increasing their resistance to decoding attempts. Key exchange mechanisms that are incorporated in communication protocols are somewhat vulnerable to attacks at the stage of issuing a key or at the stage of an initial communication handshake.
Effective countermeasures against phishing attempts from fake websites have not yet been invented, because phishing is a relatively new form of criminal activity and the high versatility and flexibility of the Web system cuts both ways. Techniques are available to copy image data and HTML data with ease, and even to alter the address bar, which is the only identification point available to the user.
Irrespective of any complex security protection provided by the website administrators themselves or by the communication means used on networks, insofar as users are authenticated using IDs and passwords, it is impossible to prevent websites from being faked, and personal information can easily be stolen through such deceptive websites.
Specifically, fake websites can be generated quite easily by fake website construction tools that are available in hacker networks. Phishing crimes are usually committed by using e-mails to lure users to deceptive websites. According to a typical phishing process, the phisher sends to a user an e-mail containing a message that is designed to trick the user into:
(1) updating user information by saying that the existing user information is going to be outdated; or
(2) visiting a deceptive website by pretending that there has been a business transaction involving the user; the phisher then attempts to steal the user's ID and password through the updated user information or the deceptive website.
A certificate to be preinstalled in a client computer and software including a protocol for biometrics authentication are disclosed in JP-A No. 2002-258974. There is no doubt that the disclosed technology is effective in preventing phishing crime.
JP-A No. 2003-132290 discloses an authentication system using image information.
JP-A No. 2005-71202 discloses an authentication system using an array of image information representing checking symbols. The disclosed authentication system is effective in preventing spoofing and website faking through personal authentication of websites.
JP-A No. 2004-213117 discloses a process of reentering, into a password field, a random number that is temporarily generated depending on a predetermined graphic pattern.
JP-A No. H10-289210 discloses an input means for allowing a user who is unaccustomed to computer operation to easily enter authentication information using image information.
Installing a certificate in a computer imposes a certain limitation on the convenience of the user, because the user is restricted to that computer as a terminal. A system which needs biometrics authentication requires that biometrics authentication apparatuses themselves be in widespread use. Incorporating biometrics authentication into systems that are under threat of phishing crimes, such as retail banking services, depends on biometrics authentication apparatuses being in common use in the social infrastructure.
Even if a fake website pretending to be a certain original website does not accurately recreate the behavior of the original website, a user may still enter an ID and a password into the fake website, whether because the user trusts the deceptive website or through mere negligence.
In order to prevent fraudulent transactions through phishing, it is important to provide servers with technical measures for preventing malicious individuals from easily making fake websites and also for preventing IDs and passwords from being stolen.
The authentication technology based primarily on IDs and passwords suffers from the following problems:
The first problem is that the characters entered from keyboards to produce passwords belong to a code system that is commonly used worldwide, referred to as character codes, such as ASCII, UNICODE, or the like. The number of characters is limited, and every possible choice among them is already commonly known to all users, including criminal phishers.
The second problem is that site certificates, and the authentication components installed in clients for confirming those site certificates, fail to address the vulnerability created by the ease with which fake websites can be constructed.