Anti-Phishing Browsers

Nerd alert: This is an idea that I wanted to put in a public place, for reference!

One of the most common schemes on the big bad internet is called a phish. I'm sure you've received them -- it's an email that says something along the lines of "famous organization X would like you to confirm your account information, please click on this link and enter your credit card, etc". They're a pretty huge problem, and a lot of web users have been caught unaware, which is absolutely not their fault. It can be very difficult for even an experienced web user to verify that a given web page really comes from the entity described in the contents. Various web browser bugs have contributed to this, over time.

As a general rule, you should never click on a link in an email and enter any important information in the resulting forms. We all break this from time to time; as the schemes become more and more sophisticated, even an experienced user might get fooled.

So here's my idea. Credit card numbers, social security numbers, and often bank account numbers are unusual. They follow well-known patterns. If you enter a credit card number that is off-by-one, it will often be rejected by a site because it fails validation.

To increase security, we modify the browser to do the following: if the contents of any input field look like a credit card number (or social security number, or expiry date), we do not submit that information to the web site unless certain conditions are met. Conditions can include: a secure connection for both the frame containing the edit fields and the target of the form submit; presence of the target IP address in a well-known database of acceptable sites, certified by credit card companies; presence of the site in a list of sites personalized for that user.

Credit card numbers can be broken up into multiple fields within the HTML. We check for this by combining all fields to see what's present. Further, we check all fields on the page, whether they have been submitted or not -- this prevents use of scripting languages to extract and encode information entered in one field and supply it to another.
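The check described above, written out in JavaScript as an added example (not code from the original post). The page descriptor, the two host sets and the 13-19 digit length range are assumptions, and the lists are keyed by hostname here rather than by IP address.

```javascript
// Luhn checksum: the validation that rejects most mistyped card numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Join every field on the page (submitted or not), keep only the digits, and
// look for a 13-19 digit run that passes Luhn. Joining catches split numbers.
// This errs toward false positives; a match only triggers the extra checks.
function findCardNumber(fieldValues) {
  const digits = fieldValues.join("").replace(/\D/g, "");
  for (let len = 19; len >= 13; len--) {
    for (let start = 0; start + len <= digits.length; start++) {
      const candidate = digits.slice(start, start + len);
      if (luhnValid(candidate)) return candidate;
    }
  }
  return null;
}

// page = { frameUrl, actionUrl, fieldValues } is a hypothetical descriptor.
function checkSubmit(page, certifiedHosts, userHosts) {
  if (findCardNumber(page.fieldValues) === null)
    return { allow: true, reason: "no card-like data" };
  const frame = new URL(page.frameUrl);
  const target = new URL(page.actionUrl, page.frameUrl); // resolve relative action
  if (frame.protocol !== "https:" || target.protocol !== "https:")
    return { allow: false, reason: "insecure frame or submit target" };
  if (certifiedHosts.has(target.hostname))
    return { allow: true, reason: "certified payee" };
  if (userHosts.has(target.hostname))
    return { allow: true, reason: "user-approved payee" };
  return { allow: false, reason: "unknown payee, warn the user" };
}

// Constructed sample data (test card number, example domains).
const CERTIFIED = new Set(["pay.example.com"]);
const USER_LIST = new Set(["shop.example.org"]);
const SAMPLE = {
  frameUrl: "https://news.example.net/offer",
  actionUrl: "https://collect.example.net/submit",
  fieldValues: ["4111", "1111", "1111", "1111", "search text"],
};
console.log(checkSubmit(SAMPLE, CERTIFIED, USER_LIST));
```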

This guides a user towards well-known payee sites, but still allows them to enter their own. When they do enter their own payee, we can thoroughly warn them that what they are doing is dangerous. We can also submit the IP address of the payee web site to credit card companies, so they know which sites are accepting credit card numbers.

I think this scheme is, if not bulletproof, pretty good protection against most phishing scams. It takes a measure of judgement out of the hands of the user and makes an evil site operator jump through quite a few hoops. If nothing else, it would likely result in a dramatic drop in the number of successful phishes.

Posted by Ross Ross

§ One Comment

1

It's got to be just a matter of time before anti-phishing features are included as standard in browser applications. There're already browser plugins that identify phony webpages/URLs.

Of course, it often takes the average user a long time to decide that they need to download a newer version of IE, Netscape or Mozilla, so even if these features are included in newer browsers, the phishers still have a head start.

My email box has been overrun with phish lately.
