Since we wrote our paper on private browsing mode security violation two years ago, I have been curious to know how many people are using their browser private mode and for what. The release of the Google Consumer Surveys product which allows to run a for an affordable price a survey on a statistically significant population gave me a chance to answer those questions.

Disclaimer: I ran this survey on my own time and money and this blog post solely represents my personal opinion.

The survey consisted of two questions: the first one to know if people were using their browser private browsing mode and the second one to know what they are doing with it.

Do you use private browsing ?

The overall results of the first questions, visible in the chart above, give us two insights:

- A significant number of people (19.1%) use the private browsing mode. Which means that it is a useful feature and that any work on improving it has a huge impact.

- 44.9% of the users don’t know what it is. This mean there are a lot of users that still don’t know they have the option of using their browser in this mode. A significant educational effort seems required to reach out to those users.

As visible on the diagram above, the breakdown by gender reveals that men are using the private mode significantly more (statistically speaking) than women. Slicing the data by income does not provide any significant insights.

What do you use private browsing for ?

The answers to the question “What do you use private browsing for ?” are dominated by the other answers as visible on the diagram above. When excluded, it appears that people are mainly using private browsing for searching information. Which makes me wonder if people don’t have the wrong expectation about private browsing that is prevents website from tracking them (People expectation regarding private browsing mode will be the subject of an upcoming survey.)

I also wonder how much of other is related to watching video on an office computer during lunch break. If you are using private browsing mode for a specific activity let me know in the comments.

Breaking the results down by gender reveals that women mainly use private mode for searching information and shopping. For men it is more contrasted (with no statistically significant insight) with a lot of men answering other.

The last bit of information that I was surprising to me, is how many women report browsing adult websites in private mode. I hadn’t expected such a high percentage (9%).

Drop me a comment below to let me know what you think of the this survey and if you would like more of those (and on which topic ?)

Bursztein.net is born

In 1999, when I started working for Club-Internet, one of the major french ISP, I decided to stop doing my site on X-files and  create a personal homepage (that was the hip term at that time). I chose bursztein.net and went for the simplest possible site (as visible on the left side). You might notice that at that time, I cared so much about my IRC handle  Lupin that it was in the title of my site that I also used  in a Phrack article ^^. Lupin comes from Arsène Lupin a famous gentlemen thief in Maurice Leblanc books. From the start my webpage was in French and English mainly because I was spending too much time on English speaking IRC servers.

PHP and ugliest design ever

In 2000, I started to host my site on my personal server (something I am still doing today). Hosting my site allowed me to use PHP (3 at the time) to write my site. I mainly used include which allowed me to separate the menu / design from the content. I also used it to display a random quote on the page. At that time I was very fond of  3d so I decided to do a pseudo “3d” banner. As visible on the screenshot the result was very ugly… I used this design for only a couple of months.

Javascript and an excess of tables

In 2003, I changed again my website. At that time I was  playing a lot  with javascript and found I can do  cool effects with it. So I decided to redo the website and have a top banner where each rectangle will flip randomly using a simple switching effect. A live demo of the site is available here. I also randomize the image for a greater effect.  It is also at that point that I realized the limit of using <table> to design a website: I  used  36 nested tables for this layout…

The Phd  years

Shortly after stating my Phd, I decided to drastically change  the technology behing my website. Instead of using a hand-coded site, I decided to use WordPress as a CMS. I was already using wordpress for my blog  (which was at the time inftoint.com: from information to intelligence). I settled for very Apple-ish design as visible on the screenshot.  I experimented  with various designs but the Applish one remains my favorite

The Stanford years

Few months after I started working at Stanford I decided to move from bursztein.net to elie.im (I would have love elie.net but I was not able to get it and el.ie is not allowed). I felt it would be easier for people to type it I also merged my blog with my site. My goal was to have the fastest and easiest  site possible. To achieve these goals, I decided to switch back to a hand-coded site as I wanted to have more flexibility and a lighter framework that WordPress offered. However I did kept I kept using Wordpress for the blog. The version of this site was released,  in 2009. This is the system that was up until today. Over the last two year, the layout and underlying system have evolved a lot: for instance I  tried to  simplify the UI, I added a search engine and started to use a CDN (Amazon) for static files. Overall I feel that getting back to a custom site was a win as I learned a lot about speed and SEO optimization. Having a CDN helped a lot to absorbe the burst of download when the press featured our articles (I had about 2MBits of bandwidth at the time).

The Google years

At the end of 2011 between job, I decided to redesign and rework my site so it will became what you see today (let me know what you think of it in the comments).  Over the last three years, I have thought a lot of what was the purpose of this site is.  This reflexion lead me to the following drastic shift of perspective (a big thanks to Arvind here for sharing his insights)

Until 2010, I measured success by looking at the number of visitors which now I consider to be  the wrong metric for measuring success for me. I came to the realization that this site is about sharing my research with you and should be optimized for this. Accordingly in 2010, my metrics became the number of people who actually download a publication or share it with their friends.  I now almost exclusively look at this in Analytic as visible on the screenshot of my dashboard. I also monitor closely the bounce rate on the publication list page and the homepage because if people leave there they didn’t find what they were looking for

These metrics drove the simplification of the previous version and the introduction of the custom search engine. They are also the driving force of this new version.  As a result, this new version is designed to help people finding as quickly as possible what they are looking for, and incite them to read and share more .

Here are some of the choice made to help reaching these goals:  The search engine and social icon are more prominents and both on the top and bottom of the page.  There is now a breadcrumb to help deep-link page to be clearer. Similarly,  I added a small bio on the right column so people understand what this site is about regardless of the landing page. I also made sure that the important informations are above the fold for immediate access. To incite visitor to read more, I have implemented a recommendation system.

Regarding the design, I tried to make it more polish and tablet friendly. A major change is that, I finally took the time to write a wordpress theme that ensure that the blog design is consistent with the rest of the site. Hopefully this will make user experience with the site better. On the technical site, it is worth to note that the site use an adaptative design (try to reduce the size of the window to see what I mean).

To improve performance, I rewrote my javascript loader so everything except the CSS and a tiny bit of javascript is loaded asynchronously after the first rendering. Test shows that the page weight less than 300 k0 (with compression) and is rendered in less than 500ms on a decent cable connection.  The site uses extensively sprites to minimize HTTP requests.

Overall I hope you will enjoy this new version and will keep reading me Let me know if you like the new design, what you would change and if you found any bugs.

Responsible disclosure

Before getting started, it is important to mention that this post is a responsible disclosure:
I have been in contact with the CEO of NuCaptcha for a couple of months now and have shared with him the result of our research way ahead of time, so they had plenty of time to get ready for this post (you can read their answer here)

I also want to emphasize that the goal of this post is not to demo another cool attack (even though the algorithm is pretty nifty).  Rather, I want to start an open discussion on the viability of our tracking resistance principle and to allow everyone to contribute to making video captchas a viable alternative to more traditional captcha schemes.

Feedback Welcome

While discussing ongoing research (that is, before a research paper is accepted or submitted) is unorthodox in the security community, the numerous interactions I’ve had with various companies over the last 3 years made me realize many people rely on research results to design captchas. In this context, it is our duty to provide them the best and most secure design guidelines possible. I strongly believe in the example set by the cryptography community, that the best security is achieved through an open process and not with secrecy or isolation.

Accordingly, this post summarizes our understanding of video captcha security and the reasoning that leads us to believe that tracking resistance is the best principle to make video captcha secure.

The most difficult part of this research turned out not to be breaking NuCaptcha, which I’ve known how to do since December 2010, but rather to come up with the right abstraction to explain why video captchas might offer better security that image captchas and to synthesize where the extra security comes from.

With this in mind let’s get started on how to break NuCaptchas before discussing how to make them secure.

The NuCaptcha Scheme

There are currently two different versions of  NuCaptcha: a ‘simple’ version and the ‘standard’ version. The simple version looks like this:

The standard version looks like this:

As visible in the screenshot, the standard version differs from the simple version by a text animation from right to left.  The user is then asked to enter the last word in the input box in the standard version. This scheme has multiple levels of security:  In its easiest version the letters of the last word are in red, in the hard version the letters are in black and more heavily distorted.  According to the site documentation, NuCaptcha uses a reputation algorithm to decide which version you get.  Under the hood the NuCaptchas are short video files that contains about 500 frames.

Which version to evaluate?

Since our technique successfully breaks the simple and the standard version of NuCaptcha, I am going to stick with the standard version because I believe that motion is the key feature to create a secure video captcha.  To keep things fair, we are also going to focus on breaking the hard version and not rely on any of the advantages provided by having the letter in red or having them less distorted.

Background customization

NuCaptcha allows users to choose between various background to customize their captchas. However, as we showed at CCS last year (available here) in our paper on breaking and securing text captchas, removing the background is fairly easy with the right algorithm so we are going to stick with the default one.  Regardless of the background chosen, but our attack still applies.

Attack algorithm overview

Overall, breaking a NuCaptcha captcha is done by accomplishing the 5 phases depicted in the diagram below. The attack algorithm assumes NuCaptchas that have been converted into frames.  This step can be trivially executed using off-the-shelf software, so we will not discuss it here.

The pre-processing phase involves removing the background and binarizing the captcha in black and white so it is easier to process.

The frame analysis phase is then used to find the object in each frame can potentially be the captcha.

The cross-frame analysis phase combines the frame analysis results to isolate the set of frames where the actual captcha is present.

The segmentation phase aims at separating the captcha letters. As we will see there are a couple of ways to do this–having multiples distortions of the same captcha actually gives us an opportunity to be more efficient at segmentation than with a standard captcha.

Finally, the recognition phase is used to recognize each letter individually using a machine learning algorithm.

How does it compare to standard text-based captchas

Compared to breaking image-based captchas, attacking video captchas is both harder and easier.
It is harder because motion tracking is necessary to isolate the frames that contains the actual captcha. It is easier because being able to analyze multiple copies of the same captcha can boost the accuracy of the segmentation phase.

Since the pre-processing part and the recognition part are very well understood and use well-known techniques, I am going to skip them to keep this blog post shorter. If you are interested in the subject or need a refresher, please read my paper on attacking image-based captchas (available here).

Finding the captcha

Before we can attempt to segment the captcha, we first need to find the frames in which it appears. We assume that each NuCaptcha has a different starting point in the animation, as we want our attack to be robust and not to rely on easily fixable features.  Our first task is thus to isolate the frames that contain the captcha itself, and within these frames isolate the captcha from other words that appear.

To achieve this we track and analyze the words moving in the captcha using image and motion tracking. Our captcha isolation technique works backward and  is done in two steps: First we isolate the most interesting object in each frame (see next section), then we track theses objects across multiple frames and keep the set of 50 frames that contain the overall most interesting object.

Frame analysis: finding the most interesting object

We relying two type of image analysis to isolate the most interesting object in each frame: a bounding box shape analysis, and an interest points (SIFT algorithm) density evaluation.

An example of a frame where the object bounding boxes (the yellow squares), and object interests points (purple crosses) are computed is visible on the screenshot below:

Based on these features, we found two ways to select the most interesting object:

First, we look at the bounding box shape ratio width/height. Because the captcha is 4 letters long, we use a heuristic that the bounding box must have a width/height ratio of greater than 1.  We then discard every bounding box that is above or below certain thresholds, as we roughly know what the expected ratio is after looking at a couple of captchas.

Second, we look at the SIFT (Scale-invariant feature transform) interest points density by bounding box. As visible on the screenshot above, the captcha bounding box contains more interesting points that the other boxes. This is explained by the fact that the captcha letters are rotated independently and therefore have more ‘edges/corners’ than straight letters. The fact that the letters are rotated also implies that for the real captcha the interests points are scattered all over the box.  On the other boxes the interest points are mostly nears the edges because the letters are straight.

We aggregate theses two observations (more points, more scattering) into a density metric D that will be used to select the most interesting object.  The metric D is computed as follows:  D = Sum(1/distance(p_1, box_center)) where distance is the Euclidean distance and p_1 is each interest point. Basically, D calculates a weighted-sum of all the interest points by giving more weight to the interest points closer to the center of the box.

Combining these two techniques allow us to isolate the most ‘interesting’ object in each frame, by removing the objects below or above the bounding box thresholds and picking up the object for which D is the highest. The result of this selection algorithm for our example fame is visible on the screenshot below (Den being the value of the metric D for the given box):

Cross-frames analysis: finding the captcha

Being able to isolate interesting objects is not good enough because in some frames the captcha will not be present. To isolate the set of frames where the most interesting object is the real captcha, we use the features extracted during the frame analysis step to do a “cross-frame analysis.”

Our cross-frame algorithm works by computing a sliding window over the density metric D on 50 frames. As visible on the screenshots below, where the D value of the window is represented in the red curve, there is a clear spike when the captcha is displayed. So all we have to do is keep the highest spike (which encompass 50 frames) and discard the remaining frames.

Segmenting the captcha

The previous step identified 50 frame containing the captcha, giving us 50 instances of the same captchas that are slightly different (each letter is being animated independently).  Here is an example:

We can exploit these multiple variations of the same captcha in three different ways to help segment the captcha into individual letters.

First we can try to find an instance where all the letters are disjoint, making the segmentation trivial with a clustering algorithm. While we did found some instances where this is the case, this is not a good approach as it is unreliable and can be patched very easily.

The second approach is to try Decaptcha (our captcha tool) on every instance, and uses a voting decision to select the most probable answer. Using this approach, Decaptcha gives a 83% success rate on NuCaptchas. Here is an example of some of the clusters we have on a given NuCaptcha. It can be seen that than some of them are better segmented than others and therefore easier to recognize.

It is likely possible to improve the effectiveness of this approach by factoring the confidence of the classifier in the voting procedure, but since the results with simple voting were already good enough to prove NuCaptcha vulnerable, we ended up not pursing this direction.

A third approach to get close to 100% success rate is to use motion tracking (optical flow) to segment the letters. This approach uses a two-step algorithm.

First, we compute the interest points in each frame and then track them across frames.  You can see an example of this step on the screenshot below:

Second, we compute a distance matrix (using a RANSAC algorithm) to analyze which interest points move together, defined as their relative distance staying almost constant.   Each group of points that moves together makes up a cluster that represents a letter.  We can use these points to know where each letter starts and ends and to perform segmentation, which we show in the screenshots below. Since matching corresponding interest points between frames is never perfect, sometime we have very good results and sometime bad ones. However, since we track letter movements between pair of frames (the frame and the frame + 5) we have a lot of candidates to choose from, and we only need one good match to be successful.

This discrepancy between the quality of the matches is illustrated on the screenshot below:
The left side depict an example where the tracking has generated 6 clusters that are not very accurate. The  example on the right shows a successful clustering based on the distance matrix data. Even though the E, A, and, P are collapsed we are able to almost perfectly separate them using the distance matrix.

Synthesizing the problem

To summarize, animating the captcha allows the attacker to do a “differential” analysis that helps the attack be more efficient.  On the other hand, not animating the captcha is equivalent to having a static (text-based) captcha renders moot any security advantage of using a video captcha.

Toward secure video captcha

So are video captchas worthless? No, but it requires a lot of out of the box thinking for us to find a way out.  It took us significantly longer to understand the root of the problem and how to solve it than to break the current NuCaptcha scheme.

Once we have accepted the fact that the segmentation resistance for video captchas will be equivalent or lower than a standard text-based captcha(as explained above), it becomes clear that the extra-security provided by using a video captcha needs to come from somewhere else–We have to find a hard vision problem to rely upon.

Trying to prevent the computer from finding moving objects using a ‘confusing/moving background’ is a lost cause. The computer vision field has devised very efficient algorithms (optical flow algorithm) that are likely to destroy any attempts in this direction.

On the other hand, it seems possible to make the isolation of the correct moving object very difficult. What we need to do is to remove every discriminative feature (or invariants as Jeff Yan calls them) that the attacker can use to tell apart decoy moving objects and the real captchas.

For example our attack relies on two discriminative features to isolate the captchas: the number of interest points and the shape of the bounding box.  Both of these features can be nullified by adding (moving) decoys that exhibit the same properties.

NuCaptcha Response

As I said in the introduction, we notified NuCaptcha on November 21st, 2011 informing them we had an attack against their current scheme and iterated with them until December 15th 2011. On February 7th we wrote this blog post and shared it with them. At this time, they provided us an official answer that you can read  here.

Their answer contains two mains points regarding the attack. First on page one, they state, that they have a harder version that add more distortions and where the letters are more crowded.  When scraping their API, we emulate the behavior of a real bot by aggressively timing our requests. While we believe we got the version that a standard attacker might get (which is already harder than the version displayed on site), we have not evaluated the hard version referenced in their response.

With respect to the difficulty of their hard CAPCHA, I don’t believe that these heavier distortions are an efficient defense because even if the letters are more crowded, it should not impact an optical flow algorithm used to separate the letters. Further, I belive the heavier distortions should not be an issue for the recognition phase as it is well known since 2005 that computers beat human when it comes down to recognizing a single heavily distorted character.

The solution proposed by NuCaptcha. Image taken from their response.

Regarding their fix, they propose adding inter-frame manipulation (see screenshot above ) which should mess-up our optical flow analysis by throwing of our distance matrix. I won’t be able to characterize the effectiveness of this technique until they roll out their changes and I can test it. My guess is that it is somewhat less effective, based on the fact than in cryptography adding noise to prevent side-channel attacks has been known to be ineffective (The canonical example being the differential power analysis attack (DPA) by Paul Kocher), but again will withhold judgement until we can test.

Toward secure video captcha

It is likely that there are features other than the two we used that can be abused by an attacker to break tracking resistance. This is why, following the good practices pioneered by the cryptography community,  we decided to ask for your help to find them

This post openly discusses what we already know about video captcha security.  We hope this is the first step in an evaluation process dedicated to make the video captcha tracking resistance a viable option.  I will also discuss this attack in my upcoming RSA talk about captchas in February, so if you are around, I would be happy to discuss it

Methodology

To test if a site has registered their .xxx counterpart, my script perform a whois query and record the answer: If the whois query return NOT FOUND, the domain is assumed free, otherwise the registrar info was recorded and stored to generate the following charts. The crawl was performed on the 26Th December (20 days after .xxx domains became available to the general public)

How popular are .xxx domains ?

The first question, I wanted to answer was how many of the 50000 most popular websites  on the planet did in fact registered their .xxx domain counterpart. The graph below show the cumulative percentage of the websites that did, in fact registered their .xxx domains.

As visible on the chart, if almost all  the top 100 sites (except weibo)  did registered their .xxx domains, the percentage quickly drop below 50% and then stabilize around 20%.

When .xxx domains were registered ?

The second interesting question is when did the companies ordered their .xxx domains ? Did they take advantage of the “sunset period#” to register them early or did they wait the last minute ? Well as visible on the chart below, only 65% of them, did actually  take the time to register them before they the 6th December (Regardless of their real date, every .xxx pre-order are marked as been issued on Dec-1st on the whois data)

One piece of data missing here is how many of the 1595 domains registered on the 6th December are from the same owner than the real websites. I haven’t found a good way to automate this process, so if you have any idea on how to do it , I will be glad to do it. I might end-up using Mechanical Turk even-though it seems overkill.

How made a ton of cash selling .xxx domains ?

Last but not least who did profit the most of selling .xxx domain at 99$ a piece ? The ICM registry that officially operates the .xxx domain registration is the biggest winner with 72% of the sales, as visible on the graph below (careful the graph is in logarithmic scale). Every other domain got at most 3% of the sales. Note that this graph only display data for 8135 domains as the whois information did not return parsable data for the others.

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Today a spam email landed in my Gmail inbox. Because usually Gmail is very good at blocking spam, I took at look at it. This spam email simply contains link to a Google docs that contains the real spam that offers you to get a free diploma as visible in the screenshot below:

Back in 2008 spammers used Google Docs to massively spam users by sharing unwanted documents with them. The documents ended-up in their Google doc home directory. For this new campaign, it seems that they are just sending regular emails with a Google doc link.

The two things I find interesting about this spam campaign is that:

1) it seems that this type of spam effectively bypass the Gmail spam filter: A couple of my friends have confirmed that they also received the same type of spams and it has landed in their Gmail inbox as well.

2) Google doc display the number of viewers so you can see people come and go as they are lured to click on the link. I saw 7 other people taking a look at the document while writing this post (see the screenshot on the right) so it is clear that this campaign is active and “successful” As you can see, the viewers widget, also says that user 9923 and 2079 have opened/closed the document but I think it is a bug (9923 users seems a lot). I also wonder what is the click-rate through the link stored in the document (that will be nice to know).

What can we do about this ? Well you can do two things: first mark the email as spam and two mark the Google doc as spam by clicking on the report abuse in the help section as visible on the screenshot below:

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

One of my current research project, with Jing and a bunch of people of the university of Michigan, is to develop an in-browser defense against phishing, that will be able to detect phishing sites as quickly as they are created.  Instead of relying on a black list, it will use vision and machine learning algorithms.

Before to set out on a journey to find the best way to do this,  we needed to understand why detecting phishing sites is so difficult. There is little information on how phishers operate in the wild so we ran our own experiment and analyzed around 5000 recent phishing websites. Turnout that the results of this preliminary analysis are interesting  by themselves and shed a new light on current phishers behaviors so I decided to share them with you via this blog post.

Methodology

Before delving into the results, let me explain how we got to them. First we collected, phishing urls via Phishtank which is the best resources to get phishing URLs. Next we used these URLs to feed our crawler, which took a screenshot and collected a bunch of information for each of these sites. Then we used Amazon Mechanical Turk (as usual ) to have human review each screenshot and augment our data-set with “human intelligence”. To make sure our data-set is clean, we had every phishing site screenshot analyzed by three different Turkers. Finally we processed the data reported by the Turkers to compute the results that we are going to discuss. In particular we discarded meaningless results and used a voting system to come-up with a stable data set. In then end, we ended-up having data about 1000 phishing websites.  It might not seems a lot of works but trust me, it took us a lot of effort to get there

Type of Phishing

There is two kind of phishing websites: fake sites and scam sites. Fake sites are phishing sites that clone the appearance of the targeted website in the hope you will confuse the two and enter  your credentials (login and password). Here is an example of a Paypal phishing site

Paypal Fake website

Scam site try to talk you into entering your credentials for a dubious reason or another. The screenshot below show a phishing site that attempts to steal your MSN credentials via offering you a software that allows you to know who blocked you. Notice how the phisher, make clear that this is safe to use it ….

MSN Credential phishing via a SCAM

Accordingly the first question that comes to mind is which is the favority phishier tactic ? Faking or Scamming ? Well it is about equal (48.2%, 51.8%) as visible in the graph below:

Phishing Sites Target Type

The next question is what kind of sites phishers are targeting ? Are they trying to steal your bank account, your email, or your Facebook account ?
As visible on the chart below, for those we were able to categorize, Without any surprise  financial services, like Paypal and Banks, are the most targeted. The next big target (no surprise here either) are social networks (Facebook, Orkut…). What is surprising is that the third big type of target, are online games (World of Warcraft in particular) not email accounts. One hypothesis, that explains this trend is that reselling stolen online goods is a lucrative business.

Visual Similarity

One other question, we asked Turkers is to rank  how visually similar fakes sites are to the target site they attempt to phish.  We asked to rank the fake phishing site on a scale from 1 to 5.  1 being completely different to 5 being close to a perfect copy. I was expecting to have a majority of sites to look very similar to their target. Oh boy, how wrong was I, as visible in the chart below in reality most fake sites are poorly executed (on purpose to avoid detection ?).

Here are some examples of phishing sites with different level of visual similarity:

Eve-online phishing site (similarity 5/5 – high resemblance)

World of Warcraft phishing site (similarity 5/5 very similar)

World of Warcraft phishing site (visual similarity 2/5 very few common point with the original site)

Why Detecting Phishing is Hard ?

So why detecting phishing is hard ? Well the results of our analysis suggest at least two reasons: First many phishing sites (51.8%) are scam sites not fake sites which make them harder to classify because we don’t have a baseline for them (the real site). The second explanation is that those who attempt to fake a realsite are poorly executed and therefore are hard to recognize. While I still believe that  machine learning and vision algorithm can yield something (there are previous successful works on this), it is clear that we will need new ideas to deal with scam phishing sites  and poorly executed fake sites. Right now, I am thinking using image content extraction and spacial correlation but only time will tell if it will work. There is also probably more to the data that what I discussed, so if you have an idea let me know

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week headline by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

Evolution of the lock shape

The first infographic below show the evolution of the lock icon itself. The first thing that infographic show is that beside Safari, every major browser vendor keeps revamping the lock icon from time to time. I have included Konqueror in the infographic because, it is the only that uses a shield as security indicator, despite users studies showing that the lock is the best indicator for SSL…

Don’t be surprise to not find Firefox 5+ in the infograhic, it was remove (you know have a blue box on the right of the URL when SSL is on)

Finally one thing that keeps puzzling me is why the Safari (every version) and Firefox icon (some version) are different depending of the OS ?

Evolution of the lock position

The second infographic show you where the lock is displayed in the browser.  One thing to note is that Safari icon position is different whether you use it on Windows or OSX.

Realizing the diversity of  lock shapes and positions makes me wondering if  it is not  one of the reason why users are confused and sometime have hard time to know if the connection is secure or not.  Maybe we should standardize the security indicator shape and position ?

Thanks for reading this post. If you like it please sharing it with the world, it makes me happy You can follow me on Twitter @elie or on Google+

Table of Content

Highlights

The 5 most popular news of the week

This top 5 was established based on bit.ly overall clicks data

Thanks for reading this post. Share your thoughts on last week news by leaving a comment below or sharing it with the world.
You can subscribe to receive these report by RSS or @elie or on Facebook

In this post I want to share with you the two simple steps I came up with to “harden” my credit card security against theft and duplication. In a nutshell, this hardening technique works by removing all the extra information written on the credit card (signature and security code) that are not necessary for it work and are valuable to an “attacker”. If you know another hardening technique please leave a comment or let me know via Twitter  / Google+

Removing the security code

Your credit card three digits security code is located at the back of your card as visible in the photo below:

Its only purpose as far as I know is to “prove” while doing online payment that you “have” the original card as this security code is not contained in the data stored on your card magnetic strip/chip. The problem with having this code in plain sight is that any one who manipulate you card (waiter, cashier..) can easily copy it and then shop online with your credit card.
Before erasing it from the card, make sure you copy this code in a safe location like your password manager BE CAREFUL where you store it as you need it for online shopping. Erasing this code is actually harder than you might think because it is engraved in the card so simply “blanking it” with a marker won’t be enough. So far, I had the most success by first scratch it with a nail-file and then blank it with a heavy marker. It is not perfect but it it is very very difficult to read it after this treatment.

Replacing the signature with the mention “SEE ID”

The other part of the hardening process is to replace the signature in the back of the card the mention “SEE ID”. As far as I can tell, the rational behind having your signature at the back of your card (at least in the US where they generally don’t ask for a PIN code to make a purchase) is to allow cashiers to make sure you are the true owner of the card by comparing the receipt signature and the signature at the back of the card. This approach have obviously two flaws: First the person who stole the card, have plenty of time to look at the signature and learn how to forge it. Secondly the security of this approach rely on the fact that cashiers are able to detect forged signature in a blink of an eye and under bad lighting conditions … So instead of hoping that every cashiers is an expert in graphology it is actually better to ask them to compare the credit card name with a valid ID by writing the mention SEE ID on the back of the card.

Return of experience

I have been using the hardened credit card visible on the picture below for almost two years.

During this period of time, I never had any issue with it: I was always able to pay with it no matter which store or country (US, France, Germany, Italy, Indonesia, Canada…) I used it. The sad part of the story is that very few cashiers ever asked me for my ID which tend to show that this whole signature idea is a fluke. The only stores that consitenly ask me for my ID no matter which one I go, are the Apple stores (Kudo to them). So will you secure your card ? Let me know via the comment system or on Twitter  or on Google+