Spoofkiller: You can teach people how to pay, but not how to pay attention

Abstract

We describe a novel approach to reduce the impact of spoofing by a subtle change in the login process. At the heart of our contribution is the understanding that current anti-spoof technologies fail largely as a result of the difficulties to communicate security and risk to typical users. Accordingly, our solution is oblivious to whether the user was tricked by a fraudster or not. We achieve that by modifying the user login process, and letting the browser or operating system cause different results of user login requests, based on whether the site is trusted or not. Experimental results indicate that our new approach, which we dub “SpoofKiller”, will address approximately 80% of spoofing attempts.