Anti Passwords

Phishing attacks are quite common on regular websites, and most of the time they are easy to spot by their URLs, the lack of HTTPS, or because they are poor imitations of the websites they are trying to impersonate.

But what about phishing done inside a mobile app? Felix Krause just showed how easy it is to fall prey to a phishing attack on a mobile platform; his test scenario was on iOS, which is the more secure of the two dominant mobile operating systems.

Below are his recommendations on how a user can defend against an attack like this…

“Hit the home button, and see if the app quits:
If it closes the app, and with it the dialog, then this was a phishing attack.
If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run in a different process, and not as part of any iOS app.
Don’t enter your credentials into a popup; instead, dismiss it and open the Settings app manually. This is the same concept as never clicking on links in emails, but instead opening the website manually.
If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.”

Using Anti Password

I would like to add to his recommendations above: I am proposing that every user should have something called an “anti password”.

An “anti password” is a string of characters that is suitable for use as a password, but which the user knows is not a legitimate password for any of their accounts.

The idea is that when a user gets a password prompt, especially on the iOS platform, the user starts by entering the “anti password”. If the prompt is legitimate, it will reject the entry and ask for the password a second time, assuming a typo was made; if it is a phishing attack, the dialog will simply accept the “anti password”.

So two things have been achieved here: the user learns that there is a phishing attack against them, and the attacker has been fed bad information instead of a real credential.
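To make the proposal concrete, here is an added simulation (not code from the post or from Felix Krause) of the anti-password check in Python. The credential, the anti password and the three dialog models are constructed for the example. A genuine prompt is modelled as a verifier that checks a salted hash and rejects anything else; a naive phishing dialog accepts whatever it is given; a third, hypothetical dialog that rejects the first entry and accepts the second is included to show the check's limit, which is why the home-button test quoted above remains the stronger signal.

```python
import hashlib
import hmac
import os

# Constructed values for the simulation; neither is a real credential.
REAL_PASSWORD = "correct horse battery staple"
ANTI_PASSWORD = "NotMyRealPw-2017!"  # plausible-looking, but the user knows it is fake


class LegitPrompt:
    """Models a genuine system dialog: it verifies the entry against a
    salted PBKDF2 hash and rejects anything that does not match."""

    def __init__(self, real_password: str):
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac(
            "sha256", real_password.encode(), self.salt, 100_000)

    def submit(self, entered: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", entered.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.digest)  # constant-time compare


class PhishingPrompt:
    """Models the phishing dialog from the post: every entry is captured
    and reported as accepted, because there is nothing to verify against."""

    def __init__(self):
        self.captured = []

    def submit(self, entered: str) -> bool:
        self.captured.append(entered)
        return True


class MimickingPrompt(PhishingPrompt):
    """Hypothetical dialog (added here as a limitation of the check): it
    imitates a legitimate rejection on the first entry and accepts the next."""

    def submit(self, entered: str) -> bool:
        self.captured.append(entered)
        return len(self.captured) > 1


def probe(prompt, anti_password: str) -> str:
    """Apply the anti-password test: submit the fake credential first and
    classify the dialog by whether it accepts it."""
    if prompt.submit(anti_password):
        return "phishing"            # a real verifier could never accept this
    return "consistent-with-legit"   # rejected: what a genuine prompt does


if __name__ == "__main__":
    legit = LegitPrompt(REAL_PASSWORD)
    phish = PhishingPrompt()
    mimic = MimickingPrompt()
    print("legit  ->", probe(legit, ANTI_PASSWORD))
    print("phish  ->", probe(phish, ANTI_PASSWORD), "captured:", phish.captured)
    print("mimic  ->", probe(mimic, ANTI_PASSWORD), "(false negative)")
```

The probe only ever sends the anti password, so a naive phishing dialog walks away with a worthless string; the mimicking case is classified as legitimate, which is the caveat a user should keep in mind before trusting the second prompt with the real password.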

This is an untested proposition, as I don’t have the skills or know-how to prove that it will work, but I am throwing it out in the open to hear what people in the security domain would say.

Waiting for comments and feedback.