Since current attacks involve tricking human users by presenting replicas of trusted interfaces, there are substantial social science issues involved, including legal issues related to the responsibility of financial and other institutions that use web authentication, and human factors questions about how users are fooled into entering sensitive data into malicious web sites, or fooled into installing spyware that then carries out malicious activity on the users computing platform. Because this problem is highly visible and affects many users beyond the research community, this area presents an excellent opportunity for outreach, education, and technology transfer. We believe that practical methods, delivered directly to concerned individuals or concerned enterprises, will have broad societal impact and will reflect positively on the TRUST center and its sponsors.

Integrative Testbed: This collaborative TRUST project, involving faculty and students from computer science and law, will examine the social and legal context of identity theft, develop improved technology to combat phishing, spyware, botnets, and related threats, pursue technology transfer opportunities, and study the policy and legal implications of intrusive activities and possible defensive measures. Participation to date has come from computer science departments and law schools at Berkeley, CMU, and Stanford; additional participation from other universities or TRUST industrial partners will be welcomed. The identity theft thrust has four primary objectives.

1. Understand how users perceive their vulnerability to identity theft attacks and how well they understand the privacy threats associated with installed software.
2. Develop mechanisms for detecting potential and actual loss of personal data from computers.
3. Build and demonstrate active systems that prevent identity theft.
4. For each of our proposed mechanisms for detecting identity theft and preventing identity theft, understand the policy implications and legal implications

Research Collaboration: Berkeley participants Tygar and Dhamija have developed dynamic skins anti-phishing technology, have performed user studies of anti-phishing methods, and have analyzed other identity theft techniques such as acoustic emanations. Berkeley Law member Deidre Mulligan has experience with legal issues related to identity theft, as does Stanford Law member Jennifer Granick, co-leader of a recent study of spyware technology and legal issues at Stanford. CMU faculty Perrig and Song and their students have worked on botnet detection and enhanced web authentication methods. Stanford faculty Boneh and Mitchell, with their students, have developed a series of software browser extensions that combat identity theft and collaborated with Granick on spyware study. Stanford professor Rosenblum designed virtualization methods that are central to the planned SpyBlock effort.

External collaborators in the ID Theft project include:

• DHS/SRI Identity Theft Technology Council, a group that includes representatives from financial service companies, leading auction sites, and related organizations.
• RSA Securities has engaged with Stanford, under DHS sponsorship, to transition a password hashing method to their commercial identity management product.
• Google has hosted a Stanford intern who has helped incorporate Stanford SpoofGuard technology into a Google toolbar release in spring, 2006.

Activities: Our accomplishments to date are decentralized, although collaborative discussion began at the June TRUST kickoff meeting and has continued through the 2006-2007 planning process. We plan to compare methods from different campuses in our evaluative studies, and integrate compatible methods in future software distributions.

• SpoofGuard is a browser extension designed to help prevent phishing by detecting attacks in progress. The extension, which predates the TRUST center, is freely available at http://crypto.stanford.edu/SpoofGuard/. Integration into a Google toolbar was completed in the past year.
• Dynamic skins automatically customize secure windows and provide visual cues that help prevent phishing attacks.
• A "phoolproof phishing prevention" effort produced an authentication protocol that leverages Bluetooth-enabled cell phones to circumvent malicious code on a client station.
• PwdHash, developed in part before TRUST funding was received, produces a custom passwords for each site, in a manner that combats phishing and other password attacks. The software is freely available at http://crypto.stanford.edu/PwdHash/
• Initial progress on botnet detection has been completed, with planned conference submission for summer 2006.
• A spyware project studied commonly deployed spyware and developed technical foundation for legal action, in collaboration with Stanford Law School.
• A semantics-based malware detection method has been developed and tested (at CMU).
• Education and outreach efforts include course modules on identity theft (to be completed spring 2006) and interaction with law enforcement (Secret Service, FBI Infragard) and private companies concerned with identity theft (e.g. PassMark Security).