Phishing protection
by Jonathan Buhacoff

Introduction

There's usually more than one way to do something, and the same is true about protecting people from phishing attacks.

You might have seen companies or products that want to scan all your emails to check for links to malicious sites, or scan all the websites you visit to check if the URL in the address bar, or any URL mentioned on the page, is in the ever-growing malicious sites list. They scour the Internet day and night looks for new malicious sites, and they'll find them because more malicious sites are created all the time. These approaches can never provide 100% protection because they're always behind the attackers -- as new malicious sites are created, there's always a period of time before they are found, and consequently the service cannot protect its users from these sites until they are added to the list. Some people might be tricked by new malicious sites before they are added to the list.

LoginShield is different. We don't try to make a comprehensive list of all the sites you shouldn't be going to, and we don't invade your privacy by scanning every email and every website you visit. Our approach is to identify the sites you do trust and to ensure that the credentials for those trusted sites are only used there and not anywhere else.

How LoginShield phishing protection works

When you use LoginShield to login to a site that is not in your trusted sites list, or if you login to a site from a new browser or device, the LoginShield app shows a safety notice. This just means the site isn't on the list of your trusted sites (or maybe you cleared your browser so we don't recognize it), and we need to route you safely to the site where you're trying to login. If the safety notice takes you to the same website on the same browser you used to initiate the login, it will be added to your trusted sites list so next time you won't get the safety notice.

LoginShield's patent-pending phishing protection makes it safe to login to a website, because your credentials are sent only to the target site, and the attackers never get credentials to impersonate you to the target site. This approach works even if you're the first person to stumble onto a new malicious site. We don't need to know about them in advance.

LoginShield protects you against malicious sites that masquerade as a target website where you have enabled LoginShield on your account. First, because you have LoginShield enabled there's no password to input, so if they ask you for a password, there isn't one that would work (and if you follow the best practice of never reusing a password a multiple sites, you won't accidentally give them a password that works somewhere else). Second, if they try to immitate the LoginShield process by forwarding the QR code generated by the target site, LoginShield will detect that the login is coming from an untrusted site and route you to safety.

Limits to LoginShield's phishing protection

Are there limits to LoginShield's phishing protection? Here are the phishing attacks that LoginShield does NOT protect against:

  • identity theft
  • payment scams

Identity theft

A website might ask for your personal information and then use it to impersonate you somewhere. Unfortunately, there are many legitimate websites that rely on personally identifiable information (PII) such as your address, phone number, date of birth, or state identification number, and for this reason whenever you provide this information anywhere, you are at risk.

LoginShield only protects your online accounts at participating websites. LoginShield does not currently prevent you from entering your personal information on untrusted sites, but if you're interested in this protection please contact us.

Payment scams

A website might pretend to be related to a product or service that you get from a legitimate company or the government, and demand a payment to "renew" something you don't even have from them and don't need. If they even attempt provide anything at all in exchange for the money, it might be just enough of a token product or service to claim that they sold you something legitimate. If you enter your credit card information at such a website, you might be able to do a chargeback when you figure out it's a scam. If you use another payment method, that money might be gone forever.

LoginShield only protects your online accounts at participating websites. LoginShield does not currently prevent you from entering your payment information on untrusted sites, but if you're interested in this protection please contact us.

Conclusion

LoginShield protects you against malicious sites by routing you safely to the target website where you have enabled LoginShield on your account. LoginShield does not scan your emails or scan the content of the websites you visit to look for malicious content. You still need to be careful to avoid identity theft and payment scams at websites that ask you to enter personal information or payment information without logging in. If you're interested in extending LoginShield's protection to these two other attacks, please contact us.

Cryptium

Our mission: empower organizations to eliminate the threat of password and phishing attacks on their users.

PO Box 1401
Hillsboro, OR 97123