How Color Can Prevent Your Users from Getting Phished

Written by igliu | Published 2019/02/25
Tech Story Tags: security | phishing | nodejs | web-security | phishing-prevention

It’s surprisingly difficult to know whether an email you’ve received is trustworthy.

Why is this so hard? Well, you can’t trust the sender name. You can’t trust the email’s aesthetics. And you definitely can’t trust the copy. To be safe, you need to verify the sender’s domain name and the domain of all outgoing links.

Put yourself in the shoes of a random user and try to decipher “efax.hosting.com.mailru.co” or “drive.google.com.download-photo.net”. It’s unreasonable to expect the average user to be on high alert every time they open their inbox, so let’s find a better way.

Using color

The fundamental problem is that the information you need to determine whether an email is safe is 1) hard to find and 2) hard to understand. In a perfect world, this information would be 1) easy to skim and 2) impossible to misread.

There are a handful of ways to verify you’re talking with the right person. You can verify 1) something they are (biometrics), 2) something they have (2FA codes), or 3) something they know (passwords). It’s not immediately clear how we might associate emails with senders’ biometrics or 2FA codes, but we can definitely work off the idea of an “email password”.

We provide websites with passwords to verify who we are all the time. What if websites needed to provide us a password so that we could verify who they were? And what if these passwords weren’t complicated strings but rather easy-to-skim colors?

https://github.com/turbomaze/colorful-phish

Imagine this: the moment you created a password for a website, they created one to use with you. In your welcome email, they told you what this password was: a specific color, unique to your account. From that moment forward, you could rest easy knowing that if an email didn’t contain that exact color, then you were getting phished.

Here’s an example of what one of these welcome emails might look like:

And we’re done. Colors are simple to implement, easy to skim, and impossible to misunderstand. Check out colorful-phish on GitHub for a Node.js implementation that will help you eliminate phishing on your site with 3 lines of code.

If you have any thoughts or want to riff on related ideas, you can find me on Twitter at https://twitter.com/@imigliu.


Written by igliu | Making it easy to use the next generation of domain names @ https://namebase.io.
Published by HackerNoon on 2019/02/25