New Technology to Prevent Damage from Phishing Sites

Phishing sites are increasingly becoming a global issue, affecting even major companies such as Amazon and Netflix, as well as South Korean giants like 11st and Naver. These phishing crimes involve mimicking official service websites to deceive users, and they are on the rise.

Users unknowingly enter their credentials into fake pages, believing they have logged in successfully. In reality, these fake login widgets are designed to accept any input and transmit legitimate user credentials to a hacker’s database.

Phishing sites do not stop at stealing login credentials. For instance, fake pages mimicking online shopping malls lure users into making payments. Believing the page is legitimate, users proceed with their transactions, only to have the money transferred to a hacker’s account. Victims end up with financial losses, having purchased nothing in return.

Such fraudulent activities have persisted for years without resolution. When users suffer losses, service providers often claim to be victims as well, expressing their grievances. However, they rarely show genuine effort to tackle the issue, instead hiding behind the excuse that “there is no solution,” allowing the problem to persist.

A Solution: ITU-T X.1280

The technology to address this issue already exists. ITU-T X.1280, an international standard known as the “Out-of-Band Server Authentication Framework Using Mobile Devices,” offers a mutual authentication structure between services and users.

Unlike traditional authentication methods (e.g., IDs and passwords, or biometric authentication), where users send their credentials directly to a server, this technology prevents phishing by involving the service itself as an active participant in the authentication process.

How X.1280 Works

  1. The user enters only their ID and initiates a login request.
  2. The service displays a six-digit OTP or one-time authentication number on the login page and sends a push notification to the user’s mobile device.
  3. The user’s mobile device generates the same OTP.
  4. The user visually verifies that the OTP on the login page matches the OTP on their mobile device.
  5. If the numbers match, the user proceeds by approving the login via biometric authentication on their device. If not, the process is terminated.
  6. Once authentication is complete, the user’s credentials are securely transmitted to the server.
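The six steps above, as an added example that is not part of the original article and is not the Passwordless Alliance's implementation: a self-contained model of the service, the user's mobile device, and the user's visual comparison. The concrete mechanisms are assumptions made for illustration only, not X.1280's actual message formats: the six-digit code is an HMAC-SHA256 over a per-login nonce keyed with a secret shared at enrollment (truncated HOTP-style), the push carries that nonce, and the device's approval is a MAC bound to the session so the service can check it came from the enrolled device. The phishing case is modelled as a look-alike page that shows a code of its own choosing, because it holds neither the secret nor the nonce; the user sees the mismatch at step 4 and stops at step 5.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

DIGITS = 6


def derive_otp(device_secret: bytes, session_nonce: bytes) -> str:
    """Code shown on the page and on the device (assumption: HMAC-SHA256 of the
    per-login nonce under the enrollment secret, RFC 4226 dynamic truncation)."""
    mac = hmac.new(device_secret, session_nonce, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class MobileDevice:
    """The user's phone: holds the enrollment secret and the biometric gate."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def on_push(self, push: dict) -> str:
        # Step 3: derive the same code the legitimate page is showing
        return derive_otp(self.secret, push["nonce"])

    def approve(self, push: dict, biometric_ok: bool) -> Optional[dict]:
        # Step 5: local biometric check, then an approval bound to this session
        if not biometric_ok:
            return None
        msg = b"approve:" + push["session"].encode() + push["nonce"]
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return {"session": push["session"], "tag": tag}


class Service:
    """The legitimate service: shows the page OTP and sends the push."""

    def __init__(self) -> None:
        self.devices: dict[str, bytes] = {}   # user id -> enrolled device secret
        self.sessions: dict[str, dict] = {}   # session id -> pending login

    def enroll(self, user_id: str, device: MobileDevice) -> None:
        self.devices[user_id] = device.secret

    def begin_login(self, user_id: str, nonce: Optional[bytes] = None) -> tuple:
        # Steps 1-2: the user sent only an ID; open a session, render the OTP
        # on the login page, and push the nonce to the enrolled device
        nonce = nonce or secrets.token_bytes(16)
        session = secrets.token_hex(8)
        self.sessions[session] = {"user": user_id, "nonce": nonce}
        page = {"session": session, "otp": derive_otp(self.devices[user_id], nonce)}
        push = {"session": session, "nonce": nonce}
        return page, push

    def complete_login(self, approval: Optional[dict]) -> bool:
        # Step 6: accept only an approval MACed by the enrolled device for an
        # open session; the session is consumed so the approval cannot be replayed
        if approval is None:
            return False
        pending = self.sessions.pop(approval["session"], None)
        if pending is None:
            return False
        msg = b"approve:" + approval["session"].encode() + pending["nonce"]
        expected = hmac.new(self.devices[pending["user"]], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, approval["tag"])


def user_login(service: Service, device: MobileDevice, user_id: str,
               fake_page_otp: Optional[str] = None, biometric_ok: bool = True,
               nonce: Optional[bytes] = None) -> str:
    """The flow as the user experiences it. If `fake_page_otp` is given, the
    user is looking at a look-alike page that shows a code it made up
    (constructed scenario: it holds neither the secret nor the nonce)."""
    page, push = service.begin_login(user_id, nonce)
    shown = fake_page_otp if fake_page_otp is not None else page["otp"]
    if shown != device.on_push(push):      # Step 4: visual comparison
        return "terminated"                # Step 5: mismatch, the user stops
    approval = device.approve(push, biometric_ok)
    return "logged_in" if service.complete_login(approval) else "rejected"


if __name__ == "__main__":
    svc = Service()
    phone = MobileDevice(b"constructed-enrollment-secret")   # constructed
    svc.enroll("alice", phone)
    print("genuine page:", user_login(svc, phone, "alice"))
    print("look-alike page:", user_login(svc, phone, "alice", fake_page_otp="000000"))
```

Two properties of the model are worth noting: the look-alike page cannot produce the code the device shows, so the comparison at step 4 fails before any credential leaves the device, and the service only accepts an approval keyed by the enrolled device for a still-open session, so a forged or replayed approval is rejected at step 6.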

This process is not complex but effectively eliminates phishing by requiring active participation from the service in the authentication process.

Free Technology and the Barriers to Adoption

Remarkably, X.1280 is being distributed globally for free by the non-profit organization Passwordless Alliance. Despite this, many companies have yet to adopt the technology. Global corporations remain slow to act due to their rigid communication structures, while mid-sized companies cite internal constraints as excuses for delaying implementation. Even with a solution readily available, they continue to stand still as phishing crimes persist.

What Should We Do Now?

This technology is not merely a preventive measure; it is a practical solution to the epidemic of phishing crimes. Service providers must stop portraying themselves as victims and take responsibility by adopting this technology to protect their users. Likewise, users must demand safer authentication methods and assert their right to security.

The choice is now in our hands. Together, we can build a world free from the dangers of phishing.