Carnegie Mellon researchers develop 'Phoolproof' antiphishing system

A professor and two students at Carnegie Mellon University’s CyLab have developed software designed to protect Web users from phishing sites by getting their mobile devices involved.

Called the Phoolproof Phishing Prevention system, the program provides strong authentication between the user’s browser and a Web site by using a third party – namely a cell phone or PDA – to act as authenticator, according to university officials. The idea is to keep Web users from logging into, and subsequently providing sensitive or financial information to, fraudulent sites posing as financial institutions or retail outlets.

Using SSL, the system stores a cryptographic key for each of the user’s designated online accounts on a mobile device. When the user wishes to visit one of these sites, he or she selects the bookmarked secure site from the mobile device’s browser, which then launches a browser window on the user’s PC. The PC retrieves the Web site’s certificate and forwards it to the mobile device, which verifies it and sends along the user’s certificate.

Then, from the PC’s browser, the user logs into the site with a name and password. The site’s server verifies the user’s name, password, and certificate, and grants the user access to the site.

Researchers behind the system say it turns mobile devices into “secure electronic key rings,” and even if the devices are compromised, Web accounts can’t be accessed because they require the correct user login and password to accompany the certificate.
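The flow described above, as an added simulation that is not the CyLab prototype's code: the phone pins the site's certificate at enrolment, releases the user's client certificate only when the certificate the PC forwards matches that pin, and the server then requires name, password and certificate together. Certificates are stood in for by byte strings identified by SHA-256 fingerprint; the class and function names are assumptions.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

def fingerprint(cert: bytes) -> str:
    """Certificate identity as a SHA-256 digest (stand-in for real X.509 handling)."""
    return hashlib.sha256(cert).hexdigest()

@dataclass
class Account:
    server_fp: str    # server cert fingerprint pinned when the account was enrolled
    user_cert: bytes  # user's per-site client certificate, kept only on the phone

@dataclass
class MobileKeyRing:
    """Phone-side 'secure electronic key ring' of bookmarked accounts."""
    accounts: dict = field(default_factory=dict)

    def enrol(self, name: str, server_cert: bytes, user_cert: bytes) -> None:
        self.accounts[name] = Account(fingerprint(server_cert), user_cert)

    def verify_and_release(self, name: str, presented_server_cert: bytes):
        """PC forwards the site's certificate; phone releases the user cert only on a pin match."""
        acct = self.accounts[name]
        if not hmac.compare_digest(fingerprint(presented_server_cert), acct.server_fp):
            return None  # certificate differs from the pinned one: treat as phishing
        return acct.user_cert

class Server:
    def __init__(self, cert: bytes):
        self.cert, self.users = cert, {}

    def register(self, username: str, password: str, user_cert: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, pw_hash, fingerprint(user_cert))

    def login(self, username: str, password: str, user_cert) -> bool:
        """Access requires name, password AND the enrolled client certificate."""
        rec = self.users.get(username)
        if rec is None or user_cert is None:
            return False
        salt, pw_hash, cert_fp = rec
        pw_ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), pw_hash)
        cert_ok = hmac.compare_digest(fingerprint(user_cert), cert_fp)
        return pw_ok and cert_ok

def phoolproof_login(ring: MobileKeyRing, bookmark: str, site: Server, username: str, password: str) -> bool:
    """Whole flow: bookmark on phone -> PC fetches site cert -> phone verifies -> password at the PC."""
    user_cert = ring.verify_and_release(bookmark, site.cert)
    return user_cert is not None and site.login(username, password, user_cert)
```

A look-alike site presenting a different certificate never receives the user's certificate, and a stolen phone's certificate alone is rejected without the password.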

Currently researchers have a prototype version of the system working, and are hoping to release a more finished version soon.

* Check out Network World's Alpha Doggs blog for networking research at university and other labs.
