Spoofkiller is a research project that aims to dramatically reduce the impact of app and web spoofing, and indirectly, of phishing. Estimates indicate that it will reduce worldwide losses due to phishing by at least 80%, once fully deployed (see curve). Zirco Secure is a modification of Google's Zirco browser that adds the SpoofKiller features. This is not yet a consumer-grade product, but simply a proof-of-concept application. Here is the theory behind SpoofKiller:Viewing the problem of spoofing from the perspective of the attacker, it becomes evident that in order to be successful, the attacker has to both (1) trick his victim, and (2) benefit from the actions of the victim. While this may seem redundant to call out, it is crucial to the understanding of how to defend against spoofing. Typical anti-spoof technologies relate to the first of these two phases; they either provide positive indications for good sites (such as the SSL lock, or coloration of URL address bars on sites with EV certs); or they provide negative indications for bad sites (such as popups warning the users of blacklisted sites.) This is not a successful approach as it depends on the awareness and judgment of the user. Spoofkiller addresses the problem by relating to the second phase: it makes certain that an attacker that has managed to trick the victim does not benefit from the actions of the victim. “Being tricked”, in the context of a spoofing attack, means to carry out the same set of actions as would have been carried out on the legitimate counterpart of the spoofed site (or app). Therefore, the very same user action must result in login success on a good site, but failure to collect credentials on a bad site. This, at first, appears counter-intuitive or even impossible, but turns out to be possible to achieve and deploy without any infrastructure changes. Spoofkiller causes different results given the same user action. This is achieved by identifying whether a webpage (or app) is on a whitelist when a user signals that he or she is about to log in. Whitelisted webpages/apps are then allowed to proceed to execute (which results in a login), while those that are not whitelisted are interrupted by the browser or operating system. Special cases are managed to deal with good webpages/apps that are not whitelisted; and to message users who have not yet learnt (the slightly modified) login procedure. The new login procedure involves pressing a hardware button, such as the power button. (While this may at first seem to cause additional friction, convenience features can be added to this action to incentivize users to use the Spoofkiller functionality.)Very broad patent coverage has been obtained. A deployment strategy has been developed, in which PayPal, the owner of the intellectual property, provides free licenses to any company, to encourage adoption. (The only provision would be that PayPal be on the whitelist of the solution; the relevance of the whitelist is described below.) This would not provide PayPal with any direct revenue, but it is expected to result in a large indirect benefit due to the marketplace being more secure. As such, it would benefit everybody in the marketplace, except the fraudsters, of course. SpoofKiller was developed by Markus Jakobsson, Principal Scientist of Consumer Security at PayPal. See www.markus-jakobsson.com. ZircoSecure was developed by Markus Jakobsson and Hossein Siadati. To understand the exact functionality of SpoofKiller, please see www.spoofkiller.com, or contact Markus via his webpage. If you are interested in developing SpoofKiller for another browser, please contact Markus.