A PayPal researcher argues in a new paper that a combination of randomized user interfaces and back end screenshot comparison tools could effectively put an end to clickjacking attacks, one of the most prevalent online scams.
Brad Hill of Paypal argues in a new paper for a method he calls “adaptive UI randomization.” The new approach combines randomized changes to user interface elements with the statistical analysis of first click success provided by screenshot comparison tools like NoScript’s ClearClick. It can effectively mitigate all common classes of clickjacking attacks, Hill argues.
Clickjacking attacks use standard Web user interface elements like iFrames to fool visitors to a Web site into behaviors that are advantageous to the attackers. Clickjacking attacks are increasingly common on social networks like Facebook, where scammers and cyber criminal groups will use iFrames or other tricks to fool users into “liking” content or clicking on malicious links.
User interface randomization has long been suggested as a way to combat clickjacking attacks. However, it has a number of limitations. Randomizing the layout of a user interface can lead to poor user experiences, among other things. In addition, randomization alone still allows for clickjackers to enjoy a reasonable rate of success with their attacks.
However, combining UI randomization with back-end statistical analysis helps to overcome these limitations. You can read the entire PayPal report here, and you may want to if you’re into math and statistical analyses.