In February 2021 global media were in an uproar due to this horrifying news - “Hacker tries to poison water supply of Florida city” https://www.bbc.com/news/world-us-canada-55989843 We know that many of the attackers get a back door opened to take over the systems. Probably around the top of the list of weapons for opening the backdoor is compromising the passwords of the staff of target organizations. ‘Phishing’ is known to be particularly effective in it. The nasty threats of phishing attacks can be detected and thwarted by a simple tweak of the log-in process with a wise use of our episodic image memory; enable the user to register an image of their own (not shared on SNS) as a credential of the genuine log-in server When the genuine service desk sends an email to a user, for instance, to ask them to feed their log-in password, the genuine log-in page should be able to show the user’s image - along with dozens of other images. If the user is shown a log-in page that does not show any image that the user can recognize right away, it would be suspected to be a fake log-in page – Beware! The image to register as a credential of the genuine log-in page should desirably be of episodic memory. We announced this method 18 years ago. -------------------------------------------------------- Have you taken note that we wrote “show the user’s image ALONG WITH DOZENS OF OTHER IMAGES” in the above? This element plays a crucial role in our scheme. A would-be phisher can easily copy the log-in screen and show it to a target user whose User ID is known. But the phisher does not know which image was registered by the user as the credential of the genuine log-in server as against the other images, whereas both the user and the genuine log-in server know which one was registered. We ask the user to pick up the registered image and also several other meaningless images in a random sequence; The outcome will be that the genuine log-in server will know that the user has selected the registered image in the choice, while a fake log-in server will not know it, If the user is given a password box when the choice does not include the registered image, the user would know right away that it is a fake and proper actions would be taken. The phishing process will have to stop there. Copying the genuine log-in page would thus take the phisher nowhere. After this screening of fake log-in servers, the user will be asked to go through the authentication by a password, desirably by Expanded Password System (EPS) where it is available. EPS comes without the likes of a password box. Ref: "Impact of Episodic Memory on Digital Identity" https://www.linkedin.com/pulse/impact-episodic-memory-digital-identity-hitoshi-kokumai/

1. Detection of Phishing
by Episodic Image Memory
2-factor authentication schemes, which help servers to detect fake users,
does not help users to detect fake servers.
Our own volitional actions based on correct knowledge are needed.
Episodic image memory helps
Mnemonic Identity Solutions Limited
22 February, 2021

2. Flow of Operation
This is a cat who used to live with my family 20 years ago.
I have never shared her photo on any SNS. I registered
her as the secret credential for the log-in server. .
The genuine log-in server is supposed to include her picture in a group of
images that are shown to me when I am required to reset my password or
feed my password in extraordinary situations.
I am certain her photo of my emotion-colored episodic memory will jump
into my eye when shown to me even after many years’ of interval.

3. Now, I am requested to feed my password on
a seemingly authentic log-in server.
If I am guided to a password box straight away,
it is a phishing page.
If I am shown my cat in a group of pictures like
this, however, it does not mean that it is an
authentic server.
These picture might be a copy taken from the
authentic server, on which a phisher might be
trying to lure me to teach them my secret.
My volitional actions based on correct
knowledge are needed.

4. Now, I select 6 pictures, all of which are
meaningless to me.
If I am led to a password box, I am
watching a phishing server. I will
immediately ask the people in charge to
probe this server.
If am not led to a password box, it does
not necessarily mean that I am talking
with the authentic server.
We could repeat the same process
some more times to increase the level
of certainty.

5. I now select different pictures, all of
which are again meaningless to me.
If I am led to a password box here, I
am watching a phishing server.
Well, we need to consider the
possibility of a phisher speculating
that I might well teach them my
secret during the first few trials at a
high probability.
.

6. Critical in this scheme is that users are given
the freedom of choosing the stage at which
they select their secrets; they might select
them at the second or third stage. They might
also opt to repeat many more fake choices.
Here, I select yet different meaningless
pictures.
If I am shown a password box here, I need to
do the needful to get the phishing server
taken down.

7. Phishers, who are aware that they have
to predetermine at which stage they lure
the users to their fake log-in page, must
know they have only one chance for it.
The phishers are supposedly conscious
that their phishing server could be
probed immediately after the first
mismatch.
Here, I opt to make a fake choice again.

8. Another fake choice.

9. Now, I include my cat in this choice, although
I could opt to do so after several more fake
choices.
If I am not led to the password box here, it
tells that I have been talking with a phishing
server. I will do the needful.
If I am led to the password box, I judge that
this is the authentic log-in sever at a
reasonably high probability.
Users, who want to have a yet higher
certainty, may opt to spend a few more
minutes with another image of their hard-to-
forget episodic image memory.

10. Not for Low-Value Account
Very bothersome for users?
Yes, it takes as long as minutes instead of seconds.
This scheme is suggested for the passwords of high-
value accounts that justify spending an extra few
minutes for infrequent but critical occasions.

11. What Else?
Phishing is so hard to tackle. It would be no surprise if people look to the power of
2-Factor Authentication. But…
Phishers do not have to bother to judge whether a presented token is a certified
one or not, but could simply pretend to have judged it as correct before demanding
our passwords. The phished password could be abused elsewhere.
It is the phishers that control the screen shown to us. With this knowledge, we
might be able to hold our password; present a wrong token and see how the log-in
page behaves; if it is accepted, we are watching a phishing page. People who do not
have this knowledge could easily fall victim to phishers, possibly unknowingly.
Our own volitional actions based on correct knowledge are needed. In view of the
nature of phishing, we find no other ways.

12. More Tweaks
Whatever belongs to “our own volitional actions based on correct knowledge”
could work as an additional component; for instance, a world map on which we
register and locate a certain place where we had personally experienced an
unforgettable event that we still remember vividly after many years.
Needless to say, when we build a server-based Expanded Password System, we will
have it incorporate this defense layer of phishing detection.