In the more general case, window personalization may be applicable to any situation in which users need to confirm that an interface is being presented by an entity with which they have a prior trust relationship, and not by an imposter.
As one example, there have been a number of publicized cases of
fake automatic teller machines (ATMs), set up in public places and used
to steal card and PIN information from unsuspecting customers. If
window personalization were employed, the ATM
could be expected to display the user's personalized window style
at the time it requests the entry of the PIN number.
The absence
of the correct window style would be a signal that the machine did
not have access to the bank database of window styles corresponding
to cards, and therefore should be regarded with suspicion.
A similar problem arises in the case of point-of-sale (POS) transactions, in which the user must communicate with a trusted entity, the bank or perhaps the stored value card, via untrusted POS equipment belonging to the merchant. A corrupt merchant might have modified the POS equipment to display a false charge amount, in an attempt to trick the customer into entering a confirmation for a charge which is actually larger than that which appears on the POS display. If, however, a personalized display style is a shared secret between the user and the trusted entity, then the user can take the display of the charge amount in the correct style as confirmation that the amount displayed is the actual charge according to the trusted entity, even though it is displayed on untrusted equipment.
The careful reader will note that these examples are not fully
satisfactory. He will wonder: why can't a trojan horse POS system
perform a ``man in the middle'' attack -- actually connecting to the
POS network, observing the message transmitted in both directions,
and recording the information for later pickup? That attack is
certainly possible, although it requires substantial preparation;
the attacker would need to connect to the POS network (or subvert
an existing POS), properly authenticate the bogus POS machine to the
bank, and then interpret formatting messages coming from the bank
and properly adjust the display presented to the user. While this might
perhaps be possible, it certainly would require a much higher level
of skill to successfully pull off this attack.