Reversing the Phishing Life Cycle
By Tom Schmidt
As part of its wide-ranging project to combat phishing, the Financial Services Technology Consortium (FSTC) regularly communicates the toll that this threat is taking on individuals, financial institutions, and merchants. Its latest report offers strong evidence that the threat is evolving:
"Initially, only the largest banks were subject to phishing attacks, while smaller banks appeared immune. But recently, as the number, complexity, and sophistication of attacks have grown, retail securities firms and smaller banks are increasingly on attackers' hit lists. As attackers learn by doing, attack life cycles are accelerating, attack methods are multiplying, and ever more sophisticated and convincing ploys are surfacing."
That view is supported by the Anti-Phishing Working Group (APWG), a consortium of businesses and law enforcement officials. In its most recent report, the APWG said that there were 9,019 new, unique phishing campaigns reported over the course of December 2004, representing a 6 percent increase over November's total. Since July 2004, when there were only 2,625 reported attacks, the volume of new schemes has grown by approximately 38 percent.
The APWG also found that the number of individual companies targeted by the schemes is growing. There were 55 brands specifically mentioned in phishing campaigns in December -- up from 51 companies in November, and 44 in October 2004.
As both the FSTC and the recently formed Anti-Fraud Alliance have observed, phishing poses problems for the financial services industry not only because it costs its victims money and time, but also because it causes consumers to become suspicious of legitimate online interactions. Although indirect phishing-related costs are difficult to quantify, they far outweigh the direct costs to financial institutions. Shaky consumer confidence in the Internet as a channel for communications and commerce increases costs by driving customers to more expensive channels, such as telephone call centers and branch offices. Phishing can also damage an individual financial institution's reputation to the point that current and prospective customers migrate to institutions they perceive to be safer.
All is not gloom and doom, however. In the course of preparing its January report, the FSTC surveyed 60 vendors about available solutions to address the phishing problem. The survey results, according to the FSTC, "indicate a wellspring of entrepreneurial activity against phishing."
The phishing life cycle
The bulk of the solutions surveyed are designed to prevent or defend against an attack. But as the FSTC and the Anti-Fraud Alliance have noted, phishing attacks have a unique life cycle, and it is only by understanding that life cycle that better strategies will emerge for countering phishing threats. Increasingly it is understood that any technological solutions must embrace the entire spectrum of fraud defense, from consumer education all the way to law enforcement support. (Indeed, it was the recognition that solution providers must collaborate to bring better-integrated solutions to the financial services industry that led to the formation of the Anti-Fraud Alliance.)
Based on the FSTC's survey, and additional work by the FSTC's Counter Phishing project team, a number of recommendations were made, including "hardening" (i.e., securing) the consumer desktop, and improving authentication between financial institutions and customers.
Hardening the consumer desktop
As the FSTC, the Anti-Fraud Alliance, and other organizations have observed, customer education is one of the most effective ways for financial institutions to reduce the effectiveness of phishing exploits. Education affords these institutions an opportunity to reach out to customers with recommendations concerning consumer security best practices. Increasingly, this involves explicit advice on how to harden the consumer computer, including:
- Use a current browser that supports secure and private transactions.
- Install and regularly update virus detection software.
- Do not allow unauthorized access to the PC.
- Do not install pirated software or software from an unknown source.
- Use personal firewall software.
- Do not open email attachments from unknown sources.
- Make sure family members or others using the computer know what to do if it becomes infected.
Beyond these steps, the Banking Industry Technology Secretariat (BITS) has these recommendations for securing online transactions:
- Protect PINs and passwords; create PINs and passwords that do not use readily identifiable information like names, birthdates and phone numbers.
- When applying online for any financial account, ensure that you are dealing with a reputable, federally insured institution with secured Web pages.
- When at a financial institution Web site, check the site's URL to be sure it matches the bank's URL, and look for misspelled words or other signs that it may be "spoofed." Notify the financial institution if the site looks suspicious.
- Learn about your financial institution's capabilities for secure online financial services. All online contact with the institution should be only through its secured Web pages.
- Notify your financial institution of any suspicious email or telephone inquiries, such as those seeking account information or online passwords.
- Never make online financial transactions via sites and/or institutions with which you're not familiar. Many thieves set up fake sites to steal money from unsuspecting victims.
- Notify your financial institution immediately of any changes in your account information.
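The URL check in the BITS advice above can be made mechanical. The following is an added example, not code from the article or from BITS, of the comparison a customer (or a browser helper written for them) would perform: the host in the address bar must be the institution's registered domain or a subdomain of it, the page must be served over HTTPS, and common spoofing tricks (credentials embedded before an `@`, punycode or non-ASCII look-alike labels) are flagged. `examplebank.test` is a constructed placeholder for the institution's real domain.

```python
from urllib.parse import urlsplit

# Constructed placeholder; a real check would use the institution's actual domain.
BANK_DOMAIN = "examplebank.test"


def check_bank_url(url: str, bank_domain: str = BANK_DOMAIN) -> tuple:
    """Return (ok, reason) for whether `url` plausibly belongs to the bank.

    ok is True only when the scheme is https and the host is the bank's
    domain or a subdomain of it; every other case names the mismatch.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        return (False, "not https")
    # "https://bank@evil/..." puts the bank name in the user-info part, not the host.
    if parts.username is not None:
        return (False, "credentials embedded in URL")
    # Internationalised or punycode labels are a classic look-alike vehicle.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return (False, f"look-alike characters in host '{host}'")
    # Exact domain or a real subdomain; "examplebank.test.evil.test" fails here.
    if host != bank_domain and not host.endswith("." + bank_domain):
        return (False, f"host '{host}' is not under {bank_domain}")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample addresses: one genuine, the rest spoofed in different ways.
    for u in [
        "https://www.examplebank.test/login",
        "http://www.examplebank.test/login",
        "https://examplebank.test@evil.test/login",
        "https://examplebank.test.evil.test/login",
        "https://examp1ebank.test/login",
    ]:
        print(u, "->", check_bank_url(u))
```

The check deliberately matches on the whole registered domain rather than searching for the bank's name anywhere in the address, since a name that appears as a prefix, a path component or a user-info field is exactly what a spoofed site relies on.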
Mutual authentication
Perhaps more than any other type of online fraud, phishing highlights the challenge financial institutions and their customers face when it comes to authenticating each other. As the FSTC put it in its January report, "Better institution-to-customer authentication would prevent attackers from successfully impersonating financial institutions to steal customers' account credentials; and better customer-to-institution authentication would prevent attackers from successfully impersonating customers to financial institutions in order to perpetrate fraud."
Already, some financial institutions are experimenting with systems that require two-way and two-factor authentication. Two-way authentication involves issuing each user a secret image, which can then be presented back to the user as a means to verify that emails and Web sites are legitimate. When users come to a site, they enter their username and look for their personal image. When they see it, they know they are dealing with a real Web site -- not a fake. Then it's safe to enter their password and other sensitive information. Likewise, when their personal image is included in email, they know the email is trusted. Two-factor authentication is achieved by securely identifying the user's computer, and using the computer as a second authentication factor. Strong two-factor authentication can be achieved without requiring the site to distribute (or the customer to have) any new hardware or software. Customers benefit from the higher assurance being provided, increasing their trust and confidence leading to a greater willingness to take full advantage of the online channel.
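The two-step flow just described, as an added example that is not code from the article or from any vendor it mentions: the customer first sends only a username, the site answers with that customer's personal image, and only if the image is the expected one does the customer send the password together with a token that identifies the enrolled computer. `BankSite`, `SpoofedSite`, the image identifiers and the HMAC-based device token are all constructed for illustration; a look-alike site never received the image at enrolment, so the customer's check stops before the password is typed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    image_id: str                                      # personal image issued at enrolment
    device_nonces: set = field(default_factory=set)    # computers registered as a second factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BankSite:
    """Hypothetical institution site implementing the two-way, two-factor flow."""

    def __init__(self):
        self.accounts = {}
        self.device_key = secrets.token_bytes(32)   # signs the device tokens it issues

    def enroll(self, username, password, image_id):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt), image_id)

    def register_device(self, username):
        """Bind the current computer to the account; the browser keeps the returned token."""
        nonce = secrets.token_hex(16)
        tag = hmac.new(self.device_key, f"{username}:{nonce}".encode(), "sha256").hexdigest()
        self.accounts[username].device_nonces.add(nonce)
        return f"{nonce}.{tag}"

    def identify(self, username):
        """Step 1 (site-to-customer): given only the username, show the personal image."""
        acct = self.accounts.get(username)
        return acct.image_id if acct else None

    def login(self, username, password, device_token):
        """Step 2 (customer-to-site): password, plus the device token as second factor."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
            return "denied"
        if not self._device_valid(acct, device_token):
            return "step-up"   # right password from an unknown computer: ask for more proof
        return "granted"

    def _device_valid(self, acct, token):
        if not token or "." not in token:
            return False
        nonce, tag = token.split(".", 1)
        expected = hmac.new(self.device_key, f"{acct.username}:{nonce}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(tag, expected) and nonce in acct.device_nonces


class SpoofedSite:
    """A look-alike site that was never given the customer's image and can only guess."""

    def __init__(self):
        self.captured = []

    def identify(self, username):
        return "img-generic-lock"

    def login(self, username, password, device_token):
        self.captured.append((username, password))
        return "granted"


def customer_visit(site, username, expected_image, password, device_token):
    """The customer's procedure: verify the image before entering the password."""
    shown = site.identify(username)
    if shown != expected_image:
        return "abandoned"   # wrong or missing image: the password is never sent
    return site.login(username, password, device_token)


if __name__ == "__main__":
    bank = BankSite()
    bank.enroll("alice", "correct horse", "img-sailboat")   # constructed sample account
    token = bank.register_device("alice")
    print(customer_visit(bank, "alice", "img-sailboat", "correct horse", token))   # granted
    print(customer_visit(bank, "alice", "img-sailboat", "correct horse", None))    # step-up
    print(customer_visit(SpoofedSite(), "alice", "img-sailboat", "correct horse", token))  # abandoned
```

The device token is a server-keyed MAC over the username and a per-enrolment nonce, so a token copied to another account name fails verification, and a password typed on an unregistered computer yields "step-up" rather than access, which is where an institution would insert its additional risk-based check. Note that the image only proves the site holds a per-account secret; it does not help if an attacker relays the genuine site's responses to the customer, which is one reason the FSTC treats mutual authentication as unfinished work.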
But much work remains to be done, as is evident in the FSTC's call for a new project to investigate adoption and deployment of better mutual authentication practices across multiple channels and based on industry standards. Such practices must be customer friendly, easy to use, attack resistant, and adaptive based on risk.
Conclusion
Although phishing continues to pose a costly and formidable threat to financial institutions, positive signs can be discerned on the landscape. To begin with, financial institutions are gaining more insight every day into the problem of phishing -- and ways to respond more effectively to it. At the same time, there has been an upturn in technology development -- pilots, proofs-of-concept, tests, and demonstrations -- aimed at combating phishing. And vendors themselves are stepping up their collaborative efforts to provide comprehensive, integrated phishing solutions. In time, these efforts should go a long way toward restoring consumer confidence in online transactions.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.