Computer Crime Research Center


A Phish Story

Date: March 30, 2005
Source: US Banker
By: Michael Sisk

... recent report. "Financial institutions and government should consider a number of steps to reduce on-line fraud, including upgrading existing password-based single-factor customer authentication systems to two-factor authentication; using scanning software to proactively identify and defend against phishing attacks. The further development and use of fraud-detection software to identify account hijacking, similar to existing software that detects credit card fraud, could also help to reduce account hijacking; strengthening educational programs to help consumers avoid on-line scams, such as phishing, that can lead to account hijacking and other forms of identity theft and take appropriate action to limit their liability; and placing a continuing emphasis on information sharing among the financial services industry, government, and technology providers."

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. When a customer logs onto the Web site to receive a PIN, a phone call is placed to the customer's home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn't require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Peter Tapling, CEO of Authentify, says "the challenge of all on-line transactions is that the endpoint is a computer. We enable the endpoint to be a human. We tie the human being to the Internet transactions and anchor the transaction in the real world. A good phisher can get information, but not if one of the requirements of getting that information is physically sitting in the person's home and answering the phone." Tapling says Authentify's technology, which is also being used by Bank of America to deliver digital certificates for commercial customers, is most often used during high-value transactions, such as first-time interactions and account-control changes.

Leonard Rowe, corporate svp and director of e-business at Associated Bank, says that "customers wanted instant gratification" when it came to getting PINs, which resulted in many time-consuming, expensive calls to the call center. "Voice biometrics was the only legitimate ID technology with a legitimate business case," he says. Specifically, the infrastructure was in place, it is easy to use, and customer acceptance is high. A retinal scanner, by comparison, fails on all these points, he says. Retinal scanners would have to be installed at all customers' homes and at the bank, and then the customers would have to put their eyes in the laser. "If you ask customers, 'which do you prefer, put your eye in a laser, or talk on the phone?' Guess what they're going to say."

Authentify's product is but one example in the wave of technology being released to combat phishing. "There's a ton of great stuff out there," says TowerGroup's Tubin. "The path of phishing attack is being combated at every stage."

Gene Neyer, head of the Financial Services Technology Consortium's counterphishing effort, says "phishers are nimble, but the people defending the channels are nimble as well. The situation is not dire, but we cannot afford to relax at all."

To that end, Corillian's Fraud Detection System can detect when phishers are building a fake Web site and preparing for an attack. By reading Web logs, "we can see phishers coming to a site and see indicators of phishers building a site before e-mails are launched," Maloney says. The technology processes 3,000 Web log lines per second. A typical Web log generates one million to five million lines per day, with each line composed of 21 fields.
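The article does not say which Web-log indicators are used. As an added illustration (not Corillian's code), the sketch below checks one commonly used signal: requests for the bank's own login-page assets that arrive with a Referer from an outside host, which is what a copied page that still loads the original images produces. The hostnames, paths, threshold and the Combined Log Format sample lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

OWN_HOSTS = {"www.examplebank.test", "examplebank.test"}  # assumed names, not from the article
WATCHED_PREFIXES = ("/login", "/img/", "/css/")   # assets a copied login page reuses
MAX_BUILD_CLIENTS = 2                             # assumed triage threshold

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def foreign_referrers(lines):
    """Group requests for watched assets by the outside host that referred them."""
    seen = defaultdict(lambda: {"clients": set(), "paths": set(), "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(WATCHED_PREFIXES):
            continue
        host = (urlparse(m["referer"]).hostname or "").lower()
        if not host or host in OWN_HOSTS:
            continue  # direct hits and the bank's own pages are expected
        entry = seen[host]
        entry["clients"].add(m["ip"])
        entry["paths"].add(m["path"])
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    return seen

def triage(lines):
    """Few distinct clients behind a referrer suggests a page still being tested."""
    report = {}
    for host, e in foreign_referrers(lines).items():
        phase = "possible-build" if len(e["clients"]) <= MAX_BUILD_CLIENTS else "possible-live"
        report[host] = (phase, len(e["clients"]), sorted(e["paths"]), e["first_seen"])
    return report

def _line(ip, ts, path, referer):  # builds one constructed sample log line
    return (f'{ip} - - [30/Mar/2005:{ts} +0000] "GET {path} HTTP/1.1" '
            f'200 2048 "{referer}" "Mozilla/4.0"')

SAMPLE_LOG = [  # constructed sample data, documentation IP ranges
    _line("192.0.2.10", "09:00:01", "/login", "-"),
    _line("192.0.2.10", "09:00:02", "/img/logo.gif", "http://www.examplebank.test/login"),
    _line("198.51.100.7", "09:14:40", "/img/logo.gif", "http://staging.example.net/bank/index.html"),
    _line("198.51.100.7", "09:14:41", "/css/site.css", "http://staging.example.net/bank/index.html"),
    _line("203.0.113.1", "11:02:10", "/img/logo.gif", "http://secure-update.example.org/verify.php"),
    _line("203.0.113.2", "11:02:12", "/img/logo.gif", "http://secure-update.example.org/verify.php"),
    _line("203.0.113.3", "11:02:15", "/img/logo.gif", "http://secure-update.example.org/verify.php"),
]
```

Calling `triage(SAMPLE_LOG)` returns one entry per outside referring host; a host seen from only one or two clients is a candidate for review before any e-mail campaign has driven real customers to it.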

Meanwhile, Falcon ID's capabilities include the real-time sharing of critical information between companies in the same industry and across different industries to detect when an identity is compromised. The technology evaluates transactions throughout the customer lifecycle, and detects identity fraud at any point when an identity is susceptible to compromise, such as account activation and management.

When a phishing attack is launched, often the most pressing need for the impersonated bank is to take down the site. A year ago this would have taken several days, but the industry has quickly moved to close this window. Cyota's FraudAction is an anti-phishing service that includes real-time alerts, detailed severity assessment, site shutdown services, forensics and proprietary countermeasures. It is used by five top U.S. and British banks, including Barclays Bank of Britain. Bennett, Cyota's CEO, says the company has lowered the lifespan of a typical phishing site to five hours, compared to an industry average of 6.4 days.

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. "It looks like real user names and passwords, but it's just a hodgepodge," Bennett says. It compromises the phisher's data, making it a painstaking process to sort out the legitimate accounts. "We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers," Bennett says.

Industry watchers say phishers will continue to increase their sophistication. Of particular concern are new Trojan horses that infect consumer computers and steal data and passwords by observing keystrokes without the consumer knowing their security has been compromised. Also, as larger banks become more adept at staving off attacks, phishers are likely to move downstream and attack regional and mid-sized banks that haven't been as vigilant in counterphishing measures. Bennett notes one mid-sized bank that was attacked 10 times in August and 283 times in October. One of his top-10 bank clients, by comparison, was attacked 107 times in October. "Phishing has become a problem overnight because it has leveraged the infrastructure of spam," says the FSTC's Neyer. "And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place."