No simple solution to phishing problem: experts

A number of industry experts are suggesting a mixture of education and technology will be necessary in order to combat the growing number of phishing incidents.

Phishing, a form of online identity fraud, combines spam e-mail messages and Web pages that look like legitimate e-commerce sites in order to steal user names, passwords, bank account and credit card numbers.

Late last month credit card and payments company MasterCard International Inc. said it was partnering with NameProtect Inc., an online brand protection service, to combat online identity theft and a black market in stolen credit card numbers.

MasterCard will have access to data from NameProtect’s Internet detection technology and systems, which monitor and filter a variety of online information sources to identify new fraud campaigns.

The companies will also work with law enforcement to shut down Internet sites and tools used by identity thieves, the companies said in a joint statement.

Mississauga-based Brandimensions Inc. offers a similar online fraud detection service. Its chief operating officer Bradley Silver described it as a “honey pot solution” where the company puts hundreds of thousands of e-mail addresses out on the Internet to purposely act as a spam magnet.

“We attract as much spam as we can possibly get…and we have algorithms that analyze the message’s content, read the domain name, and check the links” to determine if they are phishing-related, Silver said. A project manager then looks at the message to confirm the findings and “conducts a number of different activities as defined by the client to minimize the amount of damage that can be afflicted at the time of the attack.”

Kraig Lane, Norton Internet Security’s Santa Monica, Calif.-based group product manager, said Norton’s products include spam-filtering technologies that help eliminate some phishing messages from the get-go. The software also makes warnings pop up if a customer is filling out confidential information on an insecure Web site or sending it through an instant message.

Tristan Goguen, president of Toronto-based Internet service provider Internet Light and Power, said his firm is planning to add anti-phishing capabilities to its challenge-response antispam software, iPermitMail, which sends one automated message back to the sender, asking for identity verification. The next step will be to include a way to “validate the message against the correct or known e-mail system that it should be coming from. If it’s not coming from a system that it should be coming from, it can be flagged as potential fraud.”

Goguen admitted that this technique will not protect users from phishing messages being sent from hijacked e-mail servers, but that’s where the importance of creating multiple layers of security comes in. “By themselves they won’t necessarily stop a break-in but collectively they will deter people from causing trouble.”
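A minimal sketch of the kind of check Goguen describes, added here as an illustration and not taken from iPermitMail or any vendor: the message's claimed sender domain is compared with the networks that domain is known to send from. The domain `bank.example`, the address ranges, the function names and the sample messages are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed table (assumption): networks each brand is known to send mail from.
KNOWN_SENDERS = {"bank.example": [ipaddress.ip_network("192.0.2.0/28")]}

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """Peer IP from the topmost Received header, the one our own server added.
    Lower Received headers are supplied by the sender and cannot be trusted."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:  # e.g. an octet above 255
        return None

def classify(raw):
    """Return 'known-system', 'potential-fraud' or 'unknown-domain'."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    networks = KNOWN_SENDERS.get(domain)
    if networks is None:
        return "unknown-domain"  # no list of known systems to validate against
    ip = connecting_ip(msg)
    if ip is None or not any(ip in net for net in networks):
        return "potential-fraud"  # claims the brand, arrives from elsewhere
    return "known-system"

def sample(ip, sender="Bank Support <support@bank.example>"):
    """Build a constructed test message that arrived from the given peer IP."""
    return (f"Received: from mail.bank.example (mail.bank.example [{ip}])\n"
            "\tby mx.isp.example; Mon, 1 Jan 2024 00:00:00 +0000\n"
            f"From: {sender}\n"
            "Subject: Please verify your account\n\nbody\n")

if __name__ == "__main__":
    print(classify(sample("192.0.2.5")))     # sent from a listed network
    print(classify(sample("203.0.113.77")))  # same From, unlisted network
    # Limitation noted in the article: a phishing message relayed through a
    # hijacked server inside 192.0.2.0/28 would also be 'known-system'.
```

The check only constrains where a message came from, which is why it is one layer among several: content and link analysis still have to catch mail sent through a compromised but legitimate system.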

However, no matter how many safety mechanisms might be built into security software, users could still fall for a clever phishing scam if they are tired and stressed out, Goguen said, adding that he advocates dealing with the root of the problem by moving away entirely from anonymity on the Internet.

“The industry as a whole must ensure that senders are in fact who they are. Only collectively can we apply the technology to make that happen.”

Robert Garigue, chief information security officer for the Bank of Montreal in Toronto, said he expects to see more technological responses to phishing coming down the pipe, “things like smart cards and the use of one-time passwords.”

But the best protection, he said, is awareness about how to recognize fraudulent e-mails. Banks must do their part by sending out literature to their customers warning them about fraud, but ultimately it is the customer who needs to be vigilant.