Notorious criminal John Dillinger, when asked why he robbed banks, is supposed to have replied, “That’s where the money is.” Financial institutions, e-commerce sites and anyone who does any kind of monetary transaction on the Web are the primary targets of phishing scams, since it is within these institutions that customers have money.
Phishing is an online scam designed to entice and/or fool people into give up personal information that can then be used to access bank or other online accounts. Visa Canada and the RCMP estimate that 200,000 Canadians have been targeted by phishing scams and that last year some 13,000 Canadians were the victims of identity theft, at a cost of $21.5 million. According to a national study published in September by the Ponemon Institute and sponsored by NACHA, an electronic payments association and TRUSTe, an online privacy organization, 76 per cent of American consumers reported being victims of a spoofing or phishing attempt and that an estimated $US500 million was lost to such scams.
A major problem with information security is an over reliance upon passwords as a means of protecting personal information. Passwords, while convenient, are often too easily compromised unless a stringent set of policies defines how these should be used. Microsoft’s Bill Gates recently said companies must consider deploying such things as biometrics or smart card technology in order to improve security.
Several companies offer biometric products that can use fingerprints to authenticate a person’s identity: Rancho Santa Margarita, Calif.-based Security First Corp. offers several biometric keyboard, laptop and mouse optical fingerprint readers and silex technology america Inc., a U.S. subsidiary of silex technology Inc., entered into a new reseller agreement under which Fujitsu Microelectronics America Inc. will market silex’s fingerprint authentication products in North America.
Fremont, Calif.-based ActivCard Corp. showcased the ActivCard Token solution at the Cartes Trade show in Paris, a one-time password token solution for retail banking customers, aimed at combating phishing. The ActivCard Token comes on a key chain and generates a one-time passwords for secure, remote access to banking information. Microsoft is currently promoting its Sender ID solution as a way to add more comprehensive security for online transactions and to protect personal information. Sender ID verifies that every e-mail message originates from the Internet domain from which the e-mail claims to be from by checking the address of the server sending the e-mail against a registered list of servers from which the owner of the e-mail is allowed to send. If these don’t match, then the e-mail is not delivered. Phishing scams attempt to make e-mails appear as though they are sent from legitimate companies, when in fact these phishing e-mails originate from servers that have nothing to do with the company from which the e-mails claim to be.
The Financial Services Technology Consortium (FSTC), a group that builds alliances between financial institutions and technology vendors, has embarked on a counter-phishing initiative that will make technology solutions available that are designed to combat phishing. The goal is to publish a report that provides a taxonomy of phishing attacks and constructs a framework of tested solutions that companies can deploy.
Chuck Wade, project leader of the study, and an independent consultant with the Interisle Consulting Group in Boston, Mass., said no single technology or solution set can effectively combat phishing. He likens the situation to treating AIDS, where the virus is treated not with a single drug, but with a combination of drugs and many other treatments.
Right now, companies must deal with two kinds of phishing attacks: those involving e-mail and those that use some kind of virus or malware.
E-mail phishing scams are the most common right now. These range from the classic Nigerian e-mail scam — which tells people they can cash in on a supposed African fortune if they are willing to send money or open bank accounts to help unlock the frozen monies — to those that appear to be legitimate e-mails originating from banks or credit card companies threatening to close a person’s banking or credit account unless banking and other personal information is immediately provided.
Peter Cassidy, secretary general of the Anti-Phishing Working Group in Cambridge, Mass., an organization focused on monitoring and eliminating phishing and identity theft, said appromately 99 per cent of most phishing scams are of the classic e-mail type.
Banks and credit card companies today rely on customer education to help people identify these kinds of scams. Customers are told that bank or credit card companies would never send out an e-mail demanding personal information. But education doesn’t always work.