Phishing: Don’t get hooked!
By Mukesh Gupta, Managing Director, E92plus Limited Wednesday, 12 October 2005 12:52 EST
The summer of 2003 saw the rapid rise of a new kind of Internet-related fraud scheme. The fraudsters themselves have nicknamed the scheme "phishing", and rightly so: they fish for the naïve end user's static PIN code, bank account information, or credit card number and expiry date.
Once they have obtained that crucial secret information, they fish the victim's bank account dry or go shopping at his expense with the stolen credit card details. The right technology, such as strong user authentication, combined with user education can dramatically reduce their catch.
A phisher typically proceeds as follows. To capture a victim's static PIN codes or credit card information, he builds a web site that is an exact copy of the site of the financial institution where the end user holds an account. An address-bar spoofing bug in Internet Explorer is then used to display the address of the real web site, hiding the fact that the end user is in a trap.
Luring users into the trap could not be simpler: the phisher sends a mass mailing, with a spoofed sender address, to a multitude of e-mail addresses. Once an unsuspecting victim enters his secret information on the fake web site, the criminal can process the harvested data in batch whenever he feels like it; there is no time pressure at all. Batch processing is extremely convenient for the fraudster, since he does not have to be present when the username/password pairs arrive and a static password is as good tomorrow as it is today. His victim wakes up one morning to an unpleasant surprise: an empty bank account.
Solutions to prevent phishing schemes are twofold.
1. Education
The first part of the solution is creating awareness that phishing schemes exist. This is a task for governments, financial institutions, specialised organisations, the media and security companies all over the world. Many are already doing so; nevertheless, MailFrontier found that 40% of people who read a fraudulent Citibank e-mail earlier this year thought it was genuine. We can only imagine what would happen if phishing were to spread to countries and regions where the public has not been informed. This clearly shows that informing the market is only part of the solution.
2. Strong User Authentication
Static passwords are simply not suited to an open channel such as the Internet: anything the user types can be captured and replayed later. The answer is the use of time-based one-time password generators, commonly known as strong authentication tokens.
Strong authentication tokens generate one-time passwords that change constantly, so a captured password is worthless after a short time.
Digipass strong authentication tokens can be used in four different modes.
1. Time based one-time passwords
2. Time based Challenge/Response
3. Time based Signature Function
4. Host/website authentication
The first two modes make phishing far more difficult, and therefore dramatically less profitable, for fraudsters.
The basic application, time-based one-time passwords, puts the fraudster under extreme time pressure: a captured password is only accepted by the bank for a short window, so it has to be used immediately and batch processing of stolen credentials is no longer possible.
Time-based challenge/response adds a further security layer. The phisher has to wait for an end user to send a username, and then interpose himself in real time in the communication between the user and the financial institution, passing on the bank's challenge and relaying the user's response.
The time-based signature function and host/website authentication make phishing virtually impossible. Even if a fraudster gets hold of the signature for a transaction, he cannot re-use it: the signature is computed over the transaction data itself, so that data cannot be altered without invalidating the signature, and a fresh signature from the user's token would be required. No catch on this phishing trip.
Host/website authentication lets the end user verify the authenticity of the web site he is visiting, by authenticating his bank rather than the other way round. Again, the phisherman's net comes up empty.
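The four modes above, as an added worked example that is not code from the original article or from VASCO. It models each mode as an HMAC-SHA1 code over a time step plus whatever data the mode binds in, loosely following HOTP/TOTP (RFC 4226 and RFC 6238) rather than the proprietary Digipass algorithm; the shared secret, the 30-second step, the one-step drift tolerance and the account numbers are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example: one secret shared between a token and the bank's
# authentication server. Hypothetical value, not a real Digipass key.
TOKEN_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 30   # assumed length of one time step (token and server clocks)
DRIFT_STEPS = 1     # assumed tolerance: the server also accepts the previous step


def _step(now: int) -> bytes:
    """Time counter as an 8-byte big-endian value, HOTP/TOTP style."""
    return struct.pack(">Q", int(now) // STEP_SECONDS)


def _code(secret: bytes, tag: bytes, step: bytes, *data: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 over mode tag, time step and any bound data, truncated to a
    decimal code with the dynamic truncation of RFC 4226."""
    mac = hmac.new(secret, b"|".join((tag, step) + data), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _verify(secret: bytes, code: str, now: int, tag: bytes, *data: bytes) -> bool:
    """Server side: recompute for the current step and the tolerated drift and
    compare in constant time. Nothing older than that is ever accepted."""
    for drift in range(DRIFT_STEPS + 1):
        expected = _code(secret, tag, _step(now - drift * STEP_SECONDS), *data)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Mode 1: time-based one-time password, valid only for the current step.
def time_otp(secret: bytes, now: int) -> str:
    return _code(secret, b"otp", _step(now))


def verify_time_otp(secret: bytes, otp: str, now: int) -> bool:
    return _verify(secret, otp, now, b"otp")


# Mode 2: time-based challenge/response. The bank's challenge is bound into the
# code, so the phisher must relay the genuine challenge to the victim in real time.
def challenge_response(secret: bytes, challenge: str, now: int) -> str:
    return _code(secret, b"cr", _step(now), challenge.encode())


def verify_challenge_response(secret: bytes, challenge: str, response: str, now: int) -> bool:
    return _verify(secret, response, now, b"cr", challenge.encode())


# Mode 3: transaction signature. Beneficiary and amount are bound into the code,
# so a captured code authorises that one transfer and nothing else.
def sign_transaction(secret: bytes, beneficiary: str, amount_cents: int, now: int) -> str:
    return _code(secret, b"sig", _step(now), beneficiary.encode(), str(amount_cents).encode())


def verify_transaction(secret: bytes, beneficiary: str, amount_cents: int, sig: str, now: int) -> bool:
    return _verify(secret, sig, now, b"sig", beneficiary.encode(), str(amount_cents).encode())


# Mode 4: host/website authentication. The bank displays a code that only the
# holder of the token secret can produce; the token recomputes it so the user
# can check that the site is the real bank.
def host_code(secret: bytes, now: int) -> str:
    return _code(secret, b"host", _step(now))


def token_checks_host(secret: bytes, shown: str, now: int) -> bool:
    return _verify(secret, shown, now, b"host")


def phishing_replay_demo() -> dict:
    """Constructed scenario: a fake site captures the victim's codes at t=1000 and
    the fraudster tries to use them in batch an hour later. Returns what the bank accepts."""
    t_capture, t_batch = 1000, 1000 + 3600
    stolen_otp = time_otp(TOKEN_SECRET, t_capture)
    stolen_sig = sign_transaction(TOKEN_SECRET, "GB00 VICTIM PAYEE", 2500, t_capture)
    fake_site = host_code(b"phisher-guess", t_capture)  # the phisher has no token secret
    return {
        "otp_used_at_once": verify_time_otp(TOKEN_SECRET, stolen_otp, t_capture),
        "otp_used_in_batch": verify_time_otp(TOKEN_SECRET, stolen_otp, t_batch),
        "sig_same_transfer": verify_transaction(TOKEN_SECRET, "GB00 VICTIM PAYEE", 2500, stolen_sig, t_capture),
        "sig_altered_payee": verify_transaction(TOKEN_SECRET, "GB00 FRAUDSTER", 2500, stolen_sig, t_capture),
        "sig_altered_amount": verify_transaction(TOKEN_SECRET, "GB00 VICTIM PAYEE", 999900, stolen_sig, t_capture),
        "fake_site_passes_host_check": token_checks_host(TOKEN_SECRET, fake_site, t_capture),
    }


if __name__ == "__main__":
    for outcome, accepted in phishing_replay_demo().items():
        print(f"{outcome}: {'accepted' if accepted else 'rejected'}")
```

Running the demo shows the point of each mode: the stolen one-time password is accepted if used immediately and rejected an hour later, the transaction signature is accepted only for the exact payee and amount it was generated for, and a site that does not hold the token secret cannot produce a host code the token will confirm. The caveat a practitioner should keep in mind is that modes 1 and 2 only remove the batch option; a phisher who proxies the victim's session in real time still gets in, which is why binding the transaction data into the code (mode 3) is the layer that actually stops the money moving, and mode 4 only helps if the user actually compares the displayed code with the token.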
For credit and debit card transactions there is a solution too. Visa, MasterCard and Europay have launched EMV. This smart card standard is set to become the worldwide credit card standard and to replace the current generation of magnetic stripe cards. The chip on an EMV card allows financial institutions to add strong user authentication functions. That way, users who want to pay online with their credit card no longer have to give away their card number and expiry date on the Internet: the combination of an EMV card and a strong authentication token that can read the card is sufficient to perform e-commerce transactions securely. The first EMV projects with strong authentication tokens are under way right now at renowned financial organisations such as Barclaycard.
Phishers take advantage of the public's lack of information about their schemes and of the use of static secrets on the Internet. Although 100% security does not exist, we can safely state that the combination of an informed public and the use of strong authentication tokens is a simple and cost-effective answer to phishing schemes.
Both E92plus and VASCO Data Security are exhibiting at Infosecurity Europe 2006, Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on 26th to 28th April 2006 in the Grand Hall, Olympia, it is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk