How Can We Stop Phishing and Pharming Scams?
by Paul L. Kerstein
Both types of scams lead unsuspecting customers to give up valuable personal and financial information. Phishing e-mails entice users to a fake website where they enter personal data. Pharming pop-up boxes appear at reputable websites and hijack the user, who enters financial data at an illegitimate URL. U.S. companies lose more than $2 billion annually as their clients fall victim, and they've finally started implementing a number of countermeasures.

One countermeasure is software. In addition to anti-spyware and anti-adware tools, developers have introduced applications that collect and store personal data while keeping it safely encrypted on the user's hard drive. When a user enters personal information in reply to an unknown e-mail address or in a mysterious pop-up box, the software displays an alert. There are also downloadable tools for web browsers that rate websites based on Secure Sockets Layer (SSL) technology, an internet protocol for sharing sensitive information. Most software options check against an updated database of blacklisted phishing sites and IPs.

Bank of America recently implemented the use of personal digital images with a security feature called SiteKey. The user chooses an image to appear when he logs on. If the secret image does not appear, he has logged on to the wrong place. SiteKey, secret phrases, three challenge questions and the standard user names and passwords will be used for all BoA customers by this fall.

A similar technology using visual cues has been developed by Green Armor Solutions. Drawing on psychology, a website uses a visual cue that's easily remembered, such as a colored box with a word in a different colored text. The cue is generated mathematically with a one-way hash function and a secret key. Users will see the same personalized cue each time. Phony sites will not be able to produce the correct cue, so users will know something is wrong.

Another interesting approach has been suggested by Robert X. Cringely, a columnist for PBS and Infoworld. Cringely thinks we should fight fire with fire. For example, a phisher may send out a million e-mails and yield useful information from 100 replies with hardly any effort. If everyone who received phishing e-mails replied with false information, the criminal would be forced to cull through a million replies to get at the 100 with useful information. While this requires the user to take time to fill out the forms, it would increase the phisher's labor exponentially, greatly reducing the profitability of the scam.

There are sites that limit the number of failed sign-on attempts per day from a single IP. Others won't use pop-ups during registration and log-in procedures. Some companies have eliminated the e-mail relationship entirely, warning their customers through mailings sent with monthly statements.

A nationwide survey by the Cyber Security Industry Alliance in May found that nearly half of voters nationwide claimed fears of identity theft prevented them from conducting business online. Retailers, banks and software developers are scrambling to keep up as criminals find new ways around security systems, but what can they do? Is there a silver bullet? What do you think?
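The keyed one-way hash behind the visual-cue schemes described above, as an added example that is not Green Armor's or Bank of America's own code: the palettes, user names and keys are constructed for the demo, and HMAC-SHA256 stands in for whatever hash the vendors use.

```python
import hmac
import hashlib

# Constructed demo palettes; a real site would choose its own (and a larger) set.
BOX_COLORS = ["red", "green", "blue", "orange", "purple", "teal", "gold", "gray"]
TEXT_COLORS = ["white", "black", "yellow", "navy"]
WORDS = ["anchor", "harbor", "maple", "comet", "lantern", "orchid", "falcon",
         "meadow", "quartz", "willow", "ember", "saddle", "tundra", "violet",
         "beacon", "cinder"]

# Constructed keys: the genuine site holds REAL_KEY; a phony site does not.
REAL_KEY = b"constructed-site-secret-for-demo"
PHONY_KEY = b"whatever-the-fake-site-guesses"


def personal_cue(site_key: bytes, user_id: str) -> dict:
    """Derive a stable visual cue (box colour, text colour, word) for user_id.

    HMAC-SHA256 keyed with the site's secret is the one-way function: the same
    user always gets the same cue, and without site_key the digest (and so the
    cue) cannot be reproduced, only guessed.
    """
    digest = hmac.new(site_key, user_id.encode("utf-8"), hashlib.sha256).digest()
    return {
        "box": BOX_COLORS[digest[0] % len(BOX_COLORS)],
        "text": TEXT_COLORS[digest[1] % len(TEXT_COLORS)],
        "word": WORDS[digest[2] % len(WORDS)],
    }


def render_cue(cue: dict) -> str:
    """Text stand-in for the coloured box a browser would draw."""
    return f"[{cue['box']} box] '{cue['word']}' in {cue['text']} text"


def cue_is_genuine(site_key: bytes, user_id: str, shown: dict) -> bool:
    """The check the user performs: does the cue shown equal the expected one?"""
    return personal_cue(site_key, user_id) == shown


def phony_site_detected(user_ids: list) -> bool:
    """True if the phony site's cue differs from the genuine one for at least one
    user. With 512 possible cues a lucky match is possible for a single user,
    so the check is run over several."""
    return any(personal_cue(REAL_KEY, u) != personal_cue(PHONY_KEY, u)
               for u in user_ids)


if __name__ == "__main__":
    for user in ["alice", "bob"]:
        print(user, "->", render_cue(personal_cue(REAL_KEY, user)))
```

Because the cue is looked up by user identifier, it defeats a static copy of the login page but not a relay that forwards the identifier to the real site and echoes the cue back. It is a check the user must actually perform, not a replacement for verifying the site itself.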
While technical solutions are very desirable, and should include both hardware and software, user education, self-policing, and heavy criminal penalties are important components of any solution. The Internet community needs better tools for self-policing and directing criminal activity to policing authorities, where cybercrime can be investigated, and criminals charged and incarcerated. Much integration remains between police forces and lawmakers both nationally and internationally. The Internet needs to show a strong and unified face that cybercrime is serious and penalties are significant.
Barry Monette
Roger Harr
Marc Gartenberg

If e-Commerce was based on a closed medium - like secure IM - the majority of these scams would be defeated before they start. You can't IM me if you're not on my buddy list! It's a very simple proposition to build in additional security measures like encryption and secure authentication. It's simpler still to log all the traffic too. Financial transactions and communications should be based on a "closed" system... not an open one fraught with abuse.
Joe Heinzen
CSOonline.com, July 19, 2005. 2002-2006 CXO Media Inc. All rights reserved.