CSO Talk Back

How Can We Stop Phishing and Pharming Scams?
by Paul L. Kerstein

According to Gartner, between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million. The Computing Technology Industry Association has reported that pharming occurrences are up for the third straight year.

Both types of scams lead unsuspecting customers to give up valuable personal and financial information. Phishing e-mails entice users to a fake website where they enter personal data. Pharming pop-up boxes appear at reputable websites and hijack the user, who then enters financial data at an illegitimate URL. U.S. companies lose more than $2 billion annually as their clients fall victim, and they’ve finally started implementing a number of countermeasures.

One countermeasure is software. In addition to anti-spyware and anti-adware tools, developers have introduced applications that collect and store personal data while keeping it encrypted on the user’s hard drive. When a user enters personal information in reply to an unknown e-mail address or in a mysterious pop-up box, the software displays an alert. There are also downloadable browser tools that rate websites based on Secure Sockets Layer (SSL) technology, an internet protocol for sharing sensitive information. Most software options check against a regularly updated database of blacklisted phishing sites and IP addresses.

Bank of America recently implemented the use of personal digital images with a security feature called SiteKey. The user chooses an image to appear when he logs on. If the secret image does not appear, he has logged on to the wrong place. SiteKey, secret phrases, three challenge questions and the standard user names and passwords will be used for all BoA customers by this fall. A similar technology using visual cues has been developed by Green Armor Solutions. Drawing on psychology, a website uses a visual cue that’s easily remembered, such as a colored box containing a word in text of a different color. The cue is generated mathematically with a one-way hash function and a secret key, so users see the same personalized cue each time. Phony sites will not be able to produce the correct cue, so users will know something is wrong.
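As an added illustration (not code from the article, Bank of America or Green Armor Solutions), the keyed one-way hash scheme described above can be sketched in Python: HMAC-SHA256 over the username with a server-held secret yields a box color, a contrasting text color and a word. The palette, word list, usernames and keys are constructed for this example.

```python
import hmac
import hashlib

# Constructed palette and word list for this example; the real products
# use their own images and cues.
COLORS = ["red", "blue", "green", "orange", "purple", "teal", "brown", "gray"]
WORDS = ["harbor", "maple", "comet", "anchor", "meadow", "lantern", "falcon", "violet"]


def personalized_cue(server_key: bytes, username: str) -> dict:
    """Derive a user's visual cue from a secret key and their identity.

    HMAC-SHA256 acts as the keyed one-way function: the same user always
    gets the same cue on the genuine site, while anyone without the
    server's key (a phony site) cannot compute it. The username is
    lower-cased on the assumption that logins are case-insensitive.
    """
    digest = hmac.new(server_key, username.lower().encode("utf-8"),
                      hashlib.sha256).digest()
    box = digest[0] % len(COLORS)
    # An offset of 1..7 guarantees the text color differs from the box color.
    text = (box + 1 + digest[1] % (len(COLORS) - 1)) % len(COLORS)
    return {
        "box_color": COLORS[box],
        "text_color": COLORS[text],
        "word": WORDS[digest[2] % len(WORDS)],
    }


def render_cue(cue: dict) -> str:
    """Describe the cue as it would be shown on the login page."""
    return f"{cue['box_color']} box with '{cue['word']}' in {cue['text_color']} text"


def cue_matches(expected: dict, shown: dict) -> bool:
    """The user's mental check: does the displayed cue match the one they
    remember? A mismatch means the page is not the genuine site."""
    return expected == shown


if __name__ == "__main__":
    genuine_key = b"constructed-server-secret-keep-this-private"
    phony_key = b"constructed-key-the-phisher-guessed"
    remembered = personalized_cue(genuine_key, "alice")
    shown_by_phony = personalized_cue(phony_key, "alice")
    print("Genuine site shows:", render_cue(remembered))
    print("Phony site shows:  ", render_cue(shown_by_phony))
    print("Cue matches what the user remembers:", cue_matches(remembered, shown_by_phony))
```

The cue is only as secret as the server key: an attacker who cannot obtain that key can at best guess one of the 448 possible cues for a given user.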

Another interesting approach has been suggested by Robert X. Cringely, a columnist for PBS and Infoworld. Cringely thinks we should fight fire with fire. For example, a phisher may send out a million e-mails and harvest useful information from 100 replies with hardly any effort. If everyone who received phishing e-mails replied with false information, the criminal would be forced to cull through a million replies to get at the 100 with useful information. While this requires users to take the time to fill out the forms, it would dramatically increase the phisher’s workload, greatly reducing the profitability of the scam.

There are sites that limit the number of failed sign-on attempts per day from a single IP address. Others won’t use pop-ups during registration and log-in procedures. Some companies have eliminated the e-mail relationship entirely, warning their customers through mailings sent with monthly statements.

A nationwide survey by the Cyber Security Industry Alliance in May found that nearly half of voters claimed fears of identity theft prevented them from conducting business online. Retailers, banks and software developers are scrambling to keep up as criminals find new ways around security systems, but what can they do? Is there a silver bullet? What do you think?

Talk Back is a weekly interactive column about current privacy and security issues. Feedback is welcome.

Most Recent Responses:

Too many online users know nothing of encryption and rely on browser conveniences, such as saving private information. User education and responsibility by Microsoft for better and faster securing of their browser are both needed preventatives to curb security breaches.

Laurie Rigney
Technical Support Analyst

To address Doug's point of view, bi-directional technology already exists: SSL. If the user always knows that they must only enter their password at https addresses and not http, and all websites that require authentication implement this, a large number of attacks will be reduced. The reason is that on https (SSL), the server must pass its identity in a certificate that the browser verifies is valid and trustable; only then does it allow communication. Otherwise it warns the user. This is not fool-proof, but can address > 90% of the problems, probably even more.

Other methods, of course, are a plus, and much easier for users to identify with (like three-way authentication, especially using images.)

Muhammad Omer Iqbal
Security Lead

While technical solutions are very desirable, and should include both hardware and software, user education, self-policing, and heavy criminal penalties are important components of any solution.

The Internet community needs better tools for self-policing and directing criminal activity to policing authorities, where cybercrime can be investigated, and criminals charged and incarcerated.

Much integration remains between police forces and lawmakers both nationally and internationally. The Internet needs to show a strong and unified face that cybercrime is serious and penalties are significant.

Barry Monette
eMas eManagement Solutions

We are considering using an LCD token, but instead of the traditional method whereby the client types in the numbers on the LCD, we'll actually give them the numbers and ask them to verify them. This authenticates our server to them, and if the code is not right then they know they are on the wrong server.

Roger Harr
Service Bureau Director
Worldwide Interactive Services, Inc.

Yes, I would. In fact, I am looking for one as we speak to help me. I was sent a really devastating email from someone I don't know and would like to find the person who sent it immediately. I don't want someone who is going to rip me off (like I have much); I just want someone to identify the person and as many details as possible, as this email is really hurtful.
