How Can We Stop Phishing and Pharming Scams?
by Paul L. Kerstein
Both types of scams lead unsuspecting customers to give up valuable personal and financial information. Phishing e-mails entice users to a fake website where they enter personal data. Pharming pop-up boxes appear at reputable websites and hijack the user, who enters financial data at an illegitimate URL. U.S. companies lose more than $2 billion annually as their clients fall victim, and they’ve finally started implementing a number of countermeasures.
One countermeasure is software. In addition to spyware and adware, developers have introduced applications that can collect and store personal data while keeping it safely encrypted on the user’s hard drive. When a user enters personal information in reply to an unknown e-mail address or in a mysterious pop-up box, the software displays an alert. There are also downloadable tools for web browsers that rate websites based on Secure Sockets Layer (SSL) technology, an internet protocol for sharing sensitive information. Most software options check against an updated database of blacklisted phishing sites and IPs.
Bank of America recently implemented the use of personal digital images with a security feature called SiteKey. The user chooses an image to appear when he logs on. If the secret image does not appear, he has logged on to the wrong place. SiteKey, secret phrases, three challenge questions and the standard user names and passwords will be used for all BoA customers by this fall. A similar technology using visual cues has been developed by Green Armor Solutions. Drawing on psychology, a website uses a visual cue that is easily remembered, such as a colored box containing a word in text of a different color. The cue is generated mathematically with a one-way hash function and a secret key, so users see the same personalized cue each time. Phony sites, which do not hold the key, cannot produce the correct cue, so users will know something is wrong.
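As an added illustration of the keyed one-way-hash cue scheme described above (example code written for this page, not Green Armor's or Bank of America's implementation; the palettes, the server key and the user ids are constructed), the genuine site derives each user's cue with HMAC over the user id, and a site without the key has no way to compute it:

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed palettes, deliberately small for readability. A production system
# would use a much larger cue space so an imposter cannot guess a cue by luck.
BOX_COLORS = ["red", "green", "blue", "orange", "purple", "teal"]
WORDS = ["harbor", "maple", "comet", "violin", "glacier", "lantern", "saddle", "quartz"]


@dataclass(frozen=True)
class VisualCue:
    box_color: str
    text_color: str
    word: str


def derive_cue(server_key: bytes, user_id: str) -> VisualCue:
    """Deterministically map (secret server key, user id) to a visual cue.

    HMAC-SHA256 plays the role of the one-way hash function: the cue itself is
    shown to the user in the clear, but without server_key nobody can compute
    the cue that belongs to a given user id.
    """
    digest = hmac.new(server_key, user_id.encode("utf-8"), hashlib.sha256).digest()
    n = len(BOX_COLORS)
    box_idx = digest[0] % n
    # Choose a text colour different from the box colour so the cue is readable.
    text_idx = (box_idx + 1 + digest[1] % (n - 1)) % n
    word = WORDS[digest[2] % len(WORDS)]
    return VisualCue(BOX_COLORS[box_idx], BOX_COLORS[text_idx], word)


def user_accepts_page(expected: VisualCue, shown: Optional[VisualCue]) -> bool:
    """The user's side of the check: only enter a password if the page shows
    exactly the cue enrolled with the genuine site. A missing or wrong cue
    means the page is not the site that holds the key."""
    return shown is not None and shown == expected


if __name__ == "__main__":
    genuine_key = b"constructed-server-secret-key"   # held only by the real site
    phisher_key = b"some-other-guess"                # an imposter's best effort
    enrolled = derive_cue(genuine_key, "alice@example.com")
    print("genuine page:", user_accepts_page(enrolled, derive_cue(genuine_key, "alice@example.com")))
    print("imposter page:", user_accepts_page(enrolled, derive_cue(phisher_key, "alice@example.com")))
```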
Another interesting approach has been suggested by Robert X. Cringely, a columnist for PBS and Infoworld. Cringely thinks we should fight fire with fire. For example, a phisher may send out a million e-mails and yield useful information from 100 replies with hardly any effort. If everyone who received phishing e-mails replied with false information, the criminal would be forced to cull through a million replies to get at the 100 with useful information. While this requires the user taking time to fill out the forms, it would increase labor exponentially for the phisher, greatly reducing the profitability of the scam.
There are sites that limit the number of failed sign-on attempts per day from a single IP address. Others won’t use pop-ups during registration and log-in procedures. Some companies have eliminated the e-mail relationship entirely, warning their customers through mailings sent with monthly statements.
A nationwide survey by the Cyber Security Industry Alliance in May found nearly half of voters nationwide claimed that fears of identity theft prevented them from conducting business online. Retailers, banks and software developers are scrambling to keep up, as criminals find new ways around security systems, but what can they do? Is there a silver bullet? What do you think?
Too many online users know nothing of encryption and rely on browser conveniences, such as saving private information. User education and responsibility by Microsoft for better and faster securing of their browser are both needed preventatives to curb security breaches.
Other methods, of course, are a plus, and much easier for users to identify with (like three-way authentication, especially using images). While technical solutions are very desirable, and should include both hardware and software, user education, self-policing, and heavy criminal penalties are important components of any solution.
The Internet community needs better tools for self-policing and directing criminal activity to policing authorities, where cybercrime can be investigated, and criminals charged and incarcerated.
Much integration remains between police forces and lawmakers both nationally and internationally. The Internet needs to show a strong and unified face that cybercrime is serious and penalties are significant.
2002-2008 CXO Media Inc. All rights reserved.
July 19, 2005