Fixing Phishing

By Jeanette James


Phishing, the latest online scam for tricking consumers into disclosing information about their bank accounts, credit cards, Social Security numbers and the like, isn't just a concern for Web surfers. It's a major (and expensive) headache for corporations as well.

According to a May report from research firm Gartner, 57 million U.S. adults think they have received a phishing e-mail.

"In my opinion, those numbers are probably understated since many people do not know they are getting attacked and do not realize they have given sensitive information away," said Avivah Litan, vice president and research director at Gartner.

According to Gartner, the more than 1.4 million users who have suffered from identity theft fraud in the past year have cost banks and card issuers $1.2 billion in direct losses.

Here's how it works: phishers send an email or pop-up message that claims to be from a business the consumer normally deals with, generally an Internet service provider (ISP), bank or even a government agency. The message asks the consumer to update or validate account information, threatening serious consequence if the message isn't answered. Consumers are directed to a fraudulent Web site that looks like the real thing where they hand over personal information that phishers then use to access credit cards, bank accounts and commit other types of fraud.

In addition to a company's direct monetary losses due to phishing, these new scams may also undermine the very future of online retailing.

"It also hurts other online providers like eBay, PayPal and AOL because consumers may be wary of engaging in email communications with them as a result of the phishing attack phenomena," said Litan.

Potential Solutions

Rather than waiting for consumers to find ways to protect themselves, CIOs at financial institutions and online retailers are using new strategies to protect their sites and their customers.

Litan believes a caller ID-like system would be most effective. But it would require changing all the domain name directories to incorporate the name of the site that should be displayed in the user's browser, in addition to the IP address. Such a scheme would also mean changing directories, the browser and e-mail clients so that they can read the records.

"Obviously, this is a long-term solution because it requires so many infrastructure changes. It also has privacy implications," said Litan.

In the meantime, there are browser-based tools that offer real-time detection and/or blacklisting of known spoof sites. Another solution sits outside the browser but is accessed by it, in something Litan calls "shared secret authentication," which refers to an icon such as a graphic (say, a relative's photo) or highly personalized information that only the consumer and their provider know about.

Already, several vendors have stepped up to the plate, offering new corporate-level anti-phishing solutions. In May, for example, Boise-based MarkMonitor launched Fraud Protection to help financial institutions guard against phishing attacks. In June, MasterCard International announced that it is working with NameProtect of Madison, Wis., to combat all online forms of identity theft.

And in August, WholeSecurity announced Web Caller ID for detecting phishing sites without having to refer to a blacklist (which can often be outdated). By looking for long and convoluted URLs, sites only recently registered with the Domain Name System (DNS) Internet directory service, and sites with little page depth, Web Caller ID is able to detect phishing sites, said Scott Olson, WholeSecurity's senior vice president of Marketing.
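The three signals Olson describes (convoluted URLs, freshly registered domains, shallow sites) are simple enough to show as a heuristic scorer. The code below is an added illustration written for this article, not WholeSecurity's product or any part of Web Caller ID. The registration dates and page depths are a constructed inline table standing in for the WHOIS lookups and site crawl a real tool would perform, the domain names and URLs are invented, and the thresholds (30 days, depth 3, score 3) are assumptions chosen for the example.

```python
"""Heuristic phishing-site scorer: an added example, not Web Caller ID.

Scores a URL on the signals the article names: long or convoluted URLs,
recently registered domains, and sites with little page depth. Registry
and crawl data are constructed stand-ins embedded below.
"""
from datetime import date
from urllib.parse import urlparse

# Constructed sample data: what a WHOIS lookup and a site crawl might return.
REGISTRATION = {
    "example-bank.com": date(1998, 3, 14),
    "secure-update-example-bank.com": date(2004, 8, 20),  # registered days ago
    "auction-site.example": date(1999, 1, 5),
}
PAGE_DEPTH = {  # deepest link level reachable from the front page
    "example-bank.com": 6,
    "secure-update-example-bank.com": 1,  # a single spoofed login page
    "auction-site.example": 7,
}

# Constructed URLs used for the walkthrough at the bottom.
PHISH_URL = ("http://secure-update-example-bank.com/online/banking/verify.php"
             "?session=0a9f8e7d6c5b4a3&user=jdoe&redirect=https://example-bank.com/login")
LEGIT_URL = "https://example-bank.com/login"


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels).
    Real code would consult the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_complexity(url):
    """Score the URL string itself; returns (points, reasons)."""
    p = urlparse(url)
    host = p.hostname or ""
    score, reasons = 0, []
    if len(url) > 75:
        score += 1; reasons.append("long url")
    is_ip = host != "" and host.replace(".", "").isdigit()
    if is_ip:
        score += 1; reasons.append("raw ip host")
    elif host.count(".") >= 3 or host.count("-") >= 2:
        score += 1; reasons.append("convoluted hostname")
    if "@" in p.netloc:  # user@host trick that hides the real host
        score += 1; reasons.append("userinfo in authority")
    haystack = (host + p.path + "?" + p.query).lower()
    if any(kw in haystack for kw in ("login", "verify", "update", "account", "secure")):
        score += 1; reasons.append("credential keyword")
    return score, reasons


def score_site(url, today=date(2004, 9, 1), min_age_days=30, min_depth=3, threshold=3):
    """Combine URL shape, domain age and page depth into one verdict.
    `today` is fixed to the article's era so results are reproducible."""
    score, reasons = url_complexity(url)
    domain = registrable_domain(urlparse(url).hostname or "")
    registered = REGISTRATION.get(domain)
    if registered is None:
        score += 1; reasons.append("domain unknown to registry data")
    else:
        age = (today - registered).days
        if age < min_age_days:
            score += 1; reasons.append(f"registered {age} days ago")
    depth = PAGE_DEPTH.get(domain, 0)
    if depth < min_depth:
        score += 1; reasons.append(f"page depth {depth}")
    return {"url": url, "score": score, "reasons": reasons,
            "phishing": score >= threshold}


if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL):
        r = score_site(u)
        print(f"{'PHISH' if r['phishing'] else 'ok   '} {r['score']} {r['reasons']}  {u}")
```

Note that the bank's own login page still collects one point for the "login" keyword; the verdict comes from the combination of signals, which is why a blacklist-free heuristic of this kind needs a threshold tuned against legitimate traffic before it is shown to users.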

eBay is one of WholeSecurity's first customers. And, when eBay customers download the Web Caller ID browser toolbar, they can actually use Web Caller ID's phish detection on any other site that supports the new product.

eBay's Chief Information Security Officer, Howard Schmidt, said that by integrating Web Caller ID into the browser, online companies can automatically protect customers from unknown spoof sites without the need for frequent blacklist updates.