Co-Operation, Paradigm Shift Thinking Will Overcome The "Phishing" Menace
Published on 04 Mar 2007
[JOHANNESBURG, 4 April 2007] – South African Banks and their customers are now firmly in the sights of online fraudsters conducting a number of “phishing” scams and are seemingly powerless to prevent it.
However, a local specialist in the secure delivery and payment of bills, statements, invoices and other confidential documents via email, maintains that with co-operation and some innovative thinking phishing attacks can be reduced by as much as 98.5%.
“We need a new approach, because at this point it looks like the Phishers are winning,” says Mike Wright, CEO of Striata, an international electronic messaging specialist.
“Current defence strategies are based on “post-event” efforts to close down websites as soon as they are found. However, this means that clients are still at risk. We need to tackle the problem from the other end as well. What is also required is a process to prevent the emails from ever arriving. Key to this approach is digitally signing all outbound email, using sender verification and working with Internet Service Providers (ISPs) to identify and delete email before it hits their clients.”
Netcraft, a UK-based international Internet security services provider, offers statistics that show there were more than 609 000 confirmed phishing URLs in 2006, an enormous 15-fold jump from just 41 000 in 2005. But there is an alarming sting in the tail — almost half the total came in a single month, December. A staggering 277 000 unique URLs were detected in December 2006 alone, with 457 000 cumulatively in the last three months of the year.
Wright says Netcraft’s explanation for the sudden surge is the emergence of phishing-creation kits known collectively as “Rockfish” (or “R11”), which automate the rapid creation of scam websites. These allow sophisticated domain management, including webs of sub-domains, as part of the battle to overwhelm anti-phishing systems with vast numbers of short-lived sites that are impossible to keep tabs on or block.
If the Netcraft statistics are anything to go by, this trend is likely to keep accelerating in 2007, meaning that anti-phishing engineers now face the prospect of having to block swarms of phishing sites in real time to make any impression on the phenomenon. In practice, blocking phishing websites once detected is almost impossible because of their sheer number.
However, Wright says proper use of and adherence to the principle of “sender verification” coupled with customer/user education and collaboration with ISPs will very significantly reduce opportunities for phishing. The Internet industry and commercial users of email technology need to co-operate fully to ensure that a concerted, co-ordinated anti-phishing drive gathers and sustains momentum.
“A sender verification strategy aims to increase the level of trust in legitimate email from verified senders and there are a number of ways of doing it. Where we can raise the bar against phishing is to implement combinations of sender verification techniques that will dramatically curtail the number of phishing emails reaching customers and consumers.”
The techniques that can be incorporated in such a strategy include digital signatures such as S/MIME and DKIM (DomainKeys Identified Mail) and Striata’s own anti-phishing device.
Another process that focuses on combating forgery of the “from” address is SPF (Sender Policy Framework), which requires domain owners to publish, as an SPF record in their domain’s DNS, which mail servers are authorised to send email for that domain. A recipient’s mail server can then check whether an incoming email is coming from a server authorised to send for the domain it claims to be from. Still others are PCP (personal challenge phrase and/or image) and Web Track back, which verifies email content.
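To make the SPF check described above concrete, here is an added example (not Striata’s code and not from the original article) of how a receiving mail server evaluates a domain’s SPF record against the IP address that connected to deliver the message. It goes slightly beyond the text by also handling include mechanisms and the four SPF qualifiers; the domains bank.example and mailer.example, their records and the IP addresses are all constructed sample data standing in for a real DNS lookup.

```python
import ipaddress

# Constructed sample DNS data (not real records): domain -> published SPF TXT record.
# bank.example authorises its own /24 and delegates to a bulk mailer via include.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifiers prefixing a mechanism; "+" (pass) is the default when omitted.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT query: returns the domain's SPF record or None."""
    return SPF_RECORDS.get(domain)


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF policy of `domain` for the connecting IP `sender_ip`.

    Supports ip4/ip6 (with optional CIDR), include, and all. Returns one of
    pass / fail / softfail / neutral / none / permerror, as SPF receivers do.
    """
    if depth > 10:                      # RFC 7208 caps include lookups at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # mechanisms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include matches only if the referenced domain's policy yields pass.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True              # catch-all; its qualifier is the default verdict
        else:
            return "permerror"          # a, mx, exists, ... are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term present


def action_for(result):
    """Receiver policy in the spirit of the article: drop mail that hard-fails SPF."""
    return "reject" if result == "fail" else "accept"
```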
“Ignoring the phishing problem will not make it go away,” says Wright. “Proven and readily available solutions already exist. What we need to do is to agree as an industry to adopt and adhere to the principle of combined techniques. If each of those techniques results in a 50% reduction of successful phishing attacks then a success rate of 98.5% is achievable.”
Selecting the right technology solutions is the first step in the fight against phishing. The next logical step is to involve the ISPs. Wright says that if a bank implements a combination of technologies, getting the ISPs on board by giving them the mandate to summarily delete emails that claim to originate from the bank’s domain but fail sender verification adds far more power to the strategy.
Customers also need to share accountability for successful phishing attacks and this requires improved communication with and education of clients. Striata is introducing a 6-point phishing education programme that Wright says will inform and educate even the “most computer-illiterate banking client”.
In some parts of the world, banks have vetoed email as a valid client communication tool but Wright says this is illogical in an age where email is the most prolific form of business communication.
“Email has surpassed fax and post and is now relied upon for critical communication thanks to its ease of use, speed and low cost. It is used for everything from financial instructions and the transmission of contracts and legal documents to the sharing of confidential documentation such as patent applications and business plans.”
Banning email makes no sense to the consumer. Every other service provider is communicating with them via email, and so consumers expect banks to do so too and eagerly open, read and follow instructions, because they expect email from their bank. This is the fundamental platform from which phishing is launched.
“Paradigm shift thinking is that banks should not stop sending email but should send more of it in a structured, defined and identifiable manner,” says Wright. “More frequent communication by email educates consumers on how to identify a phishing email and significantly reduces its chances of success.
“By stopping email as a communication tool, the banks actually leave clients totally defenceless in identifying a phishing email. They have nothing with which to make comparisons and they’re not being educated.”