Co-Operative 'coastguard' approach needed to beat 'phishing' menace
Published on 16 May 2007
South African banks, Internet service providers (ISPs) and electronic messaging service specialists need to adopt a co-operative coastguard approach to overcome the threat posed by online fraud or “phishing”.
“Co-operation and information sharing among major banks will ensure a strong platform from which to fight this ongoing threat,” said Mike Wright, CEO of global paperless communication specialist, Striata.
“All of the parties involved have to present a united front to educate customers if we are to effectively combat ongoing efforts by criminals to defraud people by conning them into revealing their online banking details on copycat websites.”
One of the most positive outcomes of the recent Anti-Phishing Summit hosted by Striata is a mailing list for the sharing of information on phishing attempts and methodology, successful or otherwise. The summit was an opportunity for the major banks, ISPs and security vendors to promote co-operation in developing and implementing initiatives to combat phishing.
“Co-operation, good communication and the effective distribution of information is the bottom line. It is a fact that online fraudsters have South Africa in their sights, studying how we conduct our transactions, looking for weaknesses to exploit and for structures that may enable their scheme to work,” added Wright.
“Banks generally have similarly high levels and methods of security. Co-operation will assist the entire online banking industry to overcome phishing much faster and more effectively. Currently speed is a critical element as once a false website has been detected, it needs to be shut down by the ISPs as quickly as possible.”
Wright contends the new focus should be on preventing false emails from arriving in the intended victims’ mailboxes. There are a number of preventive measures, starting with digital signatures, but banks will have to educate their customers to recognise these and provide recallable elements that assist the customer and the ISP to distinguish phishing emails from genuine emails.
“Banks will be working with digital certificates, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which are all complementary technologies that raise the overall preventative security barrier. However, because digital certificates require an action from the customer, who has to click on the icon to view the ‘trust’, we suggest a visual identification device that enables the customer to easily see that the mail is for him and genuinely comes from the bank.”
The visual ID device could be the last four digits of the individual’s cellphone number, his daughter’s middle name or his breed of dog – something that a phisher, who relies on sending out millions of emails at random, wouldn’t have a chance of knowing.
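To make the layered defence concrete, here is an added example (not Striata's or any bank's code) showing how the two sides of the scheme described above fit together: the receiving mail server's SPF and DKIM verdicts, recorded in an Authentication-Results header, catch a spoofed sender domain, while the customer-specific visual token (here the last four digits of a cellphone number) gives the customer a check that needs no technical knowledge. The domains, addresses and both sample messages are constructed for illustration; the check that the DKIM signing domain matches the visible From domain is an added refinement beyond what the article states.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a genuine statement notification as the ISP's mail
# server would hand it over after adding its own Authentication-Results
# header. All domains are hypothetical placeholders.
SAMPLE_GENUINE = """\
Authentication-Results: mx.example-isp.test; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test
From: Example Bank <statements@examplebank.test>
To: customer@example-isp.test
Subject: Your statement is ready
Content-Type: text/plain

Dear customer (cellphone ending 4471), your May statement is available online.
"""

# Constructed sample: a mass-mailed lure that forges the bank's From address.
# SPF fails against the real sending domain and there is no DKIM signature,
# and the message carries none of the customer's personal details.
SAMPLE_PHISH = """\
Authentication-Results: mx.example-isp.test; spf=fail smtp.mailfrom=examplebank-secure.test; dkim=none
From: Example Bank <security@examplebank.test>
To: customer@example-isp.test
Subject: Urgent: verify your account
Content-Type: text/plain

Dear valued customer, your account will be suspended unless you confirm your details.
"""

# method=verdict followed optionally by the domain the verdict applies to
# (smtp.mailfrom for SPF, header.d for DKIM).
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=([\w.-]+))?"
)


def parse_auth_results(msg):
    """Return {method: (verdict, domain)} from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict, domain in AUTH_RESULT_RE.findall(str(header)):
            results[method] = (verdict.lower(), domain.lower())
    return results


def from_domain(msg):
    """Domain part of the visible From address (what the customer sees)."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def assess(raw_message, expected_domain, personal_token):
    """Run the sender-verification checks plus the customer's visual-token check."""
    msg = message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(msg)
    spf_verdict, _spf_domain = auth.get("spf", ("none", ""))
    dkim_verdict, dkim_domain = auth.get("dkim", ("none", ""))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    visible_domain = from_domain(msg)
    return {
        # The forged lure passes this naive check, which is why it is not enough.
        "from_domain_expected": visible_domain == expected_domain,
        "spf_pass": spf_verdict == "pass",
        "dkim_pass": dkim_verdict == "pass",
        # Assumption beyond the article: the signing domain must be the visible one.
        "dkim_domain_matches_from": dkim_verdict == "pass" and dkim_domain == visible_domain,
        # The customer's own check: the agreed personal detail appears in the mail.
        "personal_token_present": personal_token in body,
    }


def is_trustworthy(checks):
    """Every layer must agree before the mail is treated as genuine."""
    return all(checks.values())


if __name__ == "__main__":
    for label, raw in (("genuine", SAMPLE_GENUINE), ("phish", SAMPLE_PHISH)):
        checks = assess(raw, "examplebank.test", "4471")
        print(label, "trustworthy" if is_trustworthy(checks) else "suspect", checks)
```

The point of the combined verdict is that no single layer is decisive on its own: the forged message passes the From-domain check that a customer glancing at the sender would rely on, but fails SPF and DKIM at the ISP and fails the personal-token check at the customer, which is the division of labour the article argues for.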
“These measures would put a clamp on the scale of phishing,” said Wright. “It would force them to be much more specific and focused. No longer could they go for a 0.01% success rate on a million emails. So in conventional ‘fishing’ parlance, we would stop the guys with the nets and long lines and make them fish with rod and reel. Catching one at a time is a lot more difficult and in phishing terms requires very precise information, takes a lot more effort and is more costly. The chances of being caught are greatly increased too.”
Wright also maintained that bank customers have to be alert and take responsibility for their online security, which in turn requires banks to educate and communicate with customers as well as provide ways for each individual to be able to recognise emails that are not genuine.
Anyone receiving an email that they suspect is not genuine, or that is definitely a phishing attempt, should report it or forward it to firstname.lastname@example.org, where it can be examined and distributed to the appropriate parties.
“I have no doubt that proper use of sender verification techniques coupled with customer/user education and collaboration with ISPs will very significantly reduce opportunities for phishing. The Internet industry and commercial users of email technology need to co-operate fully to ensure that a concerted, co-ordinated anti-phishing drive gathers and sustains momentum in order to dramatically curtail the number of phishing emails reaching customers and consumers.”