Good piece in this month’s US Banker magazine on phishing. Some tidbits:
Phishing is getting more and more sophisticated. I’ve detailed some of those tricks in this blog, but here’s one I hadn’t heard of:
Crooks [the unfortunately named Ted Crooks, vp of identity protection solutions at Fair Isaac] says that “the level of cleverness is disturbing.” He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and, to prove to customers that the request was legitimate, included two numbers the phishers said were the last two digits of each customer’s account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people’s accounts would match those two numbers.
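The base-rate point Crooks makes is worth seeing in code, because it is the same reasoning a fraud or awareness team should apply whenever a message “proves” itself with a partial identifier. The following is an added example, not code from the magazine or from Fair Isaac; it assumes account-number suffixes are spread roughly uniformly over their range (which is all the trick needs) and uses constructed, randomly generated suffixes rather than any real data. It also generalises past the two-digit case to ask how many digits a message would have to reveal before chance hits across a large campaign become negligible.

```python
import random
from fractions import Fraction


def match_probability(digits_revealed: int) -> Fraction:
    """Chance that a random guess of `digits_revealed` trailing decimal digits
    equals the true trailing digits of one recipient's account number.
    Assumes suffixes are uniformly distributed (an assumption of this example)."""
    return Fraction(1, 10 ** digits_revealed)


def expected_matches(recipients: int, digits_revealed: int) -> Fraction:
    """Expected number of recipients for whom the guessed digits happen to be right."""
    return recipients * match_probability(digits_revealed)


def digits_needed(recipients: int, max_chance_hits: int) -> int:
    """Smallest number of revealed digits for which the expected number of
    accidental hits over a campaign of `recipients` e-mails falls below
    `max_chance_hits`. Shows that a short partial identifier is never proof."""
    digits = 1
    while expected_matches(recipients, digits) >= max_chance_hits:
        digits += 1
    return digits


def simulate_campaign(recipients: int, digits_revealed: int, seed: int = 1) -> int:
    """Monte Carlo version of the same argument: every e-mail carries its own
    random guess, every recipient has a constructed random suffix, and we count
    how many recipients see 'their' digits purely by chance."""
    rng = random.Random(seed)
    modulus = 10 ** digits_revealed
    hits = 0
    for _ in range(recipients):
        guess = rng.randrange(modulus)          # digits pasted into this e-mail
        true_suffix = rng.randrange(modulus)    # constructed account suffix
        if guess == true_suffix:
            hits += 1
    return hits


if __name__ == "__main__":
    # The figures from the article: two digits, one million e-mails.
    print("P(match) with 2 digits:", match_probability(2))
    print("Expected matches in 1,000,000 e-mails:", expected_matches(1_000_000, 2))
    # How many digits would the phisher have to know before chance alone
    # stops producing at least one convincing hit per million e-mails?
    print("Digits needed for < 1 chance hit per million:", digits_needed(1_000_000, 1))
    print("Simulated matches in 100,000 e-mails:", simulate_campaign(100_000, 2))
```

The simulation with 100,000 recipients lands within a few dozen of the analytic value of 1,000, and the `digits_needed` call shows that a message would have to quote seven trailing digits before a million-recipient campaign could be expected to produce fewer than one accidental hit. The defensive takeaway matches the article: customer-facing guidance should treat any “we know part of your account number” claim as no evidence at all, and a bank's own messages should never rely on such partial disclosure to establish trust.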
Another thing regular readers will know about is the sometimes absurd figures attached to losses associated with phishing:
TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks.
But I guess what is worrying is that phishers will start to target those smaller institutions that don’t have the clout to do much about it:
TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.
Then there’s the need for banks to do more. Consumers don’t believe banks are doing enough, and I sometimes wonder whether the reason that banks give for not introducing more complicated and multi-layered log-in processes — that users don’t like it — is just an excuse. There are some interesting new approaches being tried out there:
Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. When the customer logs onto the Web site to receive a PIN, a phone call is placed to the customer’s home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn’t require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.
Other efforts are being focused on foiling the phishers at their own point of sale:
One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. “It looks like real user names and passwords, but it’s just a hodgepodge,” [Cyota CEO Naftali] Bennett says. It compromises the phisher’s data, making it a painstaking process to sort out the legitimate accounts. “We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers,” Bennett says.
The bottom line, however, is well expressed by Gene Neyer, head of the Financial Services Technology Consortium’s counterphishing effort:
“Phishing has become a problem overnight because it has leveraged the infrastructure of spam,” says the FSTC’s Neyer. “And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place.”