The Grim Reality Of The Phishers

Good piece in this month’s US Banker magazine on phishing. Some tidbits:

Phishing is getting more and more sophisticated. I’ve detailed some of those tricks in this blog, but here’s one I hadn’t heard of:

Crooks [the unfortunately named Ted Crooks, vp of identity protection solutions at Fair Isaac] says that “the level of cleverness is disturbing.” He notes how in one phishing scheme, phishers sent out an e-mail that requested sensitive information and, to prove to customers the request was legitimate, included two numbers the phishers said were the last two digits of each customer’s account number. As Crooks points out, a random two-digit combination has a one in 100 chance of being right, so if a phisher sent such an e-mail to one million users, 10,000 people’s accounts will match those two numbers.

Another thing regular readers will know is the sometimes absurd figure attached to losses associated with phishing:

TowerGroup estimates that direct fraud losses attributable to phishing will top $137.1 million globally in 2004, a figure far below widely cited levels of $1 billion and just a fraction of the total fraud at banks.

But I guess what is worrying is that phishers will start to target those smaller institutions that don’t have the clout to do much about it:

TowerGroup predicts the number of phishing attacks will top 31,300 in 2004 and rise to more than 86,000 by 2005 as they spread to smaller institutions, new merchant/service-provider categories, and new global markets.

Then there’s the need for banks to do more. Consumers don’t believe they are doing so, and I sometimes wonder whether the reason that banks give for not introducing more complicated and multi-layered log-in processes — that users don’t like it — is just an excuse. There are some interesting new approaches being tried out there:

Acknowledging the reality of what consumers will and will not do, Associated Bank, a $20 billion bank in Green Bay, WI, has implemented a voice biometric technology from Authentify to securely pass sensitive information to customers via the Internet. When the customer logs onto the Web site to receive a PIN, a phone call is placed to the customer’s home or office. When the customer answers the phone, the voice biometric verifies that it is the customer and not a phisher requesting the PIN. This confirmation doesn’t require the customer to do anything out of the ordinary. It requires no training, no cost and no software installation.

Other efforts are being focused on foiling the phishers at their own point of sale:

One novel phishing countermeasure utilized by Cyota is bombarding the phishing Web site with bogus customer information. “It looks like real user names and passwords, but it’s just a hodgepodge,” [Cyota CEO Naftali] Bennett says. It compromises the phisher’s data, making it a painstaking process to sort out the legitimate accounts. “We want to change the equation for them. We want to make it harder to use the data and put them at risk of selling bad data to their customers,” Bennett says.
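
The article doesn’t say how the bogus records are built, so here is one way the bank-side half of that trick could work, as an added example (my sketch, not Cyota’s code). The twist that makes the flood useful rather than just noisy: each decoy password is derived from its username with a keyed MAC, so the bank can later recognise a decoy the moment a phisher replays it against the real login page, without having to store the list of decoys anywhere. The key, the name fragments, the real-account store and the login names are all constructed for the example.

```python
import hashlib
import hmac
import random
import string
from typing import Dict, List

# Constructed example key. A real deployment would keep this in an HSM/KMS
# and rotate it; anyone holding it can tell decoys from real credentials.
DECOY_KEY = b"example-decoy-key-not-for-production"

# Constructed name fragments used to make usernames look like real customers'.
FIRST = ["james", "maria", "robert", "linda", "david", "susan", "jose", "karen"]
LAST = ["smith", "garcia", "johnson", "lee", "brown", "martinez", "davis", "wilson"]


def make_username(rng: random.Random) -> str:
    """Plausible retail-banking username in one of a few common styles."""
    first, last = rng.choice(FIRST), rng.choice(LAST)
    style = rng.choice(["first.last", "flast", "lastyear"])
    if style == "first.last":
        return f"{first}.{last}"
    if style == "flast":
        return f"{first[0]}{last}{rng.randint(1, 99)}"
    return f"{last}{rng.randint(1970, 1989)}"


def decoy_password(username: str) -> str:
    """Decoy password for a username: 8 mixed alphanumerics taken from an
    HMAC over the username. Looks like a typical user-chosen password, but
    is recomputable by anyone holding DECOY_KEY."""
    mac = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).digest()
    alphabet = string.ascii_letters + string.digits
    return "".join(alphabet[b % len(alphabet)] for b in mac[:8])


def is_decoy(username: str, password: str) -> bool:
    """True only if the password is exactly the decoy derived for this
    username. A genuine customer who happens to share a decoy username is
    unaffected, because their own password will not match the derivation."""
    expected = decoy_password(username).encode()
    return hmac.compare_digest(expected, password.encode())


def generate_flood(n: int, seed: int = 0) -> List[Dict[str, str]]:
    """n bogus form submissions to post at the phishing site. Field names
    are assumed; in practice they would mirror the fake page's form."""
    rng = random.Random(seed)
    flood = []
    for _ in range(n):
        user = make_username(rng)
        flood.append({"userid": user, "password": decoy_password(user)})
    return flood


# Constructed real-account store: username -> PBKDF2 hash of the password.
_SALT = b"example-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


REAL_ACCOUNTS: Dict[str, bytes] = {"customer.real": _hash_pw("correct-horse")}


def triage_login(username: str, password: str) -> str:
    """Login-side check. Decoys are tested first so a replayed bogus record
    is flagged before it is even looked up as a customer."""
    if is_decoy(username, password):
        return "decoy"  # phisher replaying flooded data: alert, log source IP
    stored = REAL_ACCOUNTS.get(username)
    if stored is not None and hmac.compare_digest(stored, _hash_pw(password)):
        return "ok"
    return "fail"


if __name__ == "__main__":
    # Simulate a phisher replaying a mixed haul: one real victim plus decoys.
    haul = [{"userid": "customer.real", "password": "correct-horse"}]
    haul += generate_flood(20, seed=1)
    outcomes = [triage_login(c["userid"], c["password"]) for c in haul]
    print(f"{outcomes.count('decoy')} of {len(haul)} replayed logins were decoys")
```

The point of deriving rather than storing is operational: the flooding box only needs the key, the login tier only needs the key, and nobody has to synchronise a growing decoy database between them. The cost is that the key becomes the secret that separates decoys from customers, so it deserves the same handling as any other authentication secret.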

The bottom line, however, is well expressed by Gene Neyer, head of the Financial Services Technology Consortium’s counterphishing effort:

“Phishing has become a problem overnight because it has leveraged the infrastructure of spam,” says the FSTC’s Neyer. “And like spam, the concern is that with phishing every countermeasure spurs technology to get around the countermeasure. Unfortunately, scams that rely on social engineering can never be eliminated, but practical, tactical strategies can be put in place.”

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami businessman is suing Bank of America, according to AccountingWEB.com and other sources:

Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez’s computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez’s lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it provides enabled criminals to extract banking passwords and account details entered into Lopez’s PC. This remains unproven.

This makes the case a bit more complicated than if Lopez had been hoodwinked by a phishing email designed to look like something from Bank of America. Still, the AccountingWEB piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. “Banks can’t reasonably expect consumers to protect themselves from cybercriminals,” said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, “50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware.”

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’s are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

Software: Money, Money, Money

Microsoft has just released a new version of its Money software, 2004. New features:
— An extensive Credit Center provides a free credit report and one year of ongoing credit monitoring, in addition to a summary of debt accounts, educational content, access to “what-if” scenarios and information on credit protection.
— Money 2004 Premium offers an exclusive collection of valuable financial services, a $365 value, including two years of MSN® Bill Pay, capital gains tax optimizer from GainsKeeper, one-time free federal online tax preparation and filing from H&R Block, one free credit report, credit alerts and one year of ongoing monitoring from Experian Consumer Direct, and a complimentary initial personal financial consultation with American Express.
— Money 2004 is the only personal finance management software to offer the GainsKeeper service, which helps consumers better monitor and minimize the tax implications of their investment decisions.
The software further ties in with the MSN Money Web site to provide convenient, timely access to relevant and current information, including world-class financial news, information, tools and services.

You can download a trial version from here. I’ve been disappointed with previous versions which seem to add features but not to address existing bugs. Sound familiar?