Tag Archives: online fraud

InspectorBrown Responds

Here’s what Rick Brown said of his Inspector Brown anti-phishing toolbar in response to my questions about its failure to catch the cross-site scripting phish mentioned here:

Our software works to protect our community of users and allow each user the ability to fight back against spam, phishers and online fraud.

Yes, it’s true, not all smart people will care to report bad links or websites, but a percentage of users will gladly do so.

The idea is simple, when a member of our community gets an email from a known spammer or phisher, they report it, either by sending an email to reports@inspectorbrown.com or clicking on the “Report a Site” button from the Inspector Brown toolbar. Immediately, once the site is reported, our software goes to work analyzing the site for clues. How long has the site been active/registered online? Is it IP based, does it show certain patterns that make it stand out?

The toolbar was also designed as a marketing tool. Financial institutions and any large corporation wanting to protect and promote their image can benefit from a branded toolbar that shares a common database with other businesses. If certain smart employees or users report to our system, every user using our software gets the same protection. The toolbar was designed to allow additions such as links to certain departments within a company, information tickers for stocks or weather, the options are endless.

Our software differs from spam blockers, which are what we call “band aid” approaches. Spam is still sent to the users and may end up in spam folders; however, some emails, such as your message to me, were sent inadvertently to my spam folder even though they were legitimate email. All this traffic affects the ISPs and corporations and users who rely so heavily on email.

What if you went to the grocery store and bought 100 dollars worth of food, brought it home only to find out that $70 of the food was bad? You would be pretty upset. However, ISPs constantly send all of us unwanted e-mail that makes up the majority of traffic sent via our Internet connections.

Our software intends to weed out the bad traffic. If users can’t access the websites of spammers and phishers, they can’t purchase their goods or fall victim to their crime. The criminals will have to resort to other methods. The more users who become part of our community, the greater the chance of a percentage of users who will be vigilantes and want to fight back, stopping the bad guys from invading our lives. The more users who join our community, the faster the sites are reported. Each user is given a score to determine the trust level we have with each user. This prevents the bad guys from using our software to “punish” their competition.

There is no perfect method to stop spam and phishing scams, but our software adds one more layer of protection in a unique way.

Thanks, Rick.
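Rick’s letter describes two mechanisms: automated clues gathered about a reported site (how long it has been registered, whether it is IP-based, whether it shows suspicious patterns) and a trust score per reporter that stops the community feature being abused to “punish” competitors. The Python below is an added example of how such a scorer could be built; it is not InspectorBrown’s code. The brand table, clue weights, thresholds, sample URLs and registration dates are all assumptions constructed for illustration, and the domain age is passed in rather than looked up so the example runs offline.

```python
"""Added example: scoring a reported URL along the lines the letter describes.

Not InspectorBrown's code. Brands, weights, thresholds and sample data below
are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Brand names whose presence in a URL is suspicious unless the registered
# domain really belongs to the brand (assumed, illustrative table).
BRANDS = {"citibank": "citibank.com", "paypal": "paypal.com"}
PHISH_WORDS = ("login", "verify", "secure", "update", "account")
# Assumed weight for each clue; a real deployment tunes these on past reports.
WEIGHTS = {"ip_host": 3, "userinfo": 3, "brand_impersonation": 4,
           "young_domain": 2, "unknown_age": 1, "phish_words": 1,
           "deep_subdomains": 1}


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real tool uses the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def url_clues(url: str, registered_on: Optional[date], today: date) -> Dict[str, object]:
    """Answer the letter's questions: IP based? how old? suspicious patterns?"""
    parts = urlsplit(url)
    netloc = parts.netloc.lower()
    host = (parts.hostname or "").lower()
    clues: Dict[str, object] = {}
    try:                                   # "Is it IP based?"
        ipaddress.ip_address(host)
        clues["ip_host"] = True
    except ValueError:
        pass
    if "@" in netloc:                      # http://citibank.com@evil.example/ trick
        clues["userinfo"] = True
    if registered_on is None:              # "How long has the site been registered?"
        clues["unknown_age"] = True
    elif (today - registered_on).days < 30:
        clues["young_domain"] = True
    reg = registered_domain(host)
    for brand, owner in BRANDS.items():    # brand name on a host the brand does not own
        if brand in netloc and reg != owner:
            clues["brand_impersonation"] = brand
    if sum(1 for w in PHISH_WORDS if w in url.lower()) >= 2:
        clues["phish_words"] = True
    if host.count(".") >= 4:               # a.b.c.d.example: deep subdomain chains
        clues["deep_subdomains"] = True
    return clues


def clue_score(clues: Dict[str, object]) -> int:
    return sum(WEIGHTS[name] for name in clues)


@dataclass
class Report:
    url: str
    reporter_trust: float   # 0.0 (unknown or previously wrong) .. 1.0 (reliable)


def should_block(reports: List[Report], clues: Dict[str, object],
                 min_trust: float = 1.0, min_score: int = 4) -> bool:
    """Block only when the reporters' combined trust AND the automated clue
    score both clear their thresholds. One low-trust report of a clean site
    (a competitor trying to 'punish' a rival) is therefore not enough."""
    trust = sum(r.reporter_trust for r in reports)
    return trust >= min_trust and clue_score(clues) >= min_score


if __name__ == "__main__":
    today = date(2005, 1, 1)           # constructed reference date
    url = "http://citibank.com@192.0.2.10/login/verify"   # constructed sample
    clues = url_clues(url, None, today)
    print(clues, clue_score(clues))
    print(should_block([Report(url, 0.2), Report(url, 0.9)], clues))
```

The two thresholds are deliberately independent: the clue score alone would let an attacker get a rival's clean site blocked by feeding it through, and reporter trust alone would let a single well-established user block anything, so both have to agree.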

Banks, Phishing And A Dereliction Of Responsibility

Online commerce suffers from one major flaw: It’s online. That means we need to use computers (or computer-like devices, such as cellphones). It means we need to use the Internet. Together this is a lethal cocktail. And for online banking, it just may mean it is fatal.

Online banking, for example, is not like using an ATM. Or a credit card. Or a cheque. Or even cash. All these types of transaction are vulnerable to fraud but they are relatively easy to protect yourself against. If you lend your credit card, cheque book or ATM card to strangers then you are probably not taking the right precautions. For banks, deciding whether you as a customer have taken ‘reasonable precautions’ is quite an easy calculation to make, and they will make it in assessing whether or not they will compensate you for losses.

But what about phishing? Online fraud is — and will become — a lot more complex than offline fraud. Firstly, most folk don’t really know what’s going on in their computer, so how can they take reasonable precautions? I bet, for example, that if you ask most people to identify the icons in their system tray they won’t be able to get all of them. Secondly, if you use broadband, you are connected to the Internet most of the time. It’s a bit like hanging out overnight on a street corner in a bad part of town: You can’t reasonably assume that you won’t attract the attention of some bad guy at some point.

These are calculations of risk the individual should make when he or she conducts any kind of transaction online. But they are hard. We can look around for suspicious types when we stand at an ATM, or hand over a credit card to a store clerk, but online we have no really easy way to measure our security and safety. Online banking is not the same as undertaking other transactions.

Which is why I think banks are wrong if they try to pretend it is. The BBC quotes Britain’s payments association, the Association for Payment Clearing Services (APACS) as saying that in a few years’ time “compensation could be denied if people had safety information but ignored it”. APACS director of corporate communications Sandra Quinn is quoted thus: “What we have always said is that we won’t forever provide a guarantee. A good parallel might be with something like card fraud – if you act reasonably, you are covered.” The bottom line: where a customer had “not acted with care and been negligent”, the BBC quotes her as saying, banks in three or four years’ time could begin refusing refunds.

I’m sorry, but I think this is daft and the wrong way around. Banks were very, very slow to get off the mark over phishing. If I were a customer and had been phished I would have sued the pants off my bank for not warning me about it. Banks have a duty to monitor their website, their name, in fact the whole Internet, to protect their customers. For example, one company I spoke to gave me a list of registered website names that appeared designed to impersonate legitimate banks — Citibank was a favourite, with hundreds of names that could be mistaken for a legit Citibank site. Most banks, he told me, weren’t interested in subscribing to this service. Why? Because they didn’t feel monitoring these names — and the accompanying websites — was worth their time or their money. If I were a customer I would be livid: If a scammer set up a fake bank in the high street to defraud customers, you would hope the bank in question would be on top of it within seconds, warning customers everywhere to watch out and doing its damnedest to close the operation down. The Internet is now the high street and banks need to start patrolling it, not ignoring it.
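The monitoring service described above, which lists registered names that could be mistaken for a bank’s, is a lookalike-domain scan over new registrations. The Python below is an added example of that kind of scan, not the unnamed company’s product: it flags candidate domains that embed the brand label, differ from it by a couple of keystrokes, or differ only by characters an eye confuses. The brand, the confusable-character table and the sample domain list are constructed assumptions.

```python
"""Added example: scanning registered domains for lookalikes of a bank's name.

Not the monitoring company's product. The brand, the confusable-character
table and the sample domain list are constructed assumptions.
"""
from typing import List, Optional, Tuple

# Character pairs an eye is likely to confuse (assumed table; extend as needed).
CONFUSABLE = {frozenset(p) for p in (("1", "l"), ("1", "i"), ("l", "i"),
                                     ("0", "o"), ("5", "s"), ("3", "e"), ("2", "z"))}
# Two-letter sequences that render like a single letter.
MULTI = {"rn": "m", "vv": "w"}
# Labels that sit under a country code, so the registrant's label is one level up.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def brand_label(domain: str) -> str:
    """Pick the label the registrant chose: 'citibank' from citibank.com or
    citibank.co.uk. A real tool would use the Public Suffix List here."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def sub_cost(a: str, b: str) -> int:
    return 0 if a == b or frozenset((a, b)) in CONFUSABLE else 1


def distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance (insert, delete, substitute,
    adjacent transpose), with free substitutions between confusable characters."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d[i][j] = min(d[i - 1][j] + 1,
                          d[i][j - 1] + 1,
                          d[i - 1][j - 1] + sub_cost(a[i - 1], b[j - 1]))
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def classify(domain: str, brand: str) -> Optional[str]:
    """Why a domain looks like the brand, or None if it does not."""
    label = brand_label(domain)
    if label == brand:
        return None                       # the brand's own registration
    folded = label
    for seq, letter in MULTI.items():
        folded = folded.replace(seq, letter)
    dist = distance(folded, brand)
    if dist == 0:
        return "homoglyph"                # c1tibank
    if brand in label.replace("-", ""):
        return "brand_embedded"           # citibank-online-login
    if dist <= 2:
        return "typo"                     # citbank, ctiibank
    return None


def scan(domains: List[str], brand: str) -> List[Tuple[str, str]]:
    """Return (domain, reason) for every registration worth a human look."""
    hits = []
    for domain in domains:
        reason = classify(domain, brand)
        if reason:
            hits.append((domain, reason))
    return hits


# Constructed sample of "newly registered" names; none is a real finding.
SAMPLE = ["citibank.com", "c1tibank.com", "citibank-online-login.net",
          "citbank.com", "ctiibank.com", "citibank.co.uk", "bank.com",
          "barclays.com"]

if __name__ == "__main__":
    for domain, reason in scan(SAMPLE, "citibank"):
        print(f"{domain:30s} {reason}")
```

The scan is a triage step, not a verdict: a flagged name still has to be visited and compared with the bank’s real site before anyone files a takedown, which is the “accompanying websites” half of the service the paragraph mentions.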

Sadly, I think banks still don’t get it. They think phishing is a static problem that will recede as more people know about it. But that’s not it at all. Phishing is the thin end of a new wedge that will lead to increasingly sophisticated efforts to use technology and social engineering to part consumers with their data and money. The banks’ role is not to put a few silly little warning notices on their website and set up silly little websites nobody visits (like this one) but to throw serious resources at protecting their customers: by building secure sign-on systems, by monitoring the bad guys, by offering well-staffed and accessible customer support hotlines. Anything less is a dereliction of responsibility.

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware, only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase products through secure sites. That’s encouraging, and no bad thing for business, but the figures that follow are bad for it: nearly half will not now provide confidential data over the Internet, while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would ”hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there are the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

The Death Of Email?

Could spam and viruses kill off email?

Folk seem to think so, if a world-wide survey by Message Labs, the email security people, is anything to go by (no URL available yet, sorry). They found that 6 out of 10 companies would give up email if the threat posed by viruses, spam and other malware is not contained and a viable alternative emerges.

It seems that people’s concerns are not identical: More than 20 per cent of respondents indicated that online fraud such as phishing and identity theft will be the greatest threat. Viruses achieved a similar rating (21 per cent). Some 18 per cent rated the leakage of confidential or sensitive information as the main issue, while 15 per cent thought the biggest threat would be the potential for industrial espionage.

On one thing, however, folk do agree: More than 40 per cent predict that levels of junk email will more than double over the next 10 years, and a further 24 per cent expect it to rise by more than 50 per cent. Only four per cent think it will be non-existent.

My tuppence worth: Email will get better. It has to, or else spam really will bury us. I think folk should start agreeing on a new system of authentication and a serious way of making it too expensive for people to send bulk email, both financially and legally.