Phishing is as lucrative as it is prolific. According to the latest official figures from UK payments body, APACS, phishing scams and Trojan keystroke loggers were behind UK online bank fraud totalling £12m in 2004; while BlackSpider Technologies estimates that nearly seven million phishing emails have been sent across the UK in the last month alone.
So, how are phishers relieving us of our savings?
There are essentially three ways that phishers perpetrate their scams. The first and most common method is social engineering, duping recipients into divulging their login names and passwords. Typically, this is done by encouraging users to click on a link in a bogus email which takes them to a fraudulent website that mimics that of their own bank.
When creating a false environment, phishers will typically forge an email purporting to be from your bank, asking you to re-register or re-confirm personal details. They can redirect you to a URL that looks as though it's that of your bank; and the phisher's attention to detail can mean these fake websites are incredibly realistic.
The second method is to use Trojans to plant keyloggers on computers, allowing the capture of passwords and personal information when the user logs on to a bank's security page.
The final method is a 'Man in the Middle' attack, whereby phishers do not even need to capture logon details, but instead act as a tunnel between the user and the real bank website, communicating data between the two. When a user is logged on, so is the phisher, who can stay logged on after the real user has left the site. They can then transfer money at whim.
However, there are steps that can be taken to prevent and limit the damage of these attacks. The effect of Trojans can be curbed by using a mixture of randomised letters and numbers for customers' password login; and by using drop-down boxes for field entry, making it much more difficult for phishers to read passwords.
'Man in the Middle' attacks can be countered by limiting log-on time; and by 'Intrusion Detection', a system that monitors the IP addresses that connect to their website to identify those that connect most frequently.
The most cost-effective and reasonably secure way for banks to allow their customers to access their accounts online is to use multiple passwords. At least one of these should not be requested in full i.e. "please enter letters 2 and 5 of your password"; and they should be entered via a drop down box. Passwords comprised of both letters and numbers make it much harder for the hacker to decipher.
However, the ideal solution is 'two-factor' authentication. For example, the user has a password or pin, together with a random number generated by a token, such as a small key fob or credit card sized device, which changes approximately every 30 seconds. The random number is synchronized with the server you are logging into. Both passwords are required for authentication, meaning if you lose the key fob, it can't be used without your pin and vice versa.
They foil key-loggers because although the phisher can steal your password, he/she will only have the random number generated the last time you logged on, not the most recently updated number. And if key fobs prove too costly, a cheaper alternative would be to issue the random number via another medium, such as SMS, each time the user logs on.
There is no single solution to phishing. Filtering techniques and legislation go some way to limiting the damage, but educating PC users and online customers is the most effective safeguard against phishing attacks.
The author is CEO of BlackSpider Technologies.
