Phishing is now an accepted fact of life for many Internet users. Most of the emails that they receive are clearly from friends or business contacts, or clearly fraudulent. But there are a few, just a few, that might just be genuine, and there will always be a small percentage of users who will follow the link sent to them in the email, connect to what they think is their bank, and give the phishers their reward.
The problem for banks and other financial institutions is that this percentage of users does not need to be very high for it to be worthwhile for the phishers to continue their activities.
It might be hoped that customers could be educated not to trust these emails, but the phishers are getting more sophisticated, and the emails more convincing. There is evidence to suggest, for instance, that phishers are targeting recent successful eBay bidders, within minutes of the close of an auction, in an attempt to convince them that before they complete the sale they must change their account details. Needless to say, the link in the email is not to eBay, or not straight to eBay, but to another site entirely. This time-sensitive attack is a new one, and requires quite a high level of organisation and planning on the part of the phishers: it is not about sending out a few tens of thousands of spam messages, but about selecting a likely target and tuning the attack accordingly. It is like an evolutionary war between predators and prey: the sophistication of the attack increases as the sophistication of the customer does. The problem is that the attacker does not need to target the most sophisticated customers, but the least.
We can expect the war between the phishers and those phished, the financial institutions' customers, to continue unabated, and although education is an important weapon to be wielded, it is not going to resolve the conflict. Quite apart from any other considerations, the return on investment from continued education campaigns will fall as those who can be educated are, and those who cannot pay less and less attention.
Another technique that should be part of the armoury is the normal SSL/TLS protocol that secures the link between the customer's web browser and the bank. Rather, it is supposed to secure this link: although a customer can click on the padlock to inspect the certificate behind the connection, few do, and even then the information presented is such that it is almost impossible, even for a security professional, to tell whether the connection is to the right website. The padlock only shows that the traffic is encrypted to whoever holds the certificate; it does not by itself tell the customer that the holder is their bank rather than a look-alike site with its own valid certificate. There are a variety of tools that improve the quality of the information shown about websites, and these, too, are valuable weapons in the armoury of the customer.
But it is the banks and other financial organisations that need to take control and protect their flock of customers from the ravaging packs of phishers. Although individual customers may take steps to protect themselves, and can be aided and guided by banks in doing so, it is through system-led improvement that the battles to beat the phishers can be won, and the progress of the war tipped in the bank's favour. The great weakness of the systems currently in place is that they rely on a piece of information that is unchanging, and which, once discovered, can be used again and again: the user's password. This may be long or short, and the bank may try to limit exposure of it by requesting only certain characters of it on each login, but once it is compromised the attackers have access to what they want.
There are, however, weapons that the banks themselves can deploy, particularly around authentication. The most obvious of these is a dynamically produced one-time password (an OTP). Each value is used only once, and the next value is derived either from the time or from an event such as the customer pressing a button on a token. This means that passwords, once used, are useless to attackers, so harvesting them is pointless. However, a determined and resourceful attacker might, via a man-in-the-middle attack, harvest and use OTPs in real time: the phishing site relays the customer's fresh OTP to the real bank while changing the details of the payment, for instance to credit a different account, in a different currency, for a different amount. To combat this type of attack, message-based authentication can help: a cryptographic authentication code is computed, using a secret the attacker does not hold, over the details of the transaction itself. The code cannot be reverse-engineered to recover the secret, and because it is bound to the payee, amount and currency, it cannot be transplanted onto an altered transaction: if the attacker changes any detail, the bank's verification fails.
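The contrast drawn above, between an OTP that a man-in-the-middle can relay unchanged and a code that is bound to the transaction details, is shown below as an added example; it is illustration written for this page, not Cryptomathic's product code or any bank's scheme. The event-based OTP follows the HOTP construction of RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated), and the transaction-bound code is a hypothetical variant of the same idea: HMAC-SHA256 over the counter and a canonical string of the transaction fields. The shared secret, the counter value, the field set and the separator are all assumptions of the example.

```python
import hashlib
import hmac
import struct

# Shared secret provisioned to the customer's token and held by the bank.
# Constructed for this example; a real deployment provisions a key per customer.
SECRET = b"constructed-demo-secret-not-for-real-use"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation as in RFC 4226: take 4 bytes at an offset given by the
    last nibble of the MAC, clear the top bit, reduce mod 10^digits, zero-pad."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return f"{code % (10 ** digits):0{digits}d}"


def event_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (HOTP): HMAC-SHA1 over an 8-byte big-endian counter.
    The value depends only on the secret and the counter, never on the payment."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def canonical_tx(tx: dict) -> bytes:
    """Fixed field order so the customer's device and the bank MAC identical bytes.
    Field names and the '|' separator are assumptions of this example."""
    return "|".join(str(tx[k]) for k in ("payee_account", "amount", "currency")).encode()


def transaction_code(secret: bytes, counter: int, tx: dict, digits: int = 8) -> str:
    """Transaction-bound code: HMAC-SHA256 over counter || canonical transaction.
    Any change to a field changes the code, and without the secret it cannot be recomputed."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + canonical_tx(tx), hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verify_otp_only(secret: bytes, counter: int, submitted_tx: dict, code: str) -> bool:
    """Bank checks the OTP for the expected counter; submitted_tx plays no part."""
    return hmac.compare_digest(code, event_otp(secret, counter))


def bank_verify_bound(secret: bytes, counter: int, submitted_tx: dict, code: str) -> bool:
    """Bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(code, transaction_code(secret, counter, submitted_tx))


def mitm_scenario(bound: bool) -> bool:
    """Customer authorises INTENDED on a phishing page; the attacker relays the
    customer's code to the real bank in real time but submits TAMPERED instead.
    Returns True if the bank accepts the tampered payment."""
    intended = {"payee_account": "CUSTOMER-PAYEE-001", "amount": "100.00", "currency": "GBP"}
    tampered = {"payee_account": "ATTACKER-ACCT-999", "amount": "4500.00", "currency": "EUR"}
    counter = 42  # next unused event counter for this customer (assumed)
    if bound:
        # The device computes the code over the details it displays to the customer.
        code = transaction_code(SECRET, counter, intended)
        return bank_verify_bound(SECRET, counter, tampered, code)
    code = event_otp(SECRET, counter)
    return bank_verify_otp_only(SECRET, counter, tampered, code)


if __name__ == "__main__":
    print("OTP only, tampered payment accepted:", mitm_scenario(bound=False))          # True
    print("Transaction-bound, tampered payment accepted:", mitm_scenario(bound=True))  # False
```

Two practical caveats the snippet leaves out: the binding is only as good as what the customer actually checks, so the token must display the payee and amount it is signing (a code computed over fields the customer never sees can still be obtained by a convincing phishing page), and a real verifier must tolerate a small window of counter values, since a customer may press the button without completing a payment.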
The message, then, is that there are a variety of different defences, which should be used in conjunction, based on need. And any defence against attacks must, of course, be cost-effective. But cost, in this context, is less tangible than it might immediately seem. The obvious calculation might be: "if we can spend less on a defence than our losses if we don't, then it's cost-effective." This, however, ignores the fact that there are other types of cost which are equally important to banks, and high on that list are reputation and customer confidence. If customers are lost due to a perception that a bank is insecure, all of their business is gone, and new customers will be hard to come by. And if customers lose confidence in Internet banking, then the old, expensive alternatives of telephone banking and branch banking will have to be reconsidered.
On the other hand, the risks of these losses happening are quantifiable, and the correct trade-off has to be to reduce risk to an acceptable level, given the current state of the art in phishing, the cost of counter-measures, and the ability of customers to resist attacks. The banks must act to ensure that the corral around their customers is secure enough to deter all but the most determined attacker, but they must also keep ahead of the game, and be ready to react as attackers become more determined or more sophisticated, as new defences become available, and as competitors move in for a bit of rustling.
The author is UK Technical Manager for Cryptomathic Ltd.
Cryptomathic Ltd. are exhibiting at Infosecurity Europe 2005, Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on 26-28 April 2005 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk