David Brunswick, technical director for Tumbleweed Communications Europe and a member of the Anti-Phishing Working Group, discusses potential solutions in the fight against phishing

Recently, confidence in the internet has come under threat with the growth in both the frequency and the sophistication of phishing attacks.  Banks including CitiGroup, Lloyds TSB and Barclays, ISPs and e-commerce players have fallen victim to phishing attacks that spoofed their identities in pursuit of customers' account details and debit and credit card information, used to make unauthorised transfers and transactions and to perform other identity-theft related fraud.

The most recent analysis by the Anti-Phishing Working Group (APWG) finds the problem escalating, with the number of unique phishing attacks jumping to 402 in March 2004 from 176 in January.  Reducing the scale of the phishing threat is now a top priority for security professionals.

The earliest phishing attacks were very primitive.  They blasted out fake email messages purporting to be from PayPal or CitiBank to millions upon millions of people on the basis that a few would respond.  They were laughably crude with obvious misspellings and badly formed HTML, often directing receivers to poorly drawn counterfeit web sites that gave many visual and technical clues to their spuriousness.

The most advanced recent phishing attacks are far less crude, better targeted and far more visually credible.  The latest examples look identical to the real sites, and even fake part of the browser window to hide the true location of the web site.

Disturbingly, industry experts predict an unholy alliance between computer viruses and phishing attacks.  Several recent virus outbreaks have opened 'back-doors' into unprotected machines, allowing the extraction of data such as credit card details and passwords.  Increasing co-ordination between virus and phishing perpetrators could dramatically increase the success of phishing attacks beyond the current 0.25 per cent response rate.

The combination of security holes in the email standard SMTP – phishers are primarily spoofing the 'from' address – and social engineering is fuelling phishing attacks.  But it may be some time before a more secure version of SMTP is designed and installed across the internet, so a more incremental approach to developing a solution must be taken.

The basic building blocks of an effective anti-phishing effort are detection, prevention and education.  For a preventative technology solution to be effective, it must have certain key characteristics: it must require little training for the end user, use existing industry standards and, ultimately, be cost-effective for senders, recipients and internet infrastructure providers.

A number of solutions to help verify the originating address of email messages have been proposed by leading players in the IT industry, among them Caller-ID and Domain Keys for email.

Caller-ID attempts to authenticate an email by using a combination of the IP address in the TCP/IP header and a list of approved IP addresses in the DNS record of the domain claimed in the 'purported responsible address' of the email header.  However, depending on how the email header is constructed, this may or may not be the 'from' domain.  Caller-ID looks like one of the more promising solutions for providing some protection against phishing, but it remains vulnerable to phishing attacks until the overwhelming majority of legitimate domains begin using it.

Domain Keys uses asymmetric cryptography to provide evidence that an email in fact came from the domain in the 'from' field of the email header.  It is an interesting solution that can be implemented at relatively low cost.  However, like Caller-ID, the fact that not a single piece of email infrastructure supports the protocol today implies that there will be a long waiting period while internet Mail User Agents (email clients) implement Domain Keys.

Another proposed solution to mail authentication is Sender Policy Framework (SPF).  While it shows some promise and has generated enthusiasm amongst the internet community, it is of limited use in stopping phishing, as it does not validate the 'from' address in the message itself, but only checks the 'mail from' address in the message envelope.  It is therefore still possible to mislead recipients as to the source of the email by making these two addresses differ from each other.
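The gap described in the last two paragraphs, as an added example that is not part of this article and is not Tumbleweed code: a receiving server runs an SPF- or Caller-ID-style check of the connecting IP against the networks a domain publishes (here a constructed in-memory table standing in for the DNS record), and then separately compares the envelope 'mail from' domain with the domain in the message's own From header.  The domains, addresses and IP ranges are constructed sample data, and the alignment check is the extra step the article says SPF alone does not perform.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"strings"
)

// approvedSenders stands in for the list of authorised sending networks that a
// domain would publish in DNS under Caller-ID or SPF. Constructed sample data;
// no DNS lookup is performed.
var approvedSenders = map[string][]string{
	"example-bank.test": {"192.0.2.0/24"},
	"bulk-mailer.test":  {"198.51.100.0/24"},
}

// domainOf extracts the lower-cased domain from an address such as
// "Example Bank" <alerts@example-bank.test>.
func domainOf(addr string) (string, error) {
	a, err := mail.ParseAddress(addr)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr)
	}
	return strings.ToLower(a.Address[at+1:]), nil
}

// ipAuthorised reports whether the connecting IP lies inside a network the
// domain publishes. A domain that publishes nothing never passes.
func ipAuthorised(domain, ip string) bool {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return false
	}
	for _, cidr := range approvedSenders[domain] {
		if _, network, err := net.ParseCIDR(cidr); err == nil && network.Contains(parsed) {
			return true
		}
	}
	return false
}

// Verdict records the outcome of the two checks a receiving mail server can make.
type Verdict struct {
	EnvelopeDomain string
	HeaderDomain   string
	IPPass         bool // SPF-style: connecting IP is authorised for the envelope MAIL FROM domain
	Aligned        bool // the header From domain agrees with the envelope domain
}

// evaluate runs the SPF-style IP check against the envelope sender and then
// compares that domain with the one in the message's own From header.
func evaluate(envelopeFrom, connectingIP, rawMessage string) (Verdict, error) {
	var v Verdict
	envDomain, err := domainOf(envelopeFrom)
	if err != nil {
		return v, err
	}
	msg, err := mail.ReadMessage(strings.NewReader(rawMessage))
	if err != nil {
		return v, err
	}
	hdrDomain, err := domainOf(msg.Header.Get("From"))
	if err != nil {
		return v, err
	}
	v.EnvelopeDomain, v.HeaderDomain = envDomain, hdrDomain
	v.IPPass = ipAuthorised(envDomain, connectingIP)
	v.Aligned = envDomain == hdrDomain
	return v, nil
}

// sample is a constructed message whose From header claims the bank's domain.
const sample = "From: \"Example Bank\" <alerts@example-bank.test>\r\n" +
	"To: customer@example.net\r\n" +
	"Subject: Please verify your account\r\n" +
	"\r\n" +
	"Please confirm your details.\r\n"

func main() {
	// Envelope sender from a different domain, delivered from an IP that domain
	// authorises: the IP check passes, yet the header From does not match the envelope.
	v, err := evaluate("bounce@bulk-mailer.test", "198.51.100.7", sample)
	fmt.Printf("%+v err=%v\n", v, err)
}
```

A server that acts only on `IPPass` accepts the sample message; one that also requires `Aligned` flags it, which is the distinction the article draws between checking the envelope and checking the message itself.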

Since Caller-ID, Domain Keys and SPF are competing standards, each of which requires broad adoption to succeed, it is anticipated that these solutions will not help with the phishing problem for at least 18-24 months.

Of the several solutions to the email sender authentication problem discussed in the messaging industry today, only one meets the requirements of providing both immediate and lasting value to address phishing – S/MIME digital signatures.

Based on the secure email standard supported by most email client software in use today, S/MIME digital signatures provide the highest level of sender authentication, which can also help reduce the more general problem of spam. 

Like Domain Keys, S/MIME uses cryptography to provide sender authentication that cannot be easily spoofed.  Unlike Domain Keys, S/MIME has the power to authenticate not just the domain but the actual sender of the email as listed in the 'from' address.  Also, unlike Domain Keys and any other proposed method for fighting phishing attacks, S/MIME has been deployed in the marketplace for several years as a general-purpose secure messaging protocol.  Apart from the predominant handlers of consumer email (AOL, MSN Hotmail, Yahoo), over 350 million email clients deployed on the internet today support S/MIME.  With a more concerted effort by email ISPs to support it, and by the certificate authorities of the world to bring down the cost of the certificate issuance required, the adoption of S/MIME en masse can become a reality.
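The signature-based authentication that the Domain Keys and S/MIME paragraphs describe, as an added example that is not from the article, Tumbleweed or either specification: the sender signs the From, To and Subject headers and the body with a private key, and the receiver looks up the public key for the claimed sender and verifies that nothing covered was altered.  Everything here is an assumption of the example rather than a description of either protocol: Ed25519 is used for brevity, the header name `X-Example-Signature` is hypothetical, the canonical form is a simplified stand-in, and the in-memory registry keyed by domain stands in for a key published in DNS (an S/MIME verifier would instead use the certificate bound to the full address).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// sigHeader is a hypothetical header name carrying this example's signature.
const sigHeader = "X-Example-Signature"

// coveredHeaders are the fields bound by the signature. From is included so
// that a sender changed after signing breaks the signature.
var coveredHeaders = []string{"From", "To", "Subject"}

// parseRaw splits a raw message into its parsed headers and body text.
func parseRaw(raw string) (*mail.Message, string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, "", err
	}
	body, err := io.ReadAll(msg.Body)
	return msg, string(body), err
}

// canonical builds the bytes that get signed: each covered header as
// "name:value" with whitespace trimmed, a blank line, then the trimmed body.
// This simplified form is an assumption of the example, not either protocol's.
func canonical(msg *mail.Message, body string) []byte {
	var b strings.Builder
	for _, h := range coveredHeaders {
		b.WriteString(strings.ToLower(h) + ":" + strings.TrimSpace(msg.Header.Get(h)) + "\n")
	}
	b.WriteString("\n" + strings.TrimSpace(body))
	return []byte(b.String())
}

// signMessage signs the canonical form with the sending domain's private key
// and returns the message with the signature header prepended.
func signMessage(raw string, priv ed25519.PrivateKey) (string, error) {
	msg, body, err := parseRaw(raw)
	if err != nil {
		return "", err
	}
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(msg, body)))
	return sigHeader + ": " + sig + "\r\n" + raw, nil
}

// verifyMessage looks up the public key for the From domain in the registry
// (standing in for a DNS-published key) and checks the signature. A missing
// key, an undecodable signature or any covered field altered after signing
// all yield false.
func verifyMessage(raw string, registry map[string]ed25519.PublicKey) (bool, error) {
	msg, body, err := parseRaw(raw)
	if err != nil {
		return false, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return false, err
	}
	domain := strings.ToLower(from.Address[strings.LastIndex(from.Address, "@")+1:])
	pub, ok := registry[domain]
	if !ok {
		return false, nil // nothing published for the claimed domain: cannot authenticate
	}
	sig, err := base64.StdEncoding.DecodeString(msg.Header.Get(sigHeader))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, nil
	}
	return ed25519.Verify(pub, canonical(msg, body), sig), nil
}

// genuine is a constructed sample message from the bank's own domain.
const genuine = "From: \"Example Bank\" <alerts@example-bank.test>\r\n" +
	"To: customer@example.net\r\n" +
	"Subject: Statement available\r\n" +
	"\r\n" +
	"Your statement is ready.\r\n"

// runDemo signs the genuine message and verifies it, then alters a covered
// header after signing and verifies again.
func runDemo() (genuineOK, tamperedOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	registry := map[string]ed25519.PublicKey{"example-bank.test": pub}
	signed, err := signMessage(genuine, priv)
	if err != nil {
		return false, false, err
	}
	if genuineOK, err = verifyMessage(signed, registry); err != nil {
		return false, false, err
	}
	tampered := strings.Replace(signed, "Statement available", "Verify your account now", 1)
	tamperedOK, err = verifyMessage(tampered, registry)
	return genuineOK, tamperedOK, err
}

func main() {
	g, t, err := runDemo()
	fmt.Println("genuine verifies:", g, "| tampered verifies:", t, "| err:", err)
}
```

Because the From header is part of what is signed and the key is looked up from that same header, a message claiming a domain whose key its author does not hold cannot verify, which is the property the article credits to Domain Keys at the domain level and to S/MIME at the level of the individual address.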

Perhaps the most compelling argument for utilising S/MIME to deter phishing attacks is one of urgency.  Rather than wait for one or more new protocols to be ratified by a standards body or to become de facto standards over a period of several months or years, why not use something that works today and can work side by side with other emerging protocols in the future?  The cost of waiting is simply too high.

Further information on solutions to address the threat of phishing is available in a white paper which can be downloaded by visiting www.tumbleweed.com.