Data Protection and Security

VII Identification and Entity Authentication

VII.V Phishing Attacks

In a recent article, Bruce Schneier has claimed that the multifactor authentication technology most banks now offer to customers is too late and too little. His argument is that attackers now have novel and more effective methods of fooling users than simply guessing the password or hacking the password database. The rise in identity theft and e-banking fraud incidents shows he is right. Phishing attacks, the topic of this section, are the main cause of this increase.

Reference: Bruce Schneier: Two-factor authentication: too little, too late. Commun. ACM 48(4): 136 (2005).

The Anti-Phishing Working Group (APWG) defines phishing as follows:

“Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social-engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using Trojan keylogger spyware.”

Consistent with the principle that “the weakest link in the security chain is the user himself”, phishing attacks pose a real threat today. In the US alone, between May 2004 and May 2005, around 1.2 million users were affected and suffered losses of around 1 billion US dollars because of phishing.

The best safeguard against phishing attacks is user education. Legislative efforts and technical responses are also in progress. For instance, the new version of Internet Explorer (version 7) includes a number of anti-phishing technologies: a phishing filter, which checks the visited web site against a master list of known phishing sites, and a colour code in the address bar, which visually shows the trustworthiness of the page.
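As an added example (not part of the original notes, and not Internet Explorer's code), the following Python sketch models the two mechanisms just described, a master-list lookup and a traffic-light verdict for the address bar, and goes one step further by adding heuristics for the brand hijacking named in the APWG definition. The blocklist, brand table and URLs are constructed placeholders.

```python
"""Toy anti-phishing URL filter: master-list lookup plus a colour verdict.
Added example; the blocklist, brand table and sample URLs are constructed."""
from urllib.parse import urlsplit

# Constructed master list of known phishing hosts (placeholders, not real indicators).
KNOWN_PHISHING_HOSTS = {
    "secure-login.examplebank-verify.test",
    "update.examplepay.account.test",
}

# Constructed mapping of brand keywords to the brand's legitimate registrable domain.
BRANDS = {
    "examplebank": "examplebank.test",
    "examplepay": "examplepay.test",
}

# Two-label public suffixes handled by the naive registrable-domain logic below.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.tr"}


def registrable_domain(host: str) -> str:
    """Return the owner-controlled part of a hostname (naive public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> str:
    """Return 'red' (known phishing), 'yellow' (suspicious) or 'green' (no finding)."""
    host = (urlsplit(url).hostname or "").lower()  # hostname drops any user@ prefix
    if not host:
        return "yellow"  # schemeless or unparsable input is not trusted
    if host in KNOWN_PHISHING_HOSTS:
        return "red"     # exact hit on the master list
    # A bare IPv4 literal in place of a bank's hostname is a classic warning sign.
    if all(label.isdigit() for label in host.split(".")):
        return "yellow"
    owner = registrable_domain(host)
    for brand, legit in BRANDS.items():
        # Brand name appears in the URL (subdomain, path or user@ part) but the
        # site is not actually owned by the brand, e.g. examplebank.test.attacker.test
        if brand in url.lower() and owner != legit:
            return "yellow"
    return "green"
```

The master list catches only URLs already reported, so the heuristics are what flag a freshly registered lookalike; they also produce false positives (a brand's own country domain, for instance), which is why such a filter informs the user rather than blocking outright.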

APWG has argued that in the near future most users will be aware of common phishing attempts, and that pharming (misdirecting users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning) and malware (software designed to infiltrate or damage a computer system without the owner's consent) will replace today’s methods. More information is available at http://www.antiphishing.org/


VII.V.I Question

Why is two-factor authentication not sufficient to combat phishing attacks?
