What do you do if you need to prove your software is virtually hack-proof? Well, you could always hire a renowned former hacker to attempt to foil the system and mount a successful phishing attack.
That’s just what 41st Parameter did.
The company’s patented anti-fraud technology, dubbed TimeDiff Linking, is designed to protect banks against phishing scams and their resultant consumer security problems, online identity theft and fraud. But 41st Parameter CEO Ori Eisen knew banks wouldn’t simply take his word for it.
That’s why he hired Kevin Mitnick, a computer security expert who used to be on the FBI’s “Most Wanted” cybercriminal list for hacking into computers of major international corporations. Mitnick now runs Mitnick Security Consulting, a security consultancy dedicated to helping people from government and business protect vital information.
“If anybody could hack through our technology Kevin could,” Eisen said. “We wanted to be sure that our solution was as secure as possible against phishing tactics and other cyber crimes. I respect Kevin’s work.”
Phishing is an act of fraud that involves an attempt by scam artists to steal the identities of Internet users by sending out e-mails or links to Web pages mimicking popular Web sites. These phishing e-mails and Web sites commonly ask Internet users to provide sensitive personally identifiable information, such as passwords, credit card numbers or bank account information.
According to the latest report from the Anti-Phishing Working Group, there were over 1,100 phishing attacks reported in April 2004 alone. This figure represents a 180 percent increase in phishing attacks from the previous month. The financial services industry seems to be hit the hardest with 15 of the top 20 phishing targets falling into the financial services category.
Gartner research shows identity theft from phishing attacks cost U.S. banks and credit card issuers about US$929 million in the year ending May 2005. Banks and credit card companies absorbed about 90 percent of those losses. Yet Federal Trade Commission statistics on identity and credit card theft report that only about 5 percent of cybercriminals are caught today.
Dave Jevans, Chairman of the Anti-Phishing Working Group, told TechNewsWorld that phishers, worms, viruses and spam over IM is not only on the rise — it’s more mature and more complex. And it is posing a significant threat to both financial services and retail sectors.
“As hackers, identity thieves, and virus writers continue to join forces, these attacks are increasing and becoming much more sophisticated — to the point of being literally indistinguishable from legitimate e-mail, even for technically savvy recipients,” Jevans said.
Analysts said as phishers get savvier, software must also get savvier. Eisen told TechNewsWorld that the problem is most anti-phishing products put the onus on the consumer to prevent attacks by asking them to change their behaviors. But Eisen said that’s the wrong approach because hackers are constantly finding new ways to break past security barriers.
“We must use better intelligence to shut down phishing attacks quickly, with zero imposition to the end user,” Eisen said. “For hackers, it’s always a matter of time and ease of breaking in. If we make extremely difficult for them to use stolen identification information to break in, then they’ll try an easier target.”
The 41st Parameter’s TimeDiff Linking technology automatically correlates login data, computer data, and customer data to build a fingerprint of the perpetrator’s device in real time. By creating a unique fingerprint for each device that logs in, The 41st Parameter technology can pinpoint repeat offenders and build a defense against all the different behaviors exhibited by cybercriminals and phishing rings.
The 41st Parameter hired Mitnick to test the strength of its new TimeDiff Linking technology by attempting to foil the system and mount a successful phishing attack. Mitnick told TechNewsWorld that he has crossed over the to “good side” to use his knowledge of computer and security vulnerabilities to show companies their security weaknesses.
“For banks and other e-tailers, phishing is a primary concern. I’ve tested The 41st Parameter’s technology and I found that most phishers will become extremely frustrated because of the difficulty of impersonating a legitimate customer,” Mitnick said. “Given enough time, effort, and resources, any system can be broken, but the effort to break this technology is too time consuming.”
Penetrating the TimeDiff
Mitnick attempted to hack through TimeDiff Linking protection by using a method called sequel injection in hopes of discovering a mistake in the application coding that would allow him to change the logic and bypass security. It didn’t work.
“The biggest security breach I find in software is due to human nature. Humans make mistakes as they rush products to market. Sometimes companies don’t hire experienced programmers,” Mitnick said. “No one is immune to hacking, but 41st Parameter demonstrated to me that they are not sloppy coders.”
The 41st Parameter in June filed an extension to its TimeDiff Linking technology patent. The amended patent filing for “Method System for Identifying Users and Detecting Fraud By Use of the Internet” more than doubles the number of parameters correlated for TimeDiff Linking in preparation for The 41st Parameter’s line of real-time products.
Keven’s book "The Art of Deception" is a must read for the Network Administrator. I wouldn’t want to be him, but I respect his ability.