A new consortium called the Trusted Electronic Communications Forum (TECF) has brought together top companies in the financial and technology industries to tackle phishing and spoofing attacks aimed at stealing personal information.
Phishing and spoofing are a kind of bait-and-switch often used for identity theft. Gartner vice president and research director Avivah Litan told E-Commerce Times that the problem has steadily grown worse within the last year. “It’s probably even more widespread then we know,” she said. “It’s going to have a terrible effect on consumer confidence in online shopping.”
To find a way to reduce the problem, TECF has drawn 17 member companies and may recruit more in the future. So far, its membership list features well-known firms like IBM, Best Buy, Charles Schwab, E*Trade, CipherTrust and Siebel Systems.
The TECF will not be the only organization working to bring phishers to justice. The Anti-Phishing Working Group was formed last November and currently boasts more than 400 members representing 250 companies. It is made up of companies in the financial, online retail, law enforcement and software industries, as well as ISPs.
The Working Group maintains an archive of suspected phishing attacks and estimates the size and cost of the phishing problem.
TECF chairman Shawn Eldridge told the E-Commerce Times that his group is not in competition with its better-known kin. Rather, he foresees cooperation between the two organizations.
He noted that although both groups have a similar mission, the way they plan to reach it is different. “We’re not working on quantifying or qualifying the epidemic,” Eldridge said. “What makes us unique is that we’re a smaller organization that’s focused on working with technology leaders around the globe.”
Hammering Out the Details
In the next few months, the TECF plans to define the goals of four main working groups: social engineering, best practices, government affairs and standards.
Eldridge noted that the groups have only just started to define their aims and will be crafting action plans in the months ahead.
“Each working group will have its own set of objectives,” he said. “There’s no silver bullet that can stop phishing, but we think that with active and efficient efforts, there’s a way to dramatically reduce phishing attempts.”
In the short term, the consortium will create guidelines for anti-phishing best practices for companies. The group will also develop a system that allows consumers and businesses to report phishing attacks.
For the future, the TECF is focused on ratifying technology standards, and assisting in the prosecution of phishers. “We are putting together a unified voice to cope with the problem,” said Eldridge. “We really think there should be a way to not just report attacks, but to be able to prosecute those who are launching them.”
Long Road Ahead
The TECF has much work ahead of it in order to tackle the phishing and spoofing problem. It seems that already the threats are multiplying at an alarming rate.
“The industry has woken up to the problem,” said Dave Jevans, chairman of the Anti-Phishing Working Group.
He told the E-Commerce Times that the government is more than aware of the threat as well. Because there may be a terrorist link to funds obtained from phishing, and it is suspected that worldwide organized crime may be involved, both the Secret Service and FBI are both involved in tracking phishers.
Also, Jevans was asked to speak at a Senate Special Committee on Aging hearing regarding how Internet fraud affects seniors.
“Unfortunately, at this point, there’s a battle going on in e-mail authentication standards,” Jevans said. “That’s been delaying some tools. But there’s more focus on the problem, and that’s important.”
Litan added that groups like Jevans’ and the TECF are a good start for raising awareness and considering ways to fight the attacks. She noted that more companies will probably want to become members of such groups as the attacks continue.
“Banks and other financial institutions are starting to get spoofed, and it’s realistic to think that they’re going to do everything they can to minimize the problem,” Litan said.
One of the companies that joined the TECF, CipherTrust, is confident that the all-for-one approach will be more effective in addressing the threat than having security companies looking at the problem individually.
Jeff Lake, CipherTrust’s vice president of field operations, told E-Commerce Times that his company joined the TECF group because it felt that it was important for bolstering e-mail security efforts.
“It’s not just the consumer that’s affected by phishing,” he said. “It’s the whole cycle of technology. We need to provide a universal deployment of security, and this is part of that.”
He noted that CipherTrust would be involved in the social engineering working group, although the company will be active in supporting governmental affairs as well.
Whether TECF can minimize the threat will be seen in coming months, as its working groups hammer out the details of their action plans. One thing is certain, though, according to Eldridge: the need for such a group is crucial.
“To fight the problem, there needs to be a global effort, and a focused one,” he said. “Hopefully, that’s what we’ll be providing.”