The Internet has delivered dramatic productivity improvements. Executives now have a simple way to exchange electronic mail messages, large and small companies are able to market their products worldwide and corporations have replaced manual procedures with automated ones. Along with these advances have come some downsides: a deluge of electronic mail marketing messages, a proliferation of spam and a number of online scams.
Phishing is the Internet’s latest black mark. In this ruse, criminals design e-mail notes and Web sites that resemble those from bona fide sources, such as merchants or financial institutions. When customers respond to seemingly legitimate messages, they send their personal data, such as credit card or bank account information, to bogus Web sites.
This information provides phishers with access to individuals’ personal accounts so they can perpetrate identity fraud.
Unfortunately, phishing has become quite popular. A Gartner Group study completed in April estimated that more than 57 million Americans (representing 40 percent of all online users) received a phishing e-mail, and 76 percent said the attack had taken place in the last six months.
Crooks Ahead of Posse
The numbers have alarmed corporations, which usually field the calls that come from irate consumers once they realize that they have been scammed. Also, companies do not want customers to lose their faith in the Internet and go back to inefficient manual techniques for ordering products.
Corporations understand that stronger authentication between users and companies is needed, but at the moment, the crooks are a few steps ahead of the posse.
The problem is that current security measures were designed to ensure that users are who they say they are, not that vendors are legitimate, so the criminals are exploiting the weakest link in the security chain. As a result, the user-defined passwords that many firms rely on are no longer adequate security checks.
In response, Internet service providers, financial institutions and online merchants are searching for new ways to authenticate their customers and themselves. The possible solutions include third-party authentication, the use of shared secrets, vendor-maintained blacklists and the development of new security standards.
Third-party authentication systems, such as public key infrastructure (PKI), represent the most mature option. Here, a third party issues a security check, often a key that consists of complementary pieces of encrypted code, to a user and a company. The user’s key is needed to begin the transaction, and the company’s key is needed to authorize it.
As a result, a transaction can only take place when both parties have the appropriate items. Typically, vendors, such as Verisign, have developed and managed the keys. In an effort to increase the use of this security check, vendors formed ad-hoc standards groups, such as the Liberty Alliance, that would be responsible for that process.
While third-party authentication lessens the likelihood of scams like phishing, it has not been widely implemented.
“Many firms have found that managing the keys is cumbersome and expensive,” said Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF), another vendor consortium examining the issue, as well as director of marketing at security supplier PostX.
Shared secrets are another option. One can view them as improved password security. The secrets are data, often preregistered questions and answers, such as “What’s your favorite team?” or “What’s your pet’s name?”, that are known by the user and the company. The questions are asked when a user logs on and rotated on a regular basis so a criminal can’t decipher the pattern.
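As an added illustration of the shared-secret scheme just described (example code written for this article, not a product described in it), the following shows how a company could store preregistered answers without keeping them in the clear, pick a rotating challenge question at logon, and verify the reply. The question texts, the user record and the iteration count are constructed for the example; the hashing and constant-time comparison are what a practitioner would want so that a stolen database or a timing leak does not give the secrets away.

```python
import hashlib
import hmac
import os
import secrets


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of a normalized answer (case and spacing ignored)."""
    normalized = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 200_000)


def enroll(questions_and_answers):
    """Build the stored record for a user's preregistered secrets.

    Only the question text, a per-answer salt and the answer digest are kept;
    the plaintext answer is never stored.
    """
    record = []
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        record.append({
            "question": question,
            "salt": salt,
            "digest": _hash_answer(answer, salt),
        })
    return record


def pick_challenge(record):
    """Choose the question to ask at this logon.

    Rotation is random rather than sequential so an observer who has seen
    earlier logons cannot predict which secret will be requested next.
    """
    return secrets.choice(record)["question"]


def verify(record, question, answer) -> bool:
    """Check an answer against the stored digest for the asked question."""
    for entry in record:
        if entry["question"] == question:
            candidate = _hash_answer(answer, entry["salt"])
            # constant-time comparison: do not leak how many bytes matched
            return hmac.compare_digest(entry["digest"], candidate)
    return False  # question was never registered for this user


if __name__ == "__main__":
    # Constructed user enrollment for the example.
    stored = enroll([
        ("What's your pet's name?", "Rex"),
        ("What's your favorite team?", "Red Sox"),
    ])
    asked = pick_challenge(stored)
    print("challenge:", asked)
    print("verify('  rex ') ->", verify(stored, "What's your pet's name?", "  rex "))
```

The record returned by `enroll` is what the company keeps; the user's answers exist only transiently at enrollment and at verification time.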
Vendors have also been working to identify phishing sites and to block users from accessing them.
“Companies that are being really hurt by phishing activity, like online merchants and financial institutions, are taking the lead in developing technology to lessen the problem,” said Pete Lindstrom, research director at Spire Security, a security consulting firm.
The companies are actively monitoring communications between their customers and various Web sites. The suppliers then develop blacklists, lists of Web sites identified as conducting phishing activities. Vendors, such as eBay, have devised special toolbars that work within their users’ browsers. If a customer tries to visit a blacklisted site, the browser will either warn the person of potential danger or block him or her from making the trip.
Blacklists must be closely guarded because if phishers discover that their sites are on a blacklist, they will simply move to another site.
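The toolbar check described above amounts to extracting the host from a link and looking it up in a blacklist. The following is an added example of that decision logic (written for this article, not eBay's or any vendor's code); the blacklist entries and the sample links are constructed, using reserved `.test` names. The point it makes beyond the text is that the lookup has to be done on the normalized hostname, because a link can carry mixed case, a trailing dot, a port, or a user-info prefix that makes the visible address look like a legitimate site.

```python
from urllib.parse import urlsplit

# Constructed blacklist of phishing hostnames for the example. In practice
# this is fetched from the vendor and updated continuously.
BLACKLIST = {
    "secure-login.example-phish.test",
    "account-verify.test",
}


def normalize_host(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to."""
    # Links typed or pasted without a scheme still need to be parsed as URLs.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname drops user-info and port and lowercases; a trailing dot is
    # the same name in DNS, so strip it before the lookup.
    return (parts.hostname or "").rstrip(".")


def is_blacklisted(url: str, blacklist=BLACKLIST) -> bool:
    """True if the host, or any parent domain of it, is on the blacklist."""
    host = normalize_host(url)
    if not host:
        return False
    labels = host.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def toolbar_decision(url: str) -> str:
    """What the toolbar does when the user follows a link."""
    return "block" if is_blacklisted(url) else "allow"


if __name__ == "__main__":
    # Constructed sample links for the example.
    for link in [
        "https://www.example-bank.test/login",
        "HTTPS://Secure-Login.Example-Phish.TEST./signin",
        "http://www.example-bank.test@account-verify.test/update",
    ]:
        print(toolbar_decision(link), link)
```

The third sample link is the case the normalization exists for: everything before the `@` is user-info, and the host the browser would reach is the part after it, which is what gets looked up.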
New standards are starting to emerge. Two sender-authentication proposals (one from Microsoft, dubbed Caller ID, and a second from Yahoo, called Domain Keys) are vying for attention. Under these options, e-mail senders must publish the IP address of their outgoing e-mail servers as part of an XML format e-mail “policy” in the Domain Name System (DNS) record for their domain. E-mail servers and clients that receive messages can then check the DNS record and match the “from” address in the message header to the published address of the approved sending servers. E-mail messages that don’t match the source address can be discarded.
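As an added example of the receiving side of the sender-authentication check described above (written for this article; it is not Microsoft's or Yahoo's implementation and does not reproduce either proposal's actual record format), the following models the published policy as a simple table of a domain's approved outgoing server addresses, stands in for the DNS lookup with a dictionary, and compares the address of the server that delivered a message against that list. The domain, address ranges and messages are constructed. The example also shows the outcome the text implies but does not spell out: a domain that has published nothing yields no verdict at all, which is why the approach depends on ISPs and companies deploying it widely.

```python
import ipaddress
from email.utils import parseaddr

# Constructed stand-in for the policy a domain would publish in its DNS
# record. Only the part the check needs is modeled: which outgoing server
# addresses the domain has approved. (Assumed, simplified format.)
PUBLISHED_POLICY = {
    "example-bank.test": ["203.0.113.0/28", "198.51.100.25"],
}


def lookup_policy(domain: str):
    """Stand-in for the DNS lookup; returns approved networks or None."""
    entries = PUBLISHED_POLICY.get(domain.lower().rstrip("."))
    if entries is None:
        return None
    return [ipaddress.ip_network(entry) for entry in entries]


def sender_domain(from_header: str):
    """Extract the domain from the message's From header, or None."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def check_sender(from_header: str, connecting_ip: str) -> str:
    """Return 'pass', 'fail' or 'none' (domain publishes no policy)."""
    domain = sender_domain(from_header)
    if domain is None:
        return "fail"  # unparseable sender: treat as not authenticated
    approved = lookup_policy(domain)
    if approved is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in net for net in approved) else "fail"


def filter_inbox(messages):
    """Apply the check to (from_header, connecting_ip, subject) tuples.

    Returns the subjects to keep and those to discard; messages with no
    published policy are kept, since nothing can be said about them.
    """
    keep, discard = [], []
    for from_header, connecting_ip, subject in messages:
        verdict = check_sender(from_header, connecting_ip)
        (discard if verdict == "fail" else keep).append(subject)
    return keep, discard


if __name__ == "__main__":
    # Constructed sample messages for the example.
    sample = [
        ("Customer Service <alerts@example-bank.test>", "203.0.113.5", "Statement ready"),
        ("alerts@example-bank.test", "192.0.2.77", "Verify your account now"),
        ("newsletter@other-company.test", "192.0.2.9", "Monthly update"),
    ]
    print(filter_inbox(sample))
```

A policy that does not exist is a different result from a policy that fails, and the distinction matters during rollout: discarding every message from a domain that has not yet published a record would drop legitimate mail from most of the Internet.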
The sender-authentication approach seems to have the most promise but also represents the most difficult work: ISPs need to update their domain name directories and e-mail clients, and companies, such as Microsoft, have to add support to their browsers.
While the vendors are aggressively taking up the task of improving authentication, delivering a solution will take a few years.
“We are essentially talking about a massive undertaking, reworking the way the Internet operates,” Spire Security’s Lindstrom told TechNewsWorld.
He added: “In the next six months, the criminals will have the upper hand in the battle, so I expect the number of phishing cases will continue to rise. In a year or two, vendors should have the tools in place so they can at least slow down the rate of phishing attacks, but unfortunately, it is a problem, like viruses, that users and vendors are going to have to continuously battle.”