The summer of 2003 saw a surge in a type of Internet fraud that the fraudsters themselves have nicknamed “phishing”. The name fits: they fish for the naïve end user’s static PIN code, bank account details, or credit card number and expiry date.
Once they hold that secret, they fish the bank account dry or go shopping at the victim’s expense with the stolen card details. The right technology, above all strong user authentication, combined with user education, can dramatically reduce their catch.
A typical phishing scheme works as follows. To catch a victim’s static PIN code or credit card details, the fraudster builds a web site that is a copy of the site of the financial institution where the victim banks. An address-bar spoofing bug in Internet Explorer is then used to show the address of the genuine site, hiding the fact that the user has walked into a trap.
Luring users into the trap could not be simpler. The phisher broadcasts an e-mail with a forged sender address to a large list of e-mail addresses. After the unsuspecting victim enters his secret details on the fake site, the criminal can process the harvested data in batch whenever he likes; there is no time pressure at all. Batch processing is very convenient for the fraudster, because he never has to wait for a username/password pair to arrive and use it on the spot. The victim wakes up one morning to an unpleasant surprise: an empty bank account.
Solutions to prevent phishing schemes are twofold.
1. Awareness
The first part of the solution is creating awareness that phishing schemes exist. This is a task for governments, financial institutions, specialised organisations, the media and security companies all over the world. Many are already doing so; nevertheless, MailFrontier found that 40% of people who read a fraudulent Citibank e-mail earlier this year thought it was real. One can only imagine what would happen if phishing spread to regions where users have not been warned at all. This clearly shows that informing the market is only part of the solution.
2. Strong User Authentication
Static passwords are simply not suited to an open channel such as the Internet: whatever the user types can be captured once and reused at leisure. The solution is the use of time-based one-time password generators, commonly known as strong authentication tokens.
Strong authentication tokens generate one-time passwords: each code is valid only for a short time and for a single use, so a captured code is worthless to anyone who arrives late.
There are four different modes in which Digipass strong authentication tokens can be used:
1. Time based one-time passwords
2. Time based Challenge/Response
3. Time based Signature Function
4. Host/website authentication
The first two modes make phishing a far more difficult, and therefore dramatically less profitable, activity for fraudsters.
The basic application, time-based one-time passwords, puts the fraudster under extreme time pressure: a harvested code expires within minutes and is refused once it has been used, so working in batch becomes impossible. Each code has to be used in real time, while the victim is still on the fake site.
Time-based challenge/response adds another security layer. The phisher has to wait for an end user to send a username, and must then sit in the middle of the communication between the user and the financial institution, passing the bank’s challenge to the user and the user’s response back to the bank, all within the validity window.
The time-based signature function and host/website authentication make phishing virtually pointless. Even if a fraudster gets hold of the signature for a transaction, he cannot reuse it: the signature is computed over the transaction data, so changing the beneficiary or the amount invalidates it and a new signature, which only the token holder can produce, is required. This holds as long as the user checks the transaction details shown on the token’s display before signing them. No catch on this phishing trip…
Host/website authentication lets the end user check the authenticity of the web site he is visiting by having the bank authenticate itself to the token; a fake site, which does not hold the secret, cannot produce the right host code. Again, the phisherman’s net comes up empty.
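The four modes listed above, run through the phishing scenario from the start of the article, as an added example: this is not code from the original article and not VASCO’s Digipass algorithm, which is proprietary. Each mode is modelled with HMAC-SHA1 and RFC 4226-style truncation over a secret shared between token and bank. The 30-second step, the one-step acceptance window, the six-digit codes, the user “alice”, the secret, the timestamps, the challenges, the beneficiary account and the amounts are all constructed assumptions.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30      # seconds per time step (assumed; real tokens use their own step size)
ACCEPT_WINDOW = 1   # verifier tolerates +/- one step of clock drift (assumed)
DIGITS = 6          # length of the displayed code (assumed)


def _code(secret: bytes, mode: bytes, step: int, *fields: bytes) -> str:
    """One mode's code for one time step: HMAC-SHA1 with RFC 4226-style dynamic truncation."""
    # The mode tag and 0xFF separators keep inputs of different modes from colliding.
    msg = b"\xff".join((mode, struct.pack(">q", step)) + fields)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _window(now: int) -> range:
    step = now // TIME_STEP          # time steps a verifier accepts at the instant 'now'
    return range(step - ACCEPT_WINDOW, step + ACCEPT_WINDOW + 1)


class Token:  # the user's device: holds the shared secret and never sends it anywhere
    def __init__(self, secret: bytes):
        self._secret = secret

    def otp(self, now: int) -> str:                            # mode 1
        return _code(self._secret, b"otp", now // TIME_STEP)

    def response(self, challenge: str, now: int) -> str:       # mode 2
        return _code(self._secret, b"cr", now // TIME_STEP, challenge.encode())

    def sign(self, account: str, amount: str, now: int) -> str:    # mode 3
        # The user keys beneficiary and amount into the token and checks them on its display.
        return _code(self._secret, b"sig", now // TIME_STEP, account.encode(), amount.encode())

    def verify_host(self, host_code: str, now: int) -> bool:   # mode 4
        return any(hmac.compare_digest(host_code, _code(self._secret, b"host", s))
                   for s in _window(now))


class Bank:  # server side: the same secret per user, a clock, and a record of consumed codes
    def __init__(self, secrets: dict):
        self._secrets, self._used = dict(secrets), set()

    def _verify(self, user: str, code: str, mode: bytes, now: int, *fields: bytes) -> bool:
        for step in _window(now):
            if hmac.compare_digest(code, _code(self._secrets[user], mode, step, *fields)):
                key = (user, mode, step, fields)
                if key in self._used:          # one-time: a replayed code is refused
                    return False
                self._used.add(key)
                return True
        return False                           # outside the window: a batched code is dead

    def login_otp(self, user: str, code: str, now: int) -> bool:
        return self._verify(user, code, b"otp", now)

    def login_cr(self, user: str, challenge: str, code: str, now: int) -> bool:
        return self._verify(user, code, b"cr", now, challenge.encode())

    def transfer(self, user: str, account: str, amount: str, code: str, now: int) -> bool:
        return self._verify(user, code, b"sig", now, account.encode(), amount.encode())

    def host_code(self, user: str, now: int) -> str:
        return _code(self._secrets[user], b"host", now // TIME_STEP)


def demo() -> dict:
    """Run the four modes through the phishing scenario; all data below is constructed."""
    T0 = 1_700_000_000                                 # constructed 'now' (epoch seconds)
    secret = b"constructed-per-user-token-secret"
    token, bank = Token(secret), Bank({"alice": secret})
    r = {}
    # Mode 1: the victim types an OTP into the fake site and the phisher harvests it.
    harvested = token.otp(T0)
    r["otp_batch_next_morning"] = bank.login_otp("alice", harvested, T0 + 3600)   # False
    r["otp_relayed_in_real_time"] = bank.login_otp("alice", harvested, T0 + 10)   # True
    r["otp_replayed_again"] = bank.login_otp("alice", harvested, T0 + 20)         # False
    # Mode 2: the fake site shows its own challenge; the answer is useless for the bank's.
    real = "48213957"                                  # constructed; a bank draws it at random
    r["cr_answer_to_fake_challenge"] = bank.login_cr("alice", real, token.response("11111111", T0), T0)
    r["cr_answer_to_real_challenge"] = bank.login_cr("alice", real, token.response(real, T0), T0)
    # Mode 3: a harvested signature authorizes only the exact transaction it was made for.
    account, amount = "BE68539007547034", "25.00"      # constructed beneficiary and amount
    sig = token.sign(account, amount, T0)
    r["sig_amount_changed"] = bank.transfer("alice", account, "2500.00", sig, T0)   # False
    r["sig_original"] = bank.transfer("alice", account, amount, sig, T0)            # True
    r["sig_replayed"] = bank.transfer("alice", account, amount, sig, T0)            # False
    # Mode 4: the real bank can prove itself to the token; a fake site has no secret to do so.
    r["host_real_bank"] = token.verify_host(bank.host_code("alice", T0), T0)       # True
    r["host_fake_site"] = token.verify_host(_code(b"no-secret", b"host", T0 // TIME_STEP), T0)  # False
    return r

if __name__ == "__main__":
    print(demo())
```

What the run shows: a harvested one-time password or challenge response is dead by the next morning (the batch approach described at the start of the article) and is refused a second time even inside its window, but a phisher who relays it to the bank within seconds still gets in, so the time pressure is real but not a complete cure. The transaction signature survives even a real-time relay, because the code is computed over the beneficiary and amount the user verified on the token’s display, and host authentication only helps if the user stops when the displayed host code fails to verify.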
For credit and debit card transactions there is a solution too. Visa, MasterCard and Europay have launched EMV. This smart card standard is becoming the worldwide payment card standard and will replace the current generation of magnetic stripe cards. The EMV card’s chip allows financial institutions to add strong user authentication functions. Users who want to pay online with their credit card will then no longer have to hand over the card number and expiry date on the Internet: the combination of an EMV card and a strong authentication token with a card reader is enough to perform e-commerce transactions securely. The first EMV projects with strong authentication tokens are under way right now, at renowned financial organisations such as Barclaycard.
Phishers take advantage of the public’s lack of information about their schemes and of the use of static secrets on the Internet. Although 100% security does not exist, we can safely state that the combination of an informed public and the use of strong authentication tokens is a simple and cost-effective answer to phishing schemes.
Both E92plus and VASCO Data Security are exhibiting at Infosecurity Europe 2006, Europe’s number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products and services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th – 28th April 2006 in the Grand Hall, Olympia, it is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk