Identity theft as a result of phishing expeditions is a growing source of fraud. It may need an initiative by government and firms to alert online users to its power to inflict serious damage.
Since December 2003 there have been almost 1,500 unique incidents of phishing - fraudulent extraction of financial details - on the internet. And each day sees several new attempts.
Along with many other forms of internet crime at the moment, an alarming number can be traced to Eastern European and Russian origins. Fortunately the UK has not been hit as hard as the US to date, and while banks are reluctant to divulge losses of any kind caused by computer crime, a survey commissioned in the US put the losses at £275m.
Attackers generally will not single out a particular target; instead they will "bulk-mail" or spam thousands of addresses with a fake e-mail bearing every resemblance to an official, bank-originated communication. Many of the recipients will not even bank with that organisation, but the ones who do may just be fooled into following the instructions in the e-mail. The actual message in the e-mail varies, but essentially it asks the user to log in to their online bank service and confirm or reconfirm some information.
Phishing was initially an attack focusing on online banking websites, but more recently other commercial sites which require login are being targeted, including eBay. Clearly the ability to log in as someone else and bid on goods for sale by auction has a value to some unscrupulous users.
This is not a fad; it will continue to evolve, target new groups and become more sophisticated. At the moment, most banks with an online facility issue a notice on their website warning users of bogus e-mails of this nature.
One way to limit phishing which is being tested at the moment and strongly considered is the use of a bank-issued digital certificate. Already being used for some bank-to-bank transactions, this would certainly counter the basic form of phishing by ensuring that the site is verified to the client browser and that the login process requires something other than a username and password.
There are obstacles associated with using digital certificates and the corresponding private key, namely that the credentials are commonly stored on a local hard drive, in the browser, and so are vulnerable to local misuse. This mechanism would also prove costly and difficult for the banks to maintain.
Clearly cost per user is an issue for banks offering online services. The use of a token, smartcard or some form of two-factor authentication would generally involve hardware and software being supplied to the user. Maintenance and support then also become an issue. Many banks offer this type of highly secure access to online details right now, but generally only for high-value accounts and wealthy individuals or businesses.
Other technology, such as mobile telephones, could easily be used to offer a secondary or "out of band" communication between the banks and their registered users to ensure that the user is aware whether an e-mail communication is from a trusted source or not.
Like other internet threats, phishing has gone through at least one phase of evolution. We are now starting to see non-financial websites being targeted. It is hard to determine how integral it is to modern-day identity theft at this stage; the only indication we have right now is in terms of lost funds from bank accounts.
As this relatively new attack preys on the unaware, and technology fixes are too costly or complex to implement, it seems to me that the only answer is to raise awareness, in a way that has not been done before in terms of computer security issues - something like a communiqué from government to the population or a massive TV advertising campaign warning of the dangers of phishing, which could be funded by a group of UK banks.
Ultimately, the "do nothing" option cannot be followed for much longer. Phishing and ID theft online are eroding the already tenuous faith that consumers have in conducting financial transactions on the web. With online payment systems set to rise and government services to increase over the next two years, now is the time to make the internet a safer place.
Phil Cracknell is chief technology officer at Netsurity
What is phishing?
Phishing is a form of identity theft. Conventional ID theft has been around for many years, taking the form of bogus applications for bank accounts, credit cards and other sources of finance using fake or stolen documents as proof of identity.
Microsoft, eBay, Amazon.com and Visa are some of the big names among the founding members of an organisation called the Coalition on Online Identity Theft. The group is dedicated to combating identity theft, of which phishing is a growing component.
Seven million US adults were victims of identity theft in the 12 months ending June 2003, according to analyst firm Gartner.
How you can minimise the risk from phishing
- Issue a warning about these fraudulent e-mails on your website, and even consider a mailshot to all your customers to tell them of the problem
- It would also be encouraging to see more banks issue an old-fashioned pamphlet with guidance inside and make it available in branches
- Contact relevant working parties and groups such as the banks’ Association for Payment Clearing Services and the Anti-Phishing Working Group.
www.banksafeonline.org.uk/
www.apacs.org.uk/staysafeonline/
www.antiphishing.org/
What to tell end-users
- Don’t follow links from e-mails; go to the website in the normal way by typing the URL into a new browser window
- Never disclose your login details to anyone, electronically, over the phone or in person. The bank does not need these details to process your query
- Check your statement regularly
- Scan for viruses, trojans and spyware that may record your keystrokes - and make sure your software is kept updated.
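The first piece of end-user advice above ("don't follow links from e-mails") exists because the link in a bogus bank e-mail rarely goes where its text says. The following is an added illustration, not code from the article or from Netsurity: it parses the anchors in a constructed sample e-mail and flags the tell-tale signs a mail gateway or an awareness trainer would point at (a link whose visible text names the bank but whose real host is elsewhere, a bare IP address, or a "bank-name@real-host" trick). The bank domain and the 203.0.113.x addresses are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _is_trusted(host, trusted_hosts):
    # Accept the bank's domain and its subdomains only.
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)

def suspicious_links(html, trusted_hosts):
    """Return [(href, reason), ...] for links a customer should not follow."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()   # .hostname strips any user@ prefix
        if parsed.scheme not in ("http", "https") or not host:
            continue
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("bare IP address instead of a hostname")
        except ValueError:
            pass
        if parsed.username is not None:
            reasons.append("userinfo before the host (name@real-host trick)")
        if not _is_trusted(host, trusted_hosts):
            reasons.append(f"host {host!r} is not the bank's domain")
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())  # hostname in link text
        if shown and shown.group(0) != host:
            reasons.append(f"visible text names {shown.group(0)!r} but link goes to {host!r}")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings

# Constructed sample e-mail: two bogus links and one genuine one.
SAMPLE_EMAIL = """<p>Dear customer, please confirm your details:</p>
<a href="http://203.0.113.5/examplebank/login">www.examplebank.co.uk/login</a>
<a href="http://www.examplebank.co.uk@203.0.113.5/login">Secure login</a>
<a href="https://www.examplebank.co.uk/contact">Contact us</a>"""
TRUSTED = ("examplebank.co.uk",)
```

Running `suspicious_links(SAMPLE_EMAIL, TRUSTED)` flags the first two anchors and passes the genuine contact link.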
This article is part of Computer Weekly's Special Report on network security produced in association with Microsoft
www.microsoft.com/uk/security