Internet banks should combat phishing attacks by using
technology to authenticate their websites to their customers,
rather than relying solely on customers authenticating themselves
to the bank.
Mikko Hypponen, chief research officer at anti-virus company
F-Secure, told the WebSec Conference in London last week that this
would be the most effective way to cut down on online banking
fraud.
"The problem is that the banks do not authenticate themselves to
the user. Customers should be allowed to challenge the bank and ask
for something only the bank should know," he said.
Phishing attacks and other online fraud cost banks £23.2m in
2005, up from £12.2m in the same period in 2004, according to
figures from the Association of Payment Clearing Services.
Two-factor authentication, in which a hardware token or similar
device generates one-time passwords, makes phishing harder, but in
isolation it does not solve the problem, said Hypponen.
Banking websites will still be vulnerable to man-in-the-middle
attacks. In these, the attacker runs a spoof banking site that
collects the one-time password from the victim and relays it to the
real banking site, within the password's short validity window, to
log in and steal funds, he said.
Research by F-Secure revealed that hackers have registered large
numbers of websites with names similar to those of banks and other
organisations, with a view to launching attacks.
In the latest variant of the attack, known as pharming, hackers
tamper with name resolution (for example by poisoning a DNS server
or the hosts file on the victim's PC) so that users are
surreptitiously redirected to a fake banking website even when they
type in the real web address of their bank. The fake site often
loads its graphics directly from the real site.
Banks could detect pharming sites by monitoring their web server
log files for requests for their graphics files that arrive from
other websites, as revealed by the Referer header, said Hypponen.
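The log check Hypponen describes, as an added example that is not from the article, F-Secure or any bank: it parses web server log lines in the common "combined" format, keeps only requests for image files, and reports every external Referer host that is hotlinking them, flagging hosts whose name looks like a lookalike of the bank's own. The bank domain examplebank.example and the log lines are constructed for the example and are assumptions, not data from the page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical bank hostnames (assumption for this example).
OWN_HOSTS = {"www.examplebank.example", "examplebank.example"}
IMAGE_SUFFIXES = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".svg")

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one legitimate hit, two hits hotlinked from a
# lookalike host (digit 1 for letter l), one from a "secure-login" lookalike,
# and one from an unrelated news site that merely embedded the logo.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:09:12:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 4521 "https://www.examplebank.example/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2006:09:12:02 +0000] "GET /login HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2006:09:13:45 +0000] "GET /img/logo.gif HTTP/1.1" 200 4521 "http://www.examp1ebank.example/login.php" "Mozilla/4.0"
198.51.100.24 - - [10/Mar/2006:09:13:46 +0000] "GET /img/header.png HTTP/1.1" 200 10233 "http://www.examp1ebank.example/login.php" "Mozilla/4.0"
198.51.100.25 - - [10/Mar/2006:09:14:10 +0000] "GET /img/logo.gif?v=2 HTTP/1.1" 200 4521 "http://examplebank-secure-login.example/" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2006:09:15:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 4521 "https://news.example/banks-in-2006" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname from a Referer value; None when absent ('-') or unparsable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_own_host(host, own_hosts=OWN_HOSTS):
    """True for the bank's own hostnames and their subdomains."""
    return host in own_hosts or host.endswith(tuple("." + h for h in own_hosts))


def foreign_image_referers(lines, own_hosts=OWN_HOSTS):
    """Count, per external Referer host, requests for our image files."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()   # drop query string
        if not path.endswith(IMAGE_SUFFIXES):
            continue
        host = referer_host(rec["referer"])
        if host is None or is_own_host(host, own_hosts):
            continue
        hits[host] += 1
    return hits


def looks_like_lookalike(host, own_hosts=OWN_HOSTS):
    """Crude heuristic: the bank's registered label appears in the host after
    undoing common digit-for-letter substitutions (1->l, 0->o, 3->e)."""
    labels = {h.split(".")[-2] for h in own_hosts}
    normalised = host.translate(str.maketrans("103", "loe"))
    return any(label in normalised for label in labels)


def report(log_text, own_hosts=OWN_HOSTS):
    """(host, hit_count, lookalike?) for each hotlinking host, most hits first."""
    hits = foreign_image_referers(log_text.splitlines(), own_hosts)
    return [(h, n, looks_like_lookalike(h, own_hosts))
            for h, n in hits.most_common()]


if __name__ == "__main__":
    for host, n, suspicious in report(SAMPLE_LOG):
        print(f"{host:40} {n:4d} {'LOOKALIKE' if suspicious else ''}")
```

The Referer header is set by the victim's browser, so it will be absent when the browser or a proxy strips it and can be forged by an attacker who proxies the images through their own server; a missing or clean Referer is therefore no proof that a page is genuine, and the check is a source of leads for takedown, not a control in itself. Serving the graphics only to requests with an own-domain Referer would break the fake site's appearance but also some legitimate clients, which is why the example reports rather than blocks.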
Banks are already waging a war against phishing e-mails by
having spoof sites closed down as soon as they are discovered.
However, new forms of phishing attack are designed to circumvent
these countermeasures.
A customised Trojan discovered this month on the networks of a
Japanese bank installed fake web pages directly in the browser cache
of the desktop PC, making it unnecessary to host fake sites remotely,
security specialist Andy McKewen of Panda Software said.