Use PKI to beat phishers

Digital certificates could ward against internet scams.

Internet scammers are increasingly casting around for financial information by "phishing" - using spam to deceive consumers into disclosing credit card numbers, bank account details and other sensitive information.

The e-mails purport to be from businesses with which the potential victims deal and advise recipients that they need to validate their billing information to keep their accounts active. Directed to a counterfeit website, they are hoodwinked into thinking they are responding to a bona fide request. Scammers then use this data to order goods and services or obtain credit illegally.

For bona fide e-commerce sites, this fraudulent activity increases concerns among customers, existing and potential. Paypal and eBay, both recently targeted by phishers, now warn customers to be on the lookout, advising that the only time they would request confirmation of account details is when customers log on.

Users can safeguard against phishing by checking that the internet service provider they are dealing with is the genuine article and by inspecting the accuracy of the web address.

Users should also be on the lookout for a public key infrastructure certificate on a website. This verifies the identity of the certificated company. A PKI certificate rests on two parts - a public key, which is published in the certificate, and a private key, which is held only by the certificated company. These keys are between 256 and 2,048 bits long, so, in theory, nobody can break them.
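The two checks just described - inspecting the web address and looking for a certificate that verifies the site's identity - only give protection when taken together: a certificate attests to the name written into it, so the name must be compared with the address the user actually typed. The following is an added illustration, not code from the article or its author. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns for a server certificate; the certificate values are constructed for the example and the domain `example-bank.test` is hypothetical. It goes slightly beyond the article by also handling wildcard names and IP-address certificates, as browsers do.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# All values are hypothetical; this is not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (
        ("DNS", "www.example-bank.test"),
        ("DNS", "*.secure.example-bank.test"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, case-insensitively.

    A "*" is accepted only as the entire leftmost label and never in the
    top-level or second-level position, which is how browsers interpret
    wildcard certificates (RFC 6125 style).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def certificate_matches_hostname(cert: dict, hostname: str) -> bool:
    """Return True if the certificate was issued for `hostname`.

    subjectAltName entries are authoritative. The subject commonName is
    consulted only when the certificate carries no subjectAltName at all,
    mirroring the treatment of legacy certificates.
    """
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP-address certificate must name that exact address.
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
            for kind, value in san
        )

    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def issuer_organization(cert: dict) -> str:
    """Return the organisation that issued the certificate, or '' if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def url_matches_certificate(url: str, cert: dict) -> bool:
    """Combine the two checks: the address must be an https URL, and the
    certificate presented must be issued for the host in that address."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False          # no TLS session, so no certificate to trust
    return certificate_matches_hostname(cert, parts.hostname)


if __name__ == "__main__":
    for url in ("https://www.example-bank.test/account",
                "https://login.secure.example-bank.test/",
                "https://example-bank.test/"):
        print(url, "->", url_matches_certificate(url, SAMPLE_PEERCERT))
    print("issued by:", issuer_organization(SAMPLE_PEERCERT))
```

In a real session the dictionary would come from `getpeercert()` on a connected `ssl.SSLSocket`, after the library has already verified the certificate chain; the name check is the part of the process that ties the verified identity back to the address the user meant to visit.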

PKI is not widely used at present, but it would not require much effort for it to become so. Indeed, Outlook already has the capability to deal with PKI certificates.

The fraudulent use of credit and debit cards to buy items via web or phone has soared by more than a third over the past two years, making a convincing argument to make more use of PKI.

Those individuals who remain unconvinced might be advised to conduct transactions through an online broker, which provides a secure site with all appropriate verification and back-up.

As a safeguard, users should check to see if alternative payment methods are acceptable prior to submitting credit card details online. Most reputable online companies will offer a range of alternative payment methods to credit or debit cards, such as a postal address for a cheque.

To avoid getting hooked by a phishing scam, users would be well advised to exercise caution and pay close attention to detail before submitting credit card details. Failure to conduct due diligence could prove to be an expensive mistake.

Colin Selfridge is senior IT manager at chartered accountants French Duncan