In Depth
Foiling Phishing
Companies on the front lines of the phishing wars share tactics for protecting customers and employees alike.
By Dragoon Alice
MasterCard recently announced a partnership with NameProtect, a fraud detection and alert service. If NameProtect detects suspicious activity, MasterCard alerts law enforcement and the banks that issue its cards. The service also keeps tabs on black-market websites where fraudsters often try to sell stolen account information (known as phish). If anyone tries to sell MasterCard accounts, NameProtect notifies MasterCard, which in turn tells the issuing banks so that they can protect themselves and their cardholders from having card accounts compromised. Although MasterCard has such a well-developed list of contacts in the ISP community that it can usually shut down a phisher site within a day or two, in some cases, it allows phisher sites to stay up long enough to capture the evidence needed to prosecute the phishers. "We get all the information being lured into the site so we can provide it to the financial institutions so they can block the [affected] accounts," says Sergio Pin, senior vice president of security and risk services at MasterCard.
Existing fraud detection systems can be fine-tuned to pick up on phishing fraud by making them more sensitive to address changes, new account applications and out-of-character transactions. PayPal's fraud and spoof detection systems run around the clock. If a PayPal member who typically makes an eBay purchase of around $40 every few months suddenly appears to be making a $4,000 purchase, PayPal can pick up on that unusual activity within an hour. "We might call and say, 'Did you make this purchase? Are you really buying a plasma TV?' If not, it's very easy for us to contact the merchant and say, 'Don't ship the item, it's not authorized by the buyer,'" says Miller. PayPal would then set in motion a process that includes giving the PayPal member a new account number and having her choose a new password. It would also kick off an investigation to collect information on the incident to pass along to law enforcement agents.
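The two signals named above (an out-of-character amount and a recent address change) can be scored per account against a short transaction history. This is an added illustration in Python, not PayPal's system; the record layout, the $40-per-few-months history, the 10x ratio and the 7-day window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Txn:            # one purchase attempt
    account: str
    ts: datetime
    amount: float
    merchant: str

@dataclass
class Event:          # a non-purchase account change, e.g. an address edit
    account: str
    ts: datetime
    kind: str

# Constructed history for one member who spends about $40 every few months.
HISTORY = [
    Txn("acct-1", datetime(2004, 1, 12), 38.50, "ebay-seller-a"),
    Txn("acct-1", datetime(2004, 3, 20), 42.00, "ebay-seller-b"),
    Txn("acct-1", datetime(2004, 5, 30), 39.99, "ebay-seller-c"),
]
EVENTS = [Event("acct-1", datetime(2004, 6, 25, 9, 0), "address_change")]

def is_out_of_character(history, txn, ratio=10.0, min_history=3):
    """Flag an amount far above the account's median prior spend. The median
    resists one earlier outlier; thin histories are not judged this way."""
    prior = [t.amount for t in history
             if t.account == txn.account and t.ts < txn.ts]
    return len(prior) >= min_history and txn.amount >= ratio * median(prior)

def recent_profile_change(events, txn, window=timedelta(days=7)):
    """True if a sensitive profile edit landed shortly before the purchase;
    a hijacked account is often re-pointed (new address) before it is used."""
    return any(e.account == txn.account and e.kind == "address_change"
               and txn.ts - window <= e.ts <= txn.ts for e in events)

def score(history, events, txn):
    """Reasons (possibly none) to hold the purchase and phone the member."""
    reasons = []
    if is_out_of_character(history, txn):
        reasons.append("amount far above account baseline")
    if recent_profile_change(events, txn):
        reasons.append("address changed within 7 days of purchase")
    return reasons

SUSPECT = Txn("acct-1", datetime(2004, 6, 25, 14, 0), 4000.00, "plasma-tv-store")
if __name__ == "__main__":
    print(score(HISTORY, EVENTS, SUSPECT))   # both reasons fire
```

A real system would add the third signal from the text, new account applications, and tune `ratio` and `window` against its own false-positive rate.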
Such vigilance is slowly starting to pay off in court. In February, Alec Scott Papierniak, a Minnesota scammer who phished PayPal members, pleaded guilty to wire fraud in federal court. In May, Zachary Keith Hill of Houston was sentenced to almost four years in prison for defrauding consumers of personal financial information in phishing schemes that spoofed AOL and PayPal.
If phishing has a silver lining, it's this: Phishing may be the thing that pushes companies toward two-factor authentication or other strong forms of identifying who's who on the network. Miller, who declined to divulge any details about the impact of the June 25 phishing attack, says PayPal is looking at a host of stronger authentication options, such as giving users tokens from RSA Security, which would create a new password every 60 seconds. PayPal is also considering biometric techniques such as collecting a voiceprint from customers. Several European banks are already experimenting with stronger authentication methods for online banking and payment authorization. Scandinavia's Nordea gives customers a scratch-off card (similar to a lottery ticket) that contains one-time-use passwords that customers use along with their chosen password. Barclays is piloting handheld smart-card readers for its MasterCard customers. When a cardholder wants to make a purchase online, he puts his card (which contains a smart chip) into the portable card reader and punches his PIN into the reader's keypad. The device then displays a secure, one-time code that the customer enters into a pop-up box on the retailer's website. Salmond of APACS says that the device costs less than $10.