Case Study

Death to Phishing

What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.

By Sarah D. Scalet

Page 7

Like dilution, this practice is aggressive at best, and possibly illegal at worst. "You're still connecting to someone's systems you don't own, and potentially you could be liable for something," says Ryan Crum, a manager in PricewaterhouseCoopers' Security Practice. After talking it over with the legal department, Bank XYZ decided that knowing exactly who was giving up their account information was worth the risk.

Other times, data was more easily obtained. Sometimes cooperative ISPs turn over forensic information about illegal activity on their servers. The bank has been able to learn about where a phishing e-mail was sent or, even better, what information was gathered.

But all this is rare. Instead, the fraud team focuses on how and where losses are occurring. Early phishers were mostly after ATM numbers and PINs, because that was all the information a criminal needed to create a fake ATM card (called white plastic) and use it to withdraw funds. These fund withdrawals were coming off the bank's bottom line, so this led to some painful decisions.

"Maybe [Jones] is baby-sitting a phish, and we're having a problem getting it closed down," Miller posits. "Not only that, but the call centers were reporting a volume yesterday of 100, today it's 200, and it's climbing. And at the same time the debit card department is reporting that the number of white plastic losses are increasing in volume."

Miller's voice is calm as she paints this increasingly alarming scenario. She continues: "Now we have a situation where we really need to find additional ways to mitigate risk. Maybe all these actions are taking place in Bulgaria. So we might say, maybe we can shut down the ATMs in Bulgaria." The tough question, of course, is whether the possibility of stopping those losses is worth the risk of stranding customers traveling in Bulgaria.

Here is one happy part of the story. Eventually, the bank was able to cut the phishing-related white card losses down to zero, without disrupting ATM service at all. How? By changing the authentication process. Every ATM card has data encoded on its magnetic strip that the customer can't see but that most ATM machines can read. The company worked with its network provider to use that hidden information to authenticate ATM transactions, an important step that, according to Gartner, only about half of U.S. banks have taken.

"Since the number isn't printed on the back of the card, customers can't accidentally disclose it," CISO Williams explains. The information was already in the cards, so Bank XYZ didn't have to go through an expensive process of reissuing cards. "It was a very economical solution, and it's been very effective."
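A simplified model of the issuer-side check described above, added here as an illustration; it is not Bank XYZ's or its network provider's code. The HMAC-based `stripe_value`, the key, the track layout and the sample card number are assumptions constructed for the example; real card networks use their own key-derived check values.

```python
import hashlib
import hmac
import re

# Constructed issuer secret for the demo; real issuers keep such keys in an HSM.
ISSUER_KEY = b"constructed-demo-key"

# Simplified track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?$")


def stripe_value(pan: str, expiry: str) -> str:
    """Three-digit check value stored only on the stripe (HMAC stand-in)."""
    mac = hmac.new(ISSUER_KEY, f"{pan}|{expiry}".encode(), hashlib.sha256)
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 1000:03d}"


def encode_track2(pan: str, expiry: str, check: str, service: str = "101") -> str:
    """Build the track 2 string as the issuer's system would see it."""
    return f";{pan}={expiry}{service}{check}?"


def authorize(track2: str, pin_ok: bool) -> str:
    """Issuer-side decision for one ATM withdrawal request."""
    m = TRACK2.match(track2)
    if not m:
        return "DECLINE: unreadable track"
    pan, expiry, _service, discretionary = m.groups()
    if not pin_ok:
        return "DECLINE: bad PIN"
    expected = stripe_value(pan, expiry)
    # Constant-time compare; a correct PIN alone is no longer sufficient.
    if not hmac.compare_digest(discretionary[:3], expected):
        return "DECLINE: stripe value mismatch"
    return "APPROVE"


# Constructed sample data (not a real account).
PAN, EXPIRY = "4000001234567899", "2512"
genuine = encode_track2(PAN, EXPIRY, stripe_value(PAN, EXPIRY))
# Request built only from a phished card number and PIN: the customer never
# saw the stripe value, so it could not be disclosed and the field is empty.
white_plastic = encode_track2(PAN, EXPIRY, "")

if __name__ == "__main__":
    print("genuine       ->", authorize(genuine, pin_ok=True))
    print("white plastic ->", authorize(white_plastic, pin_ok=True))
```

Because the check value is derived from data already tied to the card, the issuer can start enforcing it without reissuing cards, which matches the economics the CISO describes.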
