How Can We Stop Phishing and Pharming Scams?

According to Gartner, between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million. The Computing Technology Industry Association has reported that pharming occurrences are up for the third straight year.

Both types of scams lead unsuspecting customers to give up valuable personal and financial information. Phishing e-mails entice users to a fake website where they enter personal data. Pharming pop-up boxes appear at reputable websites and hijack the user, who enters financial data at an illegitimate URL. U.S. companies lose more than $2 billion annually as their clients fall victim, and theyve finally started implementing a number of countermeasures.

One countermeasure is software. In addition to spyware and adware, developers have introduced applications that can collect and store personal data while keeping it safely encrypted on the users hard drive. When a user enters personal information in reply to an unknown e-mail address or in a mysterious pop-up box, the software displays an alert. There are also downloadable tools for web browsers that rate websites based on Secure Sockets Layer (SSL) technology, an internet protocol for sharing sensitive information. Most software options check against an updated database of blacklisted phishing sites and IPs.

Bank of America recently implemented the use of personal digital images with a security feature called SiteKey. The user chooses an image to appear when he logs on. If the secret image does not appear, he has logged on to the wrong place. SiteKey, secret phrases, three challenge questions and the standard user names and passwords will be used for all BoA customers by this fall. A similar technology using visual cues has been developed by Green Armor Solutions. Drawing on psychology, a website uses a visual cue thats easily remembered, such as a colored box with a word in a different colored text. The cue is generated mathematically with a one-way hash function and a secret key. Users will see the same personalized cue each time. Phony sites will not be able to produce the correct cue, so users will know something is wrong.

Another interesting approach has been suggested by Robert X. Cringely, a columnist for PBS and Infoworld. Cringely thinks we should fight fire with fire. For example, a phisher may send out a million e-mails and yield useful information from 100 replies with hardly any effort. If everyone who received phishing e-mails replied with false information, the criminal would be forced to cull through a million replies to get at the 100 with useful information. While this requires the user taking time to fill out the forms, it would increase labor exponentially for the phisher, greatly reducing the profitability of the scam.

There are sites that limit the number of failed sign on attempts in a day per single IP. Others wont use pop-ups during registration and log-in in procedures. Some companies have eliminated the e-mail relationship entirely, warning their customers through mailings sent with monthly statements.

A nationwide survey by the Cyber Security Industry Alliance in May found nearly half of voters nationwide claimed that fears of identity theft prevented them from conducting business online. Retailers, banks and software developers are scrambling to keep up, as criminals find new ways around security systems, but what can they do? Is there a silver bullet? What do you think?

Copyright © 2005 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)