Death to Phishing

What happens after a phishing attack? Here's one midsize bank's phishing incident response plan.


When the possibility of a phishing attack was theoretical, it didn't seem that this part of the response would be very complicated. "It's easy for management, who is more removed from the clientele base, to say, 'If this occurs, we're going to do ABC. For every client that we know [was affected], we're going to shut down all those accounts, and we're going to replace them,'" Miller says. "But then the reality hits."

That first attack opened the floodgates. Over the months that followed, Bank XYZ was hit again and again, up to dozens of times a day. Sometimes the attacks were copycat phishes, launched after a tool kit, complete with templates, was released into the phishing community. (This sharing practice gains the original phisher credibility among his cohorts, while also throwing law enforcement off his track.) But other times the phishing attacks were unique. Bank employees came to realize that they were facing a maddening series of "what if" scenarios.

If the customer gave up only her ATM card and PIN, was it safe for the bank just to reissue an ATM card? If a customer gave up his banking log-on information, did all his account numbers need to change? If a customer gave up her Social Security number at a phishing site with Bank XYZ's logo, how proactive should the bank be about counseling the customer on identity theft? And how, by the way, could the call center realistically provide coverage during the deluge of calls caused by a phishing attack?

"For every phone call that you take, there's a reaction that has to occur," Miller points out. "Accounts don't just close themselves. That's a time-consuming process." It's also an expensive one: The TowerGroup estimates that replacing a single ATM card costs about $7.50.

It took months to work out the resulting procedures. For instance, the bank eventually decided to have the call center handle initial account changes, but to have someone from the fraud department follow up with customers within 24 hours, for further counseling and investigation. Another policy: When online banking information was divulged, before changing all the customer's account information, the bank would look at recent account activity and try to determine what information had been accessed.

Of course, all of this raised a larger question: Who wasn't calling? Which customers hadn't realized they'd been duped? Answers, occasionally, came as an unexpected gift. Sometimes, either the vendor or members of the fraud department were able to exploit a vulnerability in a phishing website that allowed them to actually see which customers had entered account information, put a hold on those accounts, and contact the customer to get the account information changed.

Like dilution, this practice is aggressive at best, and possibly illegal at worst. "You're still connecting to someone's systems you don't own, and potentially you could be liable for something," says Ryan Crum, a manager in PricewaterhouseCoopers' Security Practice. After talking it over with the legal department, Bank XYZ decided that knowing exactly who was giving up their account information was worth the risk.

Other times, data was more easily obtained. Sometimes cooperative ISPs turn over forensic information about illegal activity on their servers. The bank has been able to learn about where a phishing e-mail was sent or, even better, what information was gathered.

But all this is rare. Instead, the fraud team focuses on how and where losses are occurring. Early phishers were mostly after ATM numbers and PINs, because that was all the information a criminal needed to create a fake ATM card, called white plastic, and use it to withdraw funds. These fund withdrawals were coming off the bank's bottom line, so this led to some painful decisions.

"Maybe [Jones] is baby-sitting a phish, and we're having a problem getting it closed down," Miller posits. "Not only that, but the call centers were reporting a volume yesterday of 100; today it's 200, and it's climbing. And at the same time the debit card department is reporting that the number of white plastic losses are increasing in volume."

Miller's voice is calm as she paints this increasingly alarming scenario. She continues: "Now we have a situation where we really need to find additional ways to mitigate risk. Maybe all these actions are taking place in Bulgaria. So we might say, maybe we can shut down the ATMs in Bulgaria." The tough question, of course, is whether the possibility of stopping those losses is worth the risk of stranding customers traveling in Bulgaria.

Here is one happy part of the story. Eventually, the bank was able to cut the phishing-related white plastic losses down to zero, without disrupting ATM service at all. How? By changing the authentication process. Every ATM card has data encoded on its magnetic stripe that the customer can't see but that most ATMs can read. The company worked with its network provider to use that hidden information to authenticate ATM transactions, an important step that, according to Gartner, only about half of U.S. banks had taken at the time.

"Since the number isn't printed on the back of the card, customers can't accidentally disclose it," CISO Williams explains. The information was already in the cards, so Bank XYZ didn't have to go through an expensive process of reissuing cards. "It was a very economical solution, and it's been very effective."
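The following is an added example, not code from the article, Bank XYZ or its network provider, showing why a verification value that lives only on the stripe stops white plastic built from phished data. It models both sides of the change described above: the old authorization check (card number plus PIN) and the hardened one, which additionally requires a card verification value that was written to the stripe at issuance and is never printed or shown to the customer. The real issuer derivation (a DES-based CVV1/CVC1 under issuer keys) is not reproduced; an HMAC under an assumed issuer key stands in for it, the position of the value inside the discretionary data is an assumed layout, and all account numbers, PINs and keys are constructed sample values.

```python
import hashlib
import hmac
import re

# Issuer-side card verification key; constructed value, never present on the card.
ISSUER_CVK = b"constructed-issuer-cvk-do-not-reuse"

# Track 2 layout: ;PAN=YYMM SSS discretionary? (ISO/IEC 7813 field separators).
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d+)\?$"
)

# Constructed cardholder records keyed by PAN. Real systems hold a PIN
# verification value rather than the PIN; a plain PIN keeps the example short.
ACCOUNTS = {
    "4000123456789010": {"expiry": "0712", "service": "201", "pin": "4321"},
}


def derive_cvv(pan, expiry, service):
    """Three-digit card verification value over PAN, expiry and service code.

    Stand-in for the DES-based CVV1/CVC1 derivation issuers actually use: an
    HMAC under the issuer key, then a decimalisation step in the same spirit
    (decimal digits first, hex letters a-f mapped to 0-5 as a fallback).
    """
    msg = f"{pan}{expiry}{service}".encode()
    digest = hmac.new(ISSUER_CVK, msg, hashlib.sha256).hexdigest()
    decimal = [c for c in digest if c.isdigit()]
    fallback = [str(ord(c) - ord("a")) for c in digest if c in "abcdef"]
    return "".join((decimal + fallback)[:3])


def personalise_track2(pan):
    """Issuer side: what is encoded on the stripe when the card is made.
    Assumed discretionary-data layout: the CVV occupies the first three digits."""
    rec = ACCOUNTS[pan]
    cvv = derive_cvv(pan, rec["expiry"], rec["service"])
    return f";{pan}={rec['expiry']}{rec['service']}{cvv}0000000?"


def parse_track2(track2):
    m = TRACK2_RE.match(track2)
    if not m:
        raise ValueError("malformed track 2 data")
    return m.groupdict()


def authorise_pan_and_pin(track2, pin):
    """Pre-hardening: only PAN and PIN are checked, so white plastic carrying a
    phished number and PIN is indistinguishable from the genuine card."""
    t = parse_track2(track2)
    rec = ACCOUNTS.get(t["pan"])
    if rec is None or not hmac.compare_digest(rec["pin"], pin):
        return False, "bad PAN or PIN"
    return True, "approved"


def authorise_with_cvv(track2, pin):
    """Post-hardening: the stripe must also carry the verification value the
    customer cannot see and therefore cannot type into a phishing page."""
    approved, reason = authorise_pan_and_pin(track2, pin)
    if not approved:
        return approved, reason
    t = parse_track2(track2)
    rec = ACCOUNTS[t["pan"]]
    if t["expiry"] != rec["expiry"] or t["service"] != rec["service"]:
        return False, "expiry or service code mismatch"
    expected = derive_cvv(t["pan"], t["expiry"], t["service"])
    if not hmac.compare_digest(t["disc"][:3], expected):
        return False, "CVV mismatch: stripe was not issued by us"
    return True, "approved"


def white_plastic(pan, expiry, service="201"):
    """Fraudster side: a stripe forged from phished data only. Without the
    issuer key the discretionary field can only be guessed; zeros here."""
    return f";{pan}={expiry}{service}0000000000?"


if __name__ == "__main__":
    pan, pin = "4000123456789010", "4321"
    genuine = personalise_track2(pan)
    forged = white_plastic(pan, "0712")
    print("genuine card, PAN+PIN check:", authorise_pan_and_pin(genuine, pin))
    print("white plastic, PAN+PIN check:", authorise_pan_and_pin(forged, pin))
    print("genuine card, PAN+PIN+CVV:  ", authorise_with_cvv(genuine, pin))
    print("white plastic, PAN+PIN+CVV: ", authorise_with_cvv(forged, pin))
```

Two points carry over to real deployments. The value on the stripe is only as good as the secrecy of the issuer key and the fact that the acquirer forwards the full track rather than just the PAN, which is why the article notes the change had to be made with the network provider. And the control defends only against forged stripes: a fraudster who skims a genuine card at a tampered ATM captures the hidden value along with everything else, so it does nothing against the online-banking log-on attacks the article goes on to describe.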


By whatever means, the phishing site eventually comes down. Then all that's left is the reporting.

Brandimensions burns a compact disc with information about the phish, including screen shots, and gives it to Bank XYZ. The bank then passes the information on to the FBI, which looks for patterns or anomalies in the attacks. (Through Miller, the FBI agent assigned to Bank XYZ declined to comment for this story.)

Technically, national banks are also supposed to report incidents involving spoofed websites to the Treasury Department's Office of the Comptroller of the Currency, in the form of a suspicious activity report, or SAR. Miller won't publicly comment on SARs at all, even anonymously. She'll only say that the bank reports phishing attacks to appropriate regulatory agencies.

Within the bank, Miller reports to business lines about monthly fraud losses. Meanwhile, a cross-departmental team helps educate customer-facing employees and works with public affairs on customer education. It's a many-fronted battle in a war that's far from won.

Now that the ATMs have been hardened, phishers are going after online banking log-ons instead, and using the account access to do fraudulent fund transfers. There are also mounting concerns that if customers stop giving up information voluntarily, the phishers will start taking it instead, with technical approaches such as pharming. Fraudsters are an opportunistic lot. Banks are just trying to stay no more than a few steps behind.

But for now, at least, when a new attack targets Bank XYZ, the CISO is surprised for entirely different reasons than on that first chaotic day. "Today I came in and had a voice mail that we had a phish," says Williams, 367 days after that first ugly scene. "I was like, Oh, we haven't had one of those in a while." There's not much he has to do about it, either. There are no tense conference calls where people are asking for basic definitions. Everyone knows his or her job.

"We have confidence in the incident response process," Williams says. "We defined how it should go, and it started working. And once you have a way to manage it, it no longer requires the CISO's involvement." The death of a phish doesn't need to be extraordinary. It's just in a day's work.


Copyright © 2005 IDG Communications, Inc.
