Co-operation, paradigm shift thinking will overcome 'phishing' menace

Johannesburg, 04 Apr 2007

South African banks and their customers are now firmly in the sights of online fraudsters conducting a number of "phishing" scams and are seemingly powerless to prevent it.

However, a local specialist in the secure delivery and payment of bills, statements, invoices and other confidential documents via e-mail, maintains that with co-operation and some innovative thinking, phishing attacks can be reduced by as much as 98.5%.

"We need a new approach, because at this point it looks like the phishers are winning," says Mike Wright, CEO of Striata, an international electronic messaging specialist.

"Current defence strategies are based on 'post-event' efforts to close down phishing Web sites as soon as they are found. However, this means that clients are still at risk. We need to tackle the problem from the other end as well. What is also required is a process to prevent the e-mails from ever arriving. Key to this approach is digitally signing all outbound e-mail, using sender verification and working with Internet service providers (ISPs) to identify and delete e-mail before it hits their clients."

Netcraft, a UK-based international Internet security services provider, offers statistics that show there were more than 609 000 confirmed phishing URLs in 2006, an enormous 15-fold jump from just 41 000 in 2005. But there is an alarming sting in this tail - almost half the total came in a single month, December. A staggering 277 000 unique URLs were detected in December 2006 alone, with 457 000 cumulatively in the last three months of the year.

Wright says Netcraft's explanation for the sudden surge is the emergence of phishing-creation kits known collectively as "Rockfish" (or "R11"), which automate the rapid creation of scam Web sites. These allow sophisticated domain management, including webs of sub-domains, as part of the battle to overwhelm anti-phishing systems with vast numbers of short-lived sites that are impossible to keep tabs on or block.

If the Netcraft statistics are anything to go by, this trend is likely to keep accelerating in 2007, meaning that anti-phishing engineers now face the prospect of having to block swarms of phishing sites in real-time to make any impression on the phenomenon. Blocking phishing Web sites once they are detected is therefore almost impossible simply because of their number.

However, Wright says proper use of and adherence to the principle of "sender verification" coupled with customer/user education and collaboration with ISPs will very significantly reduce opportunities for phishing. The Internet industry and commercial users of e-mail technology need to co-operate fully to ensure that a concerted, co-ordinated anti-phishing drive gathers and sustains momentum.

"A sender verification strategy aims to increase the level of trust in legitimate e-mail from verified senders and there are a number of ways of doing it. Where we can raise the bar against phishing is to implement combinations of sender verification techniques that will dramatically curtail the number of phishing e-mails reaching customers and consumers."

The techniques that can be incorporated in such a strategy include digital signatures such as S/MIME and DKIM (DomainKeys Identified Mail) and Striata's own anti-phishing device.

Another process that focuses on combating forgery of the "from address" is SPF (sender policy framework), which requires domain owners to publish their mail server settings as an SPF record in their DNS (domain name servers). This allows recipient e-mail servers to check whether an e-mail is coming from a server authorised to send e-mail for that specific domain. Still others are PCP (personal challenge phrase and/or image) and Web Trackback, which verifies e-mail content.
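As an added illustration of the SPF check described above (example code written for this page, not part of the original article or of Striata's products): a minimal evaluator that reads a published v=spf1 record from a constructed DNS table and decides whether the connecting server is authorised to send for the sender's domain. The domain names and addresses are invented placeholders, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: fake domains in the
# reserved .invalid TLD; nothing here is a real bank's record).
FAKE_DNS_TXT = {
    "examplebank.invalid": "v=spf1 ip4:203.0.113.0/24 include:mailer.invalid -all",
    "mailer.invalid": "v=spf1 ip4:198.51.100.10 ~all",
}

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(mail_from):
    """Domain part of the envelope sender, e.g. 'alerts@examplebank.invalid'."""
    return mail_from.rsplit("@", 1)[-1].lower()


def check_spf(domain, client_ip, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the v=spf1 record for `domain` against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Handles the ip4, ip6, include and all mechanisms; other mechanisms
    (a, mx, ptr, exists) are skipped to keep the example self-contained.
    """
    terms = (dns.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1" or depth > 10:
        return "none"  # no published policy (or include loop): nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means 'pass'
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # an address of the other IP version is simply not in the network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def receiver_action(result):
    """Map an SPF result to what a receiving mail server does with the message."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
```

A message from an address outside the published ranges hits the `-all` term and fails, which is the condition a receiving server can act on.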

"Ignoring the phishing problem will not make it go away," says Wright. "Proven and readily available solutions already exist. What we need to do is to agree as an industry to adopt and adhere to the principle of combined techniques. If each of those techniques results in a 50% reduction of successful phishing attacks then a success rate of 98.5% is achievable."

Selecting the right technology solutions is the first step in the fight against phishing. The next logical step is to involve the ISPs. Wright says that if a bank implements a combination of technologies, getting the ISPs on board, by giving them the mandate to summarily delete e-mails that claim to originate from the bank's domain but carry no sender verification, adds far more power to the strategy.

Customers also need to share accountability for successful phishing attacks and this requires improved communication with and education of clients. Striata is introducing a six-point phishing education programme that Wright says will inform and educate even the "most computer-illiterate banking client".

In some parts of the world, banks have vetoed e-mail as a valid client communication tool but Wright says this is illogical in an age where e-mail is the most prolific form of business communication.

"E-mail has surpassed fax and post and is now relied upon for critical communication thanks to its ease of use, speed and low cost. It is used for everything from financial instructions, transmission of contracts and legal documents and information sharing of confidential documentation such as patent applications and business plans."

Banning e-mail makes no sense to the consumer. Every other service provider is communicating with them via e-mail, and so consumers expect banks to do so too and eagerly open, read and follow instructions, because they expect e-mail from their bank. This is the fundamental platform from which phishing is launched.

"Paradigm shift thinking is that banks should not stop sending e-mail but should send more of it in a structured, defined and identifiable manner," says Wright. "More frequent communication by e-mail educates consumers on how to identify a phishing e-mail and significantly reduces its chances of success.

"By stopping e-mail as a communication tool, the banks actually leave clients totally defenceless in identifying a phishing e-mail. They have nothing with which to make comparisons and they're not being educated."

Striata

Striata is passionate about reducing the challenges and costs associated with traditional communication. We understand the power and efficiency of electronic communication, from marketing and operational messages, to the delivery of confidential documents securely by e-mail. Striata specialises in the secure delivery and payment of bills, statements, payslips, invoices and all other confidential documents, via encrypted e-mail, and in maximising the adoption of electronic solutions.

Striata has been a provider of software and services in the electronic messaging arena since 1999 and has offices in New York, London, Sydney and Johannesburg, as well as partners in Ireland, Germany, The Netherlands, Central & South America, and Asia Pacific. Visit www.striata.com for more information.