South African banks, Internet service providers (ISPs) and electronic messaging service specialists need to adopt a co-operative "coastguard" approach to overcome the threat posed by online fraud or "phishing".
"Co-operation and information sharing among major banks will ensure a strong platform from which to fight this ongoing threat," said Mike Wright, CEO of Johannesburg-based international electronic secure e-mail and messaging specialist Striata.
"All of the parties involved have to present a united front to educate customers if we are to effectively combat ongoing efforts by criminals to defraud people by conning them into revealing their online banking details on copycat Web sites."
One of the most positive outcomes of the recent Anti-Phishing Summit hosted by Striata is a mailing list for the sharing of information on phishing attempts and methodology, successful or otherwise. The summit was an opportunity for the major banks, ISPs and security vendors to promote co-operation in developing and implementing initiatives to combat phishing.
"Co-operation, good communication and the effective distribution of information is the bottom line. It is a fact that online fraudsters have South Africa in their sights, studying how we conduct our transactions, looking for weaknesses to exploit and for structures that may enable their scheme to work," added Wright.
"Banks generally have similarly high levels and methods of security. Co-operation will assist the entire online banking industry to overcome phishing much faster and more effectively. Currently speed is a critical element as once a false Web site has been detected, it needs to be shut down by the ISPs as quickly as possible."
Wright contends the new focus should be on preventing false e-mails from arriving in the intended victims' mailboxes. There are a number of preventive measures, starting with digital signatures, but banks will have to educate their customers to recognise these and provide recallable elements that assist the customer and the ISP to distinguish phishing e-mails from genuine e-mails.
"Banks will be working with digital certificates, SPF (sender policy framework) and DKIM (domain key identified mail) which are all complementary technologies that raise the overall preventative security barrier. However, because digital certificates require an action from the customer, who has to click on the icon to view the 'trust', we suggest a visual identification device that enables the customer to easily see that the mail is for him and genuinely comes from the bank."
The visual ID device could be the last four numbers of the individual's cellphone, his daughter's middle name or his breed of dog - something that a phisher, who relies on sending out millions of e-mails at random, wouldn't have a chance of knowing.
"These measures would put a clamp on the scale of phishing," said Wright. "It would force them to be much more specific and focused. No longer could they go for a 0.01% success rate on a million e-mails. So in conventional 'fishing' parlance, we would stop the guys with the nets and long lines and make them fish with rod and reel. Catching one at a time is a lot more difficult and in phishing terms requires very precise information, takes a lot more effort and is more costly. The chances of being caught are greatly increased too."
Wright also maintained that bank customers have to be alert and take responsibility for their online security, which in turn requires banks to educate and communicate with customers as well as provide ways for each individual to be able to recognise e-mails that are not genuine.
Anyone receiving an e-mail that they suspect is not genuine or is definitely a phishing attempt should report it or forward it to antiphishing@striata.com, where it can be examined and distributed to the appropriate parties.
"I have no doubt that proper use of sender verification techniques coupled with customer/user education and collaboration with ISPs will very significantly reduce opportunities for phishing. The Internet industry and commercial users of e-mail technology need to co-operate fully to ensure that a concerted, co-ordinated anti-phishing drive gathers and sustains momentum in order to dramatically curtail the number of phishing e-mails reaching customers and consumers."
Striata is passionate about reducing the challenges and costs associated with traditional communication. We understand the power and efficiency of electronic communication, from marketing and operational messages, to the delivery of confidential documents securely by e-mail. Striata specialises in the secure delivery and payment of bills, statements, payslips, invoices and all other confidential documents, via encrypted e-mail, and in maximising the adoption of electronic solutions. Striata has been a provider of software and services in the electronic messaging arena since 1999 and has offices in New York, London, Sydney and Johannesburg, as well as partners all over the world. Visit www.striata.com for more information.