
Taking the human factor out of phishing prevention

The weakest link in the battle against identity theft via e-mail is the tendency of users to click first and think second--if at all. Three new prevention methods may be worth the steps they add to the process.

Dennis O'Reilly Former CNET contributor

Phishing attacks are on the rise: the Anti-Phishing Work Group's April 2011 Global Phishing Survey (pdf) reports 67,677 phishing attempts in the second half of 2010, up from 48,244 in the first half of 2010, but down significantly from the 126,697 attacks recorded in the year-earlier period due to the Avalanche botnet.

Phishing attempts lasted an average of 73 hours in the last six months of 2010, up from 58 hours on average in the first half of the year, and from just under 32 hours in the second half of 2009.

When it comes to phishing prevention, the key is user education. First, because defending against online thieves is a cat-and-mouse game, and second, because even experienced and otherwise-cautious PC users have weak moments when they click a link they shouldn't trust, or go on auto-pilot and click through a warning dialog.

Of course, we're all fallible. We need phishing defenses that work despite our carelessness. Three approaches to phishing prevention add a step to the authentication process to help thwart phishers. Keep in mind that none of the three protects against the dreaded man-in-the-middle attack, where the bad guy installs software on your system that intercepts and records all your online activities before passing your private information on to the legitimate site.

The key to combating man-in-the-middle attacks is to prevent the malware from installing on your PC by keeping your security software's real-time protection active and up-to-date, and by scanning your system regularly for malware infections.

Use an image to verify the sign-in screen
Consider the number of times you enter a user ID and password in the course of a computing session. The sign-in screens start to look alike, which makes it easy to enter your sign-in data on a page a hacker has crafted to look like a legitimate service's authentication process.

Commerce Bank is one of several online financial services that have implemented an image-matching procedure that asks their online customers to select a security image and caption that will display on the sign-in page. Customers are instructed not to sign in if they don't see their security image and instead to call a toll-free number.

This doesn't prevent people from ignoring the lack of a security image and signing in anyway, nor will it prevent a man-in-the-middle attack (as I mentioned above), but its added layer of protection can make a big difference.

Send a one-time password via SMS
Likewise, one-time passwords don't protect against man-in-the-middle attacks--as Gurudatt Shenoy points out on the InfoSec Island site--but sending a one-time code to a mobile phone or other device via SMS will stymie most phishing attempts.

There are a couple of other downsides to one-time passwords: they make the sign-in process longer and more complicated, and the second-level validation introduces another potential failure point. If you don't have access to your phone, you can't get access to your account.

In a post last month I described how Gmail and Facebook take different approaches to their use of one-time passwords to secure sign-ins at public Wi-Fi access points and other unsafe locations.

Banks add a transaction password to safeguard online funds transfers
Imagine that a thief has acquired your online bank account sign-in credentials and attempts to transfer money out of your account and into the thief's. But up pops a request for the thief to enter another password tied specifically to this type of transaction. That's the idea behind transaction passwords.

Transaction passwords can also be one-time passwords that are sent to a mobile phone or other device via SMS. To date few banks outside of Asia have implemented transaction passwords for account transfers and other sensitive online-banking activities. Whether the technology is ever adopted widely is anybody's guess.
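The two sections above describe codes sent by SMS at sign-in and again at transfer time. The following is an added example, not code from the article, showing the server-side half of that flow: codes are random, stored only as a keyed hash, expire after a few minutes, work once, and lock after repeated wrong guesses. It also goes one step beyond the article's description by binding the transaction code to the amount and destination, so a code issued for one transfer does not approve a different one. The SMS gateway, the in-memory store and the names `OtpService`, `issue`, `issue_transaction_code` and `verify` are assumptions made for illustration.

```python
"""One-time codes for sign-in and for individual transactions (added example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300      # a code expires five minutes after it is issued
MAX_ATTEMPTS = 3            # a code is dead after three wrong guesses
CODE_DIGITS = 6


@dataclass
class PendingCode:
    digest: bytes            # only a keyed hash of the code is kept server-side
    issued_at: float
    purpose: str             # "login" or "transfer:<amount>:<destination>"
    attempts: int = 0
    used: bool = False


@dataclass
class OtpService:
    # hypothetical service object; a real deployment would back this with a database
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)   # user -> PendingCode
    sent_sms: list = field(default_factory=list)  # stands in for the SMS gateway

    def _digest(self, user, purpose, code):
        # HMAC over (user, purpose, code): a code issued for one purpose does not
        # verify for another, so a sign-in code cannot approve a funds transfer.
        msg = f"{user}|{purpose}|{code}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def issue(self, user, purpose="login", now=None):
        """Create a fresh code for `user`, record its hash, and 'send' it by SMS."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(self._digest(user, purpose, code), now, purpose)
        self.sent_sms.append((user, purpose, code))   # simulated SMS send
        return code

    def issue_transaction_code(self, user, amount, destination, now=None):
        """Transaction password: the code is tied to this amount and destination.

        The SMS text should repeat both values so the customer sees exactly
        what they are approving.
        """
        return self.issue(user, f"transfer:{amount}:{destination}", now)

    def verify(self, user, purpose, code, now=None):
        """Return True only for an unexpired, unused, correct code for this purpose."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or entry.used:
            return False
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]          # expired: drop it, the user must re-request
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False                    # locked after too many wrong guesses
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(user, purpose, code))
        if ok:
            entry.used = True               # single use
        return ok


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")
    print("sign-in accepted:", svc.verify("alice", "login", code))
    tcode = svc.issue_transaction_code("alice", "500.00", "ACCT-1234")  # constructed values
    print("altered transfer rejected:",
          not svc.verify("alice", "transfer:500.00:ACCT-9999", tcode))
    print("original transfer accepted:",
          svc.verify("alice", "transfer:500.00:ACCT-1234", tcode))
```

The `now` parameter exists so that expiry can be exercised deterministically; in production the clock is simply the server's. The purpose string is what turns a plain login OTP into a transaction password: because it is folded into the hash, a code obtained for one transfer cannot be replayed against a transfer with a different amount or destination.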

But the facts are that phishing attacks are growing in number, becoming more sophisticated, and lasting longer. All three factors increase the threat's potential for damage. Protecting online bank accounts and other targets of Web thieves will require that PC users be aware of and avoid phishing attacks. However, past experience teaches that no security system that relies on the vigilance of users can be considered safe.

While user education is a key element of the war against phishing, new tools must be developed and implemented that nip the phishers in the bud--whether by improving the ability of e-mail filters to spot and delete phishing attempts before they get to users, or by preventing damage when a user takes the bait. We'll never be able to rely on the ability and willingness of users to spot and avoid such attacks.