Thursday, April 06, 2006

Phishing: Why it Works and What is Next...

If you have ever wondered Why Phishing Works, you need to read this article by Rachna Dhamija at Harvard University, J. D. Tygar, and Marti Hearst from UC Berkeley.

What makes a web site credible? This question has been addressed extensively by researchers in computer-human interaction. This paper examines a twist on this question:

What makes a bogus website credible?
In the last two years, Internet users have seen the rapid expansion of a scourge on the Internet: phishing, the practice of directing users to fraudulent web sites. This question raises fascinating questions for user interface designers, because both phishers and anti-phishers do battle in user interface space. Successful phishers must not only present a high credibility web presence to their victims; they must create a presence that is so impressive that it causes the victim to fail to recognize security measures installed in web browsers.


The phishers are very good at spoofing financial services web sites, to the tune of more than 2 million users being fooled last year alone. The web site designers are doing their best to create a site whose look is so sophisticated that it is more difficult to replicate on a fraudulent site and URL. The point is, we as consumers are always the ones being asked for information only we would know, or for information with which we authenticate ourselves.

Why can't we turn this problem upside down? Why can't I authenticate the bank's web site by asking the bank for a piece of information that only they would have or know the answer to? Some tools and technologies already exist to help with this upside-down thinking. Bank of America is using SiteKey, which retrieves a graphical image from its database, one that I personally picked and that no one else "should" be able to replicate. The answers are on the way.
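To make the "upside down" check concrete, here is an added example (not code from this post, and not Bank of America's SiteKey implementation) of the two halves of such a scheme: the bank stores the image the user picked at enrolment and shows it back before asking for a password, and the user only proceeds if the image matches. Binding the image lookup to a per-browser device cookie is an assumption of this example, not something the post describes; it keeps the bank from handing the secret image to anyone who merely types in a username.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class SiteKeyStore:
    """Server side of a SiteKey-style check: the bank proves itself to the
    user by showing back a secret image the user picked at enrolment."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        # username -> {"image": chosen image id, "devices": set of HMAC tags}
        self._users = {}

    def _tag(self, device_cookie: str) -> str:
        # Store only a keyed hash of the cookie, never the cookie itself.
        return hmac.new(self._key, device_cookie.encode(), hashlib.sha256).hexdigest()

    def enrol(self, username: str, image_id: str) -> str:
        """Record the image the user picked and bind the enrolling browser.
        Returns the value to set as a long-lived device cookie."""
        cookie = secrets.token_urlsafe(32)
        self._users[username] = {"image": image_id, "devices": {self._tag(cookie)}}
        return cookie

    def register_device(self, username: str) -> str:
        """Bind a further browser after the user passed some other check
        (challenge questions, for example; that step is assumed, not shown)."""
        cookie = secrets.token_urlsafe(32)
        self._users[username]["devices"].add(self._tag(cookie))
        return cookie

    def lookup(self, username: str, device_cookie: Optional[str]) -> Optional[str]:
        """Return the user's image only to a browser already bound to the account.
        Unknown user, missing cookie and unknown device all answer the same way,
        so the endpoint does not reveal which usernames exist."""
        user = self._users.get(username)
        if user is None or not device_cookie:
            return None
        if self._tag(device_cookie) not in user["devices"]:
            return None
        return user["image"]


def site_is_genuine(image_user_picked: str, image_shown: Optional[str]) -> bool:
    """The user's half of the check: only go on to type the password when the
    page shows exactly the image chosen at enrolment."""
    return image_shown is not None and image_shown == image_user_picked
```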

Chris Young
Senior Vice President and General Manager, Consumer Solutions Division
RSA Security

As senior vice president of the Consumer Division at RSA Security, Christopher Young is responsible for driving the company’s consumer identity protection strategy, including the delivery of RSA® Authentication Service to provide simple and secure layered and two-factor authentication to all online users.

Cyota FraudAction Service is just one example of some new and exciting anti-fraud solutions on the way.
