The problem for banks and other financial institutions is that the percentage of users does not need to be very high for it to be worthwhile for the phishers to continue in their activities.
It might be hoped that customers could be educated not to trust these emails, but the phishers are getting more sophisticated, and the emails more convincing. There's evidence to suggest, for instance, that phishers are targeting recent successful eBay bidders – within minutes of the close of an auction – in an attempt to convince them that before they complete the sale, they must change their account details. Needless to say, the link in the email is not to eBay – or not straight to eBay – but to another site entirely. This time-sensitive attack is a new one – and requires quite a high level of organisation and planning on the part of the phishers: it's not about sending out a few tens of thousands of spam messages, but about selecting a likely target and tuning the attack accordingly. It's like an evolutionary war between predators and prey: the sophistication of the attack increases as the sophistication of the customer does. The problem is that the attacker doesn't need to target the most sophisticated, but the least.
We can expect the war between the phishers and those phished – financial institutions' customers – to continue unabated, and although education is an important weapon to be wielded, it is not going to resolve the conflict. Quite apart from any other considerations, the return on investment from continued education campaigns will reduce as those who can be educated are, and those who can't just pay less and less attention.
Another technique that should be part of the armoury is the normal SSL/TLS protocol that secures the link between the customer's web browser and the bank. Or rather, it is supposed to secure this link: although a customer can "click" on the padlock to check the security of the link, few do, and even then the information provided is such that it is almost impossible, even for a security professional, to divine whether the connection is to the right website, or is secure. There are a variety of tools to improve the quality of the information about websites, and these, too, are valuable weapons in the armoury of the customer.
But it is the banks and other financial organisations that need to take control and to protect their flock of customers from the ravaging packs of phishers. Although individual customers may take steps to protect themselves, and can be aided and guided by banks to do so, it is through a system-led improvement that the battles to beat the phishers can be won, and the progress of the war tipped in the banks' favour. The great weakness of the systems currently in place is that they rely on a piece of information that is unchanging, and which, once discovered, can be used again and again: the user's password. This may be long, it may be short, the bank may try to reduce the re-use of parts of it by requesting only certain digits – but if it is compromised, then the attackers have access to what they want.
There are, however, weapons that the banks themselves can deploy, particularly around authentication. The most obvious of these is to use a dynamically produced one-time password (OTP). This is used only once, and changes based either on time or on an event such as the customer pressing a button. This means that passwords, once used, are useless to attackers – harvesting them is pointless. However, a determined and resourceful attacker might, via a man-in-the-middle attack, harvest and use OTPs in real time, changing the details of a payment, for instance, to credit a different account, in a different currency, for a different amount. To combat these types of attack, message-based authentication can help: a cryptographic message is formed that includes the details of the transaction and can't be reverse-engineered.
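The difference between the two defences, from the bank's side of the check, as an added example that is not part of the original article. The article names no scheme, so HOTP (RFC 4226) is assumed for the OTP and an HMAC over length-prefixed payment fields for the message-based code; the key, counter, account strings and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: HMAC output -> short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otp(key: bytes, counter: int) -> str:
    """Event-based OTP (HOTP): depends only on the key and a counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, 6)

def transaction_code(key: bytes, counter: int, payment: tuple) -> str:
    """Code whose MAC input also covers account, currency and amount."""
    msg = struct.pack(">Q", counter)
    for field in payment:
        raw = field.encode()
        msg += struct.pack(">H", len(raw)) + raw  # length-prefix each field
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), 8)

def bank_accepts_otp(key, counter, code, payment) -> bool:
    # The payment is not an input to the check, so any payment passes.
    return hmac.compare_digest(otp(key, counter), code)

def bank_accepts_transaction_code(key, counter, code, payment) -> bool:
    # The bank recomputes the code over the payment it actually received.
    return hmac.compare_digest(transaction_code(key, counter, payment), code)

def demo() -> dict:
    key, counter = b"constructed-demo-key", 7          # constructed values
    intended = ("GB-ACCT-0001", "GBP", "150.00")       # what the customer approved
    altered = ("XX-ACCT-9999", "EUR", "9500.00")       # what reaches the bank
    user_otp = otp(key, counter)
    user_code = transaction_code(key, counter, intended)
    return {
        "otp_intended": bank_accepts_otp(key, counter, user_otp, intended),
        "otp_altered": bank_accepts_otp(key, counter, user_otp, altered),
        "code_intended": bank_accepts_transaction_code(key, counter, user_code, intended),
        "code_altered": bank_accepts_transaction_code(key, counter, user_code, altered),
    }

if __name__ == "__main__":
    print(demo())
```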
The message, then, is that there are a variety of different defences, which should be used in conjunction, based on need. And any defence against attacks must, of course, be cost-effective. But cost, in this context, is less tangible than it might immediately seem. The obvious calculation might be: "if we can spend less on a defence than our losses if we don't, then it's cost-effective." This, however, ignores the fact that there are other types of cost which are equally important to banks, and high on that list are reputation and customer confidence. If customers are lost due to a perception that a bank is insecure, all of their business is gone, and new customers will be hard to come by. And if customers lose confidence in Internet banking, then the old, expensive alternatives of telephone banking and branch banking will have to be reconsidered.
On the other hand, the risks of these losses happening are quantifiable, and the correct trade-off has to be to reduce risk to an acceptable level, given the current state of the art in phishing, the cost of counter-measures, and the ability of customers to resist attacks. The banks must act to ensure that the corral around their customers is secure enough to deter all but the most determined attacker, but they must also keep ahead of the game, and be ready to react as attackers become more determined or more sophisticated, as new defences become available - and as competitors move in for a bit of rustling.
The author is UK Technical Manager for Cryptomathic Ltd.
Cryptomathic Ltd. are exhibiting at Infosecurity Europe 2005, which is Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th - 28th April 2005 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in Information Security. www.infosec.co.uk