In partnership with the Silicon Valley-based SRI International, an independent research and technology development firm, APWG has published a report, "Online Identity Theft: Technology, Chokepoints and Countermeasures," which identifies common vulnerabilities and offers advice to e-commerce firms on how to protect their systems.
"Discussions of counter-phishing strategies often turn into storytelling sessions, which are useful but not effectively prescriptive," said Peter Cassidy, Anti-Phishing Working Group secretary general.
"With this report, researchers finally shine a flashlight into the engine room of e-commerce systems, give names to the gremlins, tell us where to find them and posit interventions that can take the components and protocols phishers exploit out of their grasp."
The report, commissioned by the U.S. Department of Homeland Security Science and Technology Directorate, is intended for technical practitioners, researchers and security executives. Conducted by independent research organization Radix Labs, the study provides analysis of counter-phishing technology. It details technologies used by online identity thieves and explores methods that could dramatically reduce financial losses and consumer distrust.
"Analysts estimate that online identity theft and fraud cost U.S. banks and credit card issuers $1.2 billion in 2003, and this cost continues to steadily grow," said Patrick Lincoln, Ph.D., director of SRI International's Computer Science Laboratory.
"This new report was commissioned to increase awareness of the problem, offer new information about technology solutions and stimulate innovation. We see many opportunities to prevent phishing through new security technologies and hope this report will encourage innovative approaches to solving the problem."
"Instead of looking at individual pieces of the problem, we constructed an information flow that applies to all types of phishing attacks," added Aaron Emigh of Radix Labs, author of the report.
"The report identifies chokepoints, which are points in the flow where there is an opportunity to stop a phishing attack. It offers countermeasures that can be applied at each chokepoint, drawn from existing technologies, new products, and academic research."
The full report is available for download at: http://www.antiphishing.org/Phishing-dhs-report.pdf.