Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

Original Source: http://www.banktechnews.com/cgi-bin/readstory.pl?story=20040401BTNC886.xml

Goin’ Phishing
Author:  Karen Krebsbach

Growing e-mail attacks threaten banks’ bottom lines

Banks have battled worms, viruses, trojan horses and spyware with ample equanimity for years. But the most formidable combatant on the scam scene is proving to be purveyors of phishing, the distribution of spoofed e-mail messages with return addresses, links and branding art that make the e-mails appear to come from banks, insurers, payment firms, retailers or credit card companies. Their goal? To suck in bank account, password and credit card data from unsuspecting accountholders.

Victims since December have included customers of Citibank, eBay, PayPal, Wachovia, Bank of America, Visa and Wells Fargo, all of whom have publicly warned of nearly 10 variants of phishing attacks. Scammers even have rattled the cages of two top government and industry bigwigs, the Federal Deposit Insurance Corp. and the American Bankers Association. Even the FBI, itself a victim of phishing, has denounced it as “the most troubling new scam on the Internet.”

Phishing attacks, which hit Australian and U.K. banks hard last summer and fall, have been particularly virulent and more sophisticated against U.S. institutions since November, says the Anti-Phishing Working Group, an industry group of banks and vendors created by Tumbleweed Communications, an Internet messaging software firm. According to a spokesman, the number of different global phishing attacks spiked 60 percent in February, up from a 52 percent hike the previous month. The group only began tracking attacks in early November. But there will be 9,000 unique incidents globally this year, a far cry from the 282 reported in February alone, predicts Elizabeth Robertson, a senior analyst at Needham, MA-based TowerGroup.

“Banks might have a slightly greater sense of urgency about phishing now,” agrees David Jevans, chairman and founding member of the APWG and a svp at Tumbleweed. “The problem really did emerge quickly. It didn’t exist at this level four or five months ago.” Most educated Web trawlers know providing account and password details in an e-mail is a big mistake, but phishers specialize in fooling the average consumer. Not only is the e-mail usually HTML-based, but the return address also appears to be accurate and bears the authentic trademarks, logos, graphics and URLs of the spoofed company.
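The paragraph above describes the core trick: an HTML message whose visible link text, logos and branding belong to the bank while the underlying link goes somewhere else. The following is an added example, not code from the article or from any vendor it names, of the kind of check a mail gateway or analyst script can run over a message body: it extracts every anchor, compares the host the visible text names against the host the href actually points to, and flags anything that does not resolve to the institution’s own domain. The sample message, the bank name `examplebank.com` and the two-label `registrable()` heuristic are all constructed assumptions for the example.

```python
"""Flag anchors in an HTML e-mail whose visible text names one site but whose
href actually points elsewhere.  Added example; sample data is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host name inside visible link text.
HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude registrable-domain heuristic (last two labels).  Assumption for
    the example; production code should consult the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, expected_domain):
    """Return a list of findings, one per anchor that fails any check."""
    parser = _Anchors()
    parser.feed(html)
    expected = expected_domain.lower()
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        target = registrable(host)
        reasons = []
        # 1. The link must land on the institution's own domain.
        if target != expected:
            reasons.append(f"href host {host!r} is not {expected}")
        # 2. If the visible text names a host, it must agree with the href.
        match = HOST_RE.search(text)
        if match and registrable(match.group(1)) != target:
            reasons.append(
                f"visible text names {match.group(1)!r} but href goes to {host!r}")
        # 3. Credential pages should never be reached over plain http.
        if parsed.scheme.lower() != "https":
            reasons.append("link is not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message: one legitimate link, one classic display/href
# mismatch to a bare IP address, and one look-alike domain.
SAMPLE_HTML = """
<html><body>
<p>Dear customer, please <a href="https://www.examplebank.com/help">Help</a>.</p>
<p>Verify your account at
<a href="http://203.0.113.5/login">https://www.examplebank.com/login</a></p>
<p>Or <a href="https://examplebank-secure.example/verify">Click here</a>.</p>
</body></html>
"""


def scan_sample():
    return suspicious_links(SAMPLE_HTML, "examplebank.com")


if __name__ == "__main__":
    for f in scan_sample():
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the legitimate help link passes and the other two are reported with the specific reason, which is what a gateway filter would log or an analyst would put in a takedown request.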

The financial windfall for attackers is potentially enormous. Analysts estimate that up to 5 percent of e-mail requests actually succeed in obtaining a client’s financial data, though it’s unclear how much of that data is ever used fraudulently. However, there are tangential costs to financial services: One top-20 U.S. bank fielded up to 90,000 phone calls per hour after a phishing attack in February paralyzed the bank for five hours, according to Jevans. He says several Australian banks have set aside a $2 million fund to cover losses associated with phishing.

The battle is about more than covering losses. Bank of America created a database of accountholders who received the e-mails, and is continuing to cross-check it against the accounts themselves, hoping to preempt any unauthorized charges or ID theft, says Rhonda MacLean, a BofA director of corporate information security and a Treasury-appointed sector coordinator for the financial services industry’s public/private partnership on critical infrastructure protection and homeland security. “Phishing is getting a lot of publicity, which is a good thing,” she says, noting that her bank has changed policy to allow call center staff to directly contact Web security staff if a phishing attack is suspected, since those employees are often the first to hear of a problem. That way the clock begins ticking earlier to get phishers’ Web sites shut down.

“Phishing is a major concern for banks because it hits at the root of customer confidence,” she says. “It is important that we figure out how to provide a level of assurance for the customer.” In addition to customer education, she says it’s also critical that banks continue to share information through industry groups.

But the most insidious damage is to a bank’s reputation in an age in which banking products and services are largely commodities. “Brand is everything,” observes Jevans, who estimates phishing costs financial institutions about $100,000 to $150,000 per attack. “There’s a lot of brand risk. Fraud is easier to sweep under the rug. It’s very different when one million people are getting e-mails from you. Are they likely to continue to do business with you? What’s a bank’s whole thing? Security. Safety. Trust. Anything that undermines those issues can’t be good.”

When London-based NatWest was hit by a phishing scam last October, it shut down its Web site and the firm was forced to field thousands of phone calls from angry customers. Similar scams hit Barclays and Lloyds TSB last autumn. In the U.S., Citigroup has been the largest bank victim to date, and the second most-attacked company after eBay, with 58 attacks in February, 35 in January, 17 in December and six in November, according to APWG statistics. Bank officials, however, declined to be interviewed on the subject.

Jevans estimates that fewer than 10 percent of all banks have sufficiently robust e-mail security for their customers, which he suggests includes technology that scans and filters the bank’s e-mail—and alerts handlers of potential scams. Banks that want to fight phishing at its roots should have strong Web site authentication, mail server authentication and digitally signed e-mail with both gateway and desktop verification, he says. Super regionals or big banks can expect to spend between $200,000 and $1 million annually to fight phishing, says Jevans, who estimates authentication software alone could cost between $20 and $100 per e-mail user.

Perhaps the most troubling new kind of phishing scam, however, is the “layered site,” says Robertson. This kind of e-mail, which hit Australian bank Westpac in March, offers links to Web sites that successfully mimic the bank’s site, but overlays the authentic site so when financial data is extracted, the fake site fades and the real site emerges. A customer not paying attention to the fade-out might not even realize he’d been scammed, she says, noting it “is a scary new development.” Other scams download keystroke spyware onto clients’ hard drives that report back to fraudsters. Late last month, Cyota, a provider of anti-fraud and security products, pointed out another problematic trend: simultaneous attacks from multiple locations, which makes it even more difficult to track fraudsters.

Though law enforcement efforts have thus far been largely futile, analysts say virus-protection firms and financial firms have tracked fraudsters to the Philippines, South Korea, Russia and China. “It’s difficult to tear [the Web sites] down and confiscate [the data],” says Jevans, who estimates it takes about 60 hours to track a scam to its source. “Then you have to speak the local language, threaten them or have local law enforcement threaten them. It’s hard.” Tracking the funds is often impossible, especially if the stolen money is filtered through temporary accounts and electronically moved to offshore accounts.

Phishing turns the table on consumers, says Mark Rasch, chief security counsel for Solutionary, Inc., an Omaha-based managed security services provider. “What phishing demonstrates is that in the real world, we have a paradigm where the teller asks us for an ID,” he says. “We don’t have the paradigm where we go to the teller and ask the bank for ID.” The best defense, he says, is secure socket layer, or SSL, certificates for e-mail authentication, though they only verify the session, not the user. And, he says, there have been reports of successful attacks on SSL lines.

While only a handful of true anti-phishing products have emerged to combat the problem head-on, most banks are dealing with the problem on two levels: velocity and IP address pattern analysis, and e-mail authentication. To date, there has been a fairly large correlation among spam, viruses and phishing, says Rasch. “So if you’re a bank, you want to scan as much spam as possible. Spam is a major vector for phishing and viruses and worms. …And we see more vulnerabilities every week.”
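The article mentions “velocity and IP address pattern analysis” without describing it. As an added example, not code from the article or from any of the firms it names, the following shows the basic idea over a constructed authentication log: within a sliding time window, one source address that successfully signs in to many different accounts (the pattern left when harvested credentials are replayed), or one account reached from many different addresses, is raised as an alert. The log format, the field names, the thresholds and the IP addresses are all assumptions for the example.

```python
"""Velocity / IP-pattern analysis over authentication logs.
Added example; the log format and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp followed by key=value fields.
# 203.0.113.9 signs in to four accounts in three minutes; erin is reached
# from three different addresses in four minutes; alice and bob are normal.
SAMPLE_LOG = """\
2004-02-12T09:58:10 ip=198.51.100.7 user=alice result=ok
2004-02-12T09:59:02 ip=198.51.100.22 user=bob result=ok
2004-02-12T10:00:15 ip=203.0.113.9 user=alice result=ok
2004-02-12T10:01:40 ip=203.0.113.9 user=bob result=ok
2004-02-12T10:02:05 ip=203.0.113.9 user=carol result=fail
2004-02-12T10:02:31 ip=203.0.113.9 user=carol result=ok
2004-02-12T10:03:12 ip=203.0.113.9 user=dave result=ok
2004-02-12T10:05:00 ip=192.0.2.14 user=erin result=ok
2004-02-12T10:06:30 ip=192.0.2.77 user=erin result=ok
2004-02-12T10:08:45 ip=192.0.2.130 user=erin result=ok
2004-02-12T11:30:00 ip=198.51.100.7 user=alice result=ok
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text), fields["ip"], fields["user"], fields["result"]


def _trim(window_q, now, window):
    """Drop entries that have fallen out of the sliding window."""
    while window_q and now - window_q[0][0] > window:
        window_q.popleft()


def velocity_alerts(lines, window=timedelta(minutes=10),
                    max_users_per_ip=3, max_ips_per_user=2):
    """Return alerts for IPs touching too many accounts, and accounts touched
    from too many IPs, within `window`.  Only successful logins count: a
    burst of failures is a different signal (brute force) and is left out."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    by_user = defaultdict(deque)  # user -> deque of (ts, ip)
    alerts, alerted = [], set()
    for ts, ip, user, result in events:
        if result != "ok":
            continue
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))
        _trim(by_ip[ip], ts, window)
        _trim(by_user[user], ts, window)

        users = {u for _, u in by_ip[ip]}
        if len(users) > max_users_per_ip and ("ip", ip) not in alerted:
            alerted.add(("ip", ip))
            alerts.append({"kind": "ip", "key": ip, "at": ts.isoformat(),
                           "detail": sorted(users)})

        ips = {i for _, i in by_user[user]}
        if len(ips) > max_ips_per_user and ("user", user) not in alerted:
            alerted.add(("user", user))
            alerts.append({"kind": "user", "key": user, "at": ts.isoformat(),
                           "detail": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for a in velocity_alerts(SAMPLE_LOG.splitlines()):
        print(a["kind"], a["key"], "at", a["at"], "->", a["detail"])
```

Each alert is emitted once per key, at the moment the threshold is first crossed, so the output can feed a call-centre or fraud queue without repeating itself; the thresholds are deliberately small so the constructed log trips them, and would be tuned per institution in practice.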

One of the more promising authentication approaches in the marketplace is from PassMark Security, an idea hatched by Bill Harris, former CEO of Intuit and PayPal, and Mark Goines, former svp in the consumer division of Intuit, which owns Quicken and TurboTax. PassMark is designed to address phishing by offering financial institutions and e-commerce sites the ability to use a personalized image, chosen from the firm’s library or provided by the client himself, to authenticate company e-mails to the customer, as well as its Web site. For example, when a customer logs onto his bank’s Web site, the bank would show him his chosen PassMark. No software or hardware needs to be installed on the user’s computer.

“Customers tend to forget their passwords, but they remember images,” says Harris. “You can’t always remember someone’s name, but you always remember their face. People are pattern-recognition machines.” Software fees for the first 1 million customers cost between 50 cents and 60 cents per customer per year, depending upon whether the bank takes a bare-bones contract or a full-service contract. For between two million and three million customers, that range hovers between 25 cents and 30 cents per customer per year; for more than three million customers, the fee ranges between five cents and 10 cents per customer annually. But for small banks, the cost can be as high as $1 per client.

Managed e-mail providers like Solutionary, MessageLabs and Symantec Corp. all offer their round-the-clock monitoring for systems security breaches, which include phishing. Another option is Digital Envoy’s IP Inspector E-scam, which allows consumers to verify the origin of suspect e-mails and check the validity of embedded URLs in e-mails. Cyota’s FraudAction includes several modules, including its Real-time Detection and Alerts Module, offered as an outsourced option. On the consumer end, there are two promising products: WholeSecurity’s Confidence Online, which goes after viruses that download spyware that tracks activity like keylogging, and PostX Corp.’s Trusted Dialog, which reviews incoming e-mails for potential viruses and phishing scams.

Will phishing predators dampen the growth of on-line banking or e-commerce? No analysts would guess how much damage the scams may do in these realms, but they all agreed it’s bound to reduce transactions. More than 30 percent of all bank consumers in the U.S. do some kind of on-line banking; and the National Retail Federation says e-commerce topped $96 billion in 2003. “This will probably dampen on-line banking,” predicts Jevans. “It’s going to get soft. But it really will have an effect if this keeps going to two years.”

Rasch guesses the impact will be hardest with on-line commerce. “E-commerce represents a huge, tremendous cost savings for financial services firms, but that only works if consumers are willing to trust them,” he says. “Phishing attacks mean banks and retailers can no longer communicate with their customers through e-mail because they may not believe it. How do you go about effectively communicating with clients when your main channel of low-cost communication—e-mail—has been compromised? ...What phishing does is undermine the confidence of all e-commerce. People are already reticent to do e-commerce using critical information like credit cards. They are only willing to if we can do it really securely. This just stunts people’s acceptance of technology.”

But Robertson says it’s too early to tell whether phishing will frighten on-line customers off the Web—or just make them more wary. “It will definitely scare people who don’t know enough about how phishing scams work,” she says. “It’s up to banks to promote strong communication methodology and make sure their clients are educated and use strong authentication methods when they come to the site.”

Christopher Musto, vp of research with Watchfire’s GomezPro, a market research and benchmarking firm that once belonged to Gomez Inc., says phishing may merely slow down the adoption of Web commerce and banking. “It will stunt the growth of on-line banking,” he predicts. “People who were thinking of banking on-line will use this as another excuse not to bank on-line now. It will hurt its growth, but a lot will depend on how this pans out and whether banks can stay ahead of phishers.”

Staying ahead is the operative phrase, but that’s a team sport, says BofA’s MacLean. “It is so easy and cheap to perpetrate this kind of scam that everyone needs to be vigilant.”