Cover Story
PHISHING
DON'T GET HOOKED!

by Jochem Binst

   The summer of 2003 witnessed the birth of a new type of Internet-related fraud scheme. The fraudsters themselves have nicknamed the scheme "Phishing". And rightly so. What they do is fish for the na´ve end-user's static PIN code, bank account information or credit card number + expiration date. Once they have obtained that crucial secret information, they fish your bank account dry or they go shopping at your expense, using your credit card information. The right technology, strong user authentication and thoroughly informing the general public can dramatically reduce their catch.
   When a fraudster goes phishing, he typically uses the following scheme. To catch its victims' static PIN codes or credit card information, he creates a website identical to the web site of the financial institution where the end-user has a bank account. A bug in Microsoft Explorer is used to display the address of the 'real' website, thus masking the fact that the end-user is lead into a trap.
   As we said before, the fraudster wants to get possession of the end-user's static secret information. To obtain this information, he sends a mail broadcast from a fake server address to a multitude of e-mail addresses. After the unsuspecting victim enters his secret information on the 'fake' website, the gathered data can be processed in batch by the criminal whenever he feels like it. There is no time pressure at all. A batch process is extremely manageable, as the fraudster does not have to wait for username/password pairs to arrive. His victim will wake up one morning to find an unpleasant surprise, an empty bank account.
   Solutions to prevent phishing schemes are twofold.

Informing the Public

   The first part of the solution is all about creating awareness about the existence of phishing schemes. This is a task for governments, financial institutions, specialized organizations, media and security companies all over the world. At the moment this article is written, phishing as a phenomenon is more or less restricted to the Anglo-Saxon world, and specifically to the USA and the UK. Various organizations ( www.antiphishing.com ), the U.S. Federal Trade Commission (FTC), banks and security companies do their best to inform the public about the dangers of phishing.
   Nevertheless, MailFrontier found that 40% of people who read a fraudulent Citibank e-mail earlier this year thought it was real. We can only imagine what would happen if phishing would emerge in non-informed countries and regions. This clearly proves that informing the market is only a part of the solution.

Strong User Authentication

   Static passwords are just not suited to be used on an open channel such as the Internet. The solution is the use of time-based password generators, commonly known as strong authentication tokens.
   Strong authentication tokens create one-time passwords, changing every 36 seconds.
   There are 4 different modes in which strong authentication tokens can be used:

  • Time-based one-time passwords
  • Time-based challenge/response
  • Time-based signature function
  • Host/website authentication

   The two first modes will make sure that phishing becomes a far more difficult and, as such, dramatically less profitable activity for fraudsters.
   The 'basic' application, time-based one-time passwords, puts the fraudster under extreme time pressure, making it impossible to work in batch.
   Time-based challenge/response adds another security layer. The phisher has to wait for an end-user to send a username and he needs to interact in the communication between the user and the financial institution passing the challenge and getting the response.
   Time-based signature function and host/website authentication make phishing virtually impossible. Even if a fraudster gets hold of a digital signature used by a end-user to do a transaction, he can't re-use it. The transaction data cannot be altered and a new digital signature is required. No catch during this phishing trip.
   Host/website authentication allows the end-user to check the authenticity of the website he is visiting, by authenticating his bank. Again, the phisherman's net will be empty.
   For credit and debit card transactions there is a solution too. Visa, MasterCard and Europay have launched EMV. This new smart card protocol will be the worldwide credit card standard and will replace the current generation of magnet stripe credit cards. The EMV card's chip allows financial institutions to add strong user authentication functionalities. That way, users wanting to use their credit cards to perform online transactions, will no longer have to give away their credit card number + expiration date on the Internet. The combination of an EMV card and a strong authentication token with card reading possibilities will suffice to securely process e-commerce transactions. The first EMV projects with strong authentication tokens are happening right now, by renowned financial organizations such as Barclaycard.
   Phishers take advantage of the lack of information about their schemes and the use of static secure information on the Internet. Although 100% security does not exist, we can securely state that the combination of an informed public and the use of strong authentication tokens are a simple and cost-effective answer to phishing schemes.