Anti-Phishing Techniques: Protection Measures
If you are an Internet Banking user, you are probably already aware of phishing. If you are responsible for building and operating an e-commerce application, phishing is probably one of your Top 3 concerns. Statistics indicate that more than 1000 phishing attacks are launched every month. To minimize the impact of phishing attacks we need to look at protection, detection and response measures. Some measures to explore include:
- What can we do to save our users from falling prey to phishers? [Protection]
- How do we detect when a phisher is building a fake website and communicating with users? [Detection]
- What can we do to minimize the impact once a successful phish has been launched? [Response]
In this first part of the article series, we focus on the protection measures against phishing attacks. Future parts will cover the other two aspects of anti-phishing measures.
Improving Site Authenticity
The root of the phishing problem is that users cannot tell whether a website is genuine or fake. Looking carefully at the URL and the SSL certificate can really help, but not all users have the time or the technical skill to analyze them and make the correct judgement.
One method is to personalize the login page for each user. The login is done in two stages. First the user enters only the user-id, not the password. Once the user-id is submitted, the server returns a page showing an image the user selected at registration time. If the image matches, the user supplies the password and all is fine. If the image is not shown, this raises an alert and the customer does not provide the password. The phisher does not know which image to display on this intermediate page. Yes, it depends on the user being alert. Can a phisher set up a phishing site that acts as a man-in-the-middle, intercepting the user-id, sending it to the original site to fetch the image, sending the image back to the user and then collecting the password? Yes, it is technically possible.
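The two-stage login described above, as an added Python example that is not code from the article. It goes one step beyond the text: the image is only shown to a browser carrying a device cookie issued at registration, so a relay site that forwards just the user-id does not get the image back. The user ids, the cookie mechanism and the hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITER = 100_000  # assumed password-hashing cost


class TwoStageLogin:
    """Stage 1: user-id only -> server shows the user's chosen image.
    Stage 2: the password is entered only if the user recognised the image."""

    def __init__(self):
        self.users = {}  # user_id -> dict(salt, pw_hash, image, devices)

    def register(self, user_id, password, chosen_image):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER),
            "image": chosen_image,
            "devices": set(),
        }
        return self.issue_device_token(user_id)

    def issue_device_token(self, user_id):
        # Random token stored as a persistent cookie in the user's own browser.
        token = secrets.token_urlsafe(32)
        self.users[user_id]["devices"].add(token)
        return token

    def stage1(self, user_id, device_token):
        """Return the personal image, or None when it must not be shown."""
        user = self.users.get(user_id)
        if user is None or device_token not in user["devices"]:
            # Unknown user-id or unknown browser: the image is not leaked to a
            # relay that knows only the user-id. Same response in both cases so
            # valid user-ids cannot be enumerated.
            return None
        return user["image"]

    def stage2(self, user_id, device_token, password):
        """Verify the password only for a browser that passed stage 1."""
        user = self.users.get(user_id)
        if user is None or device_token not in user["devices"]:
            return False
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITER)
        return hmac.compare_digest(cand, user["pw_hash"])
```

A real deployment would re-enrol an unknown browser through a secondary check instead of refusing outright, which is where the page's caveat about depending on an alert user still applies.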
Two-Factor Authentication
The user requires a login-id/static password [often called a PIN] and a dynamic one-time password for a successful login. This one-time password is generated on a hardware token [or a software token] provided to each user. These tokens automatically generate a new one-time password every 60 seconds.
We are not fighting the real problem here. Users will still get tricked into providing their passwords at the phishing site, but these passwords are only valid for 60 seconds. If the phisher is not able to use it in near real time [within 60 seconds], the stolen password is useless. However, as was proven recently, phishers are getting more real-time.
Alternatively, instead of supplying tokens to users, the server can generate the one-time password. Once the login/static password is validated, the one-time password is generated by the server and sent by SMS to the user's cellphone. This virtually prevents phishing attacks because attackers can never receive this SMS. But are we saying that all users need to have mobile phones, and that if they are travelling they need to have roaming enabled on their mobiles every time they want to do Internet Banking? Is the overall cost per transaction increasing?
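Both one-time-password variants from the last three paragraphs, as an added Python example that is not code from the article: a 60-second RFC 6238 TOTP check for the token case, and a server-generated code with expiry for the SMS case. The verifier also refuses a code that was already accepted in the same 60-second window, so a phished code that the legitimate user has just used cannot be replayed even inside its lifetime. Secrets, user names and the SMS delivery are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60    # seconds per one-time password, as in the article
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the same code for a whole 60-second window."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class OtpServer:
    """Second-factor check for a token (TOTP) and for a server-generated code."""

    def __init__(self):
        self.token_secret = {}  # user -> secret provisioned on the token
        self.last_window = {}   # user -> last window in which a code was accepted
        self.sms_codes = {}     # user -> (code, expiry time)

    def enrol_token(self, user, secret):
        self.token_secret[user] = secret

    def verify_token(self, user, code, now):
        secret = self.token_secret.get(user)
        window = now // STEP
        # A phished code is good only inside its 60 s window, and only once:
        # replaying it after a successful login in the same window must fail.
        if secret is None or self.last_window.get(user, -1) >= window:
            return False
        if not hmac.compare_digest(code, totp(secret, now)):
            return False
        self.last_window[user] = window
        return True

    def issue_sms_code(self, user, now):
        # Server-generated variant: random code, short expiry, single use.
        code = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self.sms_codes[user] = (code, now + STEP)
        return code  # handed to the SMS gateway, never shown on the web page

    def verify_sms_code(self, user, code, now):
        entry = self.sms_codes.pop(user, None)  # pop: one attempt, one use
        if entry is None:
            return False
        stored, expiry = entry
        return now <= expiry and hmac.compare_digest(code, stored)
```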
Having separate login and transaction passwords
This is very relevant for banking and financial sites. It ensures that even if the login password is lost to a phisher, transactions cannot be made.
Again, we are not saving users from being victims of phishing. We are just ensuring that even if the login password is lost, the attacker can log in and see the account details but cannot do something like a fund transfer without knowing the transaction password. If the user has kept both passwords the same, there is no security at all. Alternatively, a one-time transaction password can also be generated dynamically by the server and sent to the user by SMS.
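The split between login and transaction passwords, as an added Python example that is not code from the article. It enforces the edge case the text names: a transaction password equal to the login password is refused at set-up time (checked against the stored login hash, so no plaintext is kept), and a fund transfer needs the transaction password even inside a logged-in session. Hashing parameters and the account model are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITER = 100_000  # assumed password-hashing cost


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)


class BankAccount:
    """Login password opens a view-only session; the transaction password is
    required again for every fund transfer."""

    def __init__(self, login_pw, balance):
        self.login_salt = secrets.token_bytes(16)
        self.login_hash = _hash(login_pw, self.login_salt)
        self.txn_salt = None
        self.txn_hash = None
        self.balance = balance
        self.logged_in = False

    def set_transaction_password(self, txn_pw):
        """Refuse a transaction password equal to the login password: the split
        protects nothing if a phished login password also authorises transfers."""
        if hmac.compare_digest(_hash(txn_pw, self.login_salt), self.login_hash):
            return False
        self.txn_salt = secrets.token_bytes(16)
        self.txn_hash = _hash(txn_pw, self.txn_salt)
        return True

    def login(self, pw):
        self.logged_in = hmac.compare_digest(_hash(pw, self.login_salt), self.login_hash)
        return self.logged_in

    def view_balance(self):
        return self.balance if self.logged_in else None

    def transfer(self, amount, txn_pw):
        """Debit only when logged in AND the transaction password checks out."""
        if not self.logged_in or self.txn_hash is None:
            return False
        if not hmac.compare_digest(_hash(txn_pw, self.txn_salt), self.txn_hash):
            return False
        if amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        return True
```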
Personalize email communication
Phishing starts with an email. How will users differentiate a phishing mail from an authorised one? If we personalize authorised emails and include some details which phishers will never have access to, there is a good chance users will identify a phishing mail, which does not have any of these. Some details that could be included in email communications are the customer's full name and the last 4 digits of his account number.
User Education
This is perhaps the best protection mechanism but the most difficult one to implement. If we can educate users about how to detect a phishing mail or site and how to securely access the website, a lot of phishing attacks will not succeed. Getting users' attention to these security tips and advice is challenging. We could put them on our login page or send them as emails. The method varies depending on the type of business and the channels available to reach the user.
Should we implement all of these?
This is the predicament we face with most security technologies: should we provide a better user experience at the cost of reduced security, or improve security at the cost of user convenience? Will users do more business on the Internet if security is enhanced? We should believe so. Several recent surveys indicate that lack of security is leading to a loss of customer confidence in Internet commerce. That means users want appropriate security controls in place, even if it means carrying a password token or getting their passwords by SMS. Today phishing is recognised by users as a real and potentially damaging threat. If we do not put appropriate anti-phishing controls in place, our customers might go elsewhere to do business.
It is a cat-and-mouse game. Phishers are getting better every day. The security industry has taken up the challenge and today we have multiple solutions to the problem. We need to move towards effective solutions that do not over-burden the user, like personalised images during login or passwords through SMS. Only time will tell which of these will meet both objectives: surviving the latest attacks and finding user acceptance.