Which of the following websites is least likely to be a target of phishing / pharming attacks?
1. An ecommerce-enabled website having SSL encryption, password authentication mechanism, and which sends customer account statements via email.
2. An internet banking website with SSL encryption, two-factor authentication and which does not send any customer information via email.
3. An ecommerce-enabled website with no SSL-based login and a simple password authentication mechanism.
4. An internet banking website with SSL encryption and multi-factor authentication. Additionally the website displays unique visual clues to each user.
The answer is (4). An SSL-enabled website with multi-factor authentication and unique visual clues is least likely to be a target. Let's look at the other options before we come to the explanation.
On the face of it, (2) looks like a good candidate. However, having SSL encryption and two-factor authentication is not enough. A phisher who manages to lure a user to the fake website can simply accept all input from the user and pretend that the login information provided by the user is correct. The user thinks that he has logged into the website correctly. However, there is no indication that the website can identify the user correctly, so a phisher can still get away with the phishing scam.
Website (1) is more vulnerable than (2). Customers who are expecting emails from the website can easily be tricked by phishers into believing their mails to be genuine. A simple password authentication mechanism is also unsafe: since no other factor is required, a phisher armed with a user's compromised login ID and password can do anything that the user can do.
Website (3) is the most vulnerable. Although the website may be using SSL encryption after the user logs in, the login screen can still be vulnerable to faking. The phisher's job becomes simpler because, at the time of login, the SSL warning dialog alerting the user about a fake website does not appear.
Website (4) displays visual clues to each user after successful login. This visual clue can be an image which the user selected initially. This image appears every time the user logs in. A non-tech-savvy user can easily recognise visual clues and immediately find out whether the website is genuine or not. A phisher will find it virtually impossible to duplicate this functionality on the fake website.
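As an added example (not code from the original article), here is a minimal Python model of the visual-cue login flow described for website (4): the user's personal image and phrase are revealed only after the username step and only to a previously enrolled device, before the password is ever requested. The in-memory store, the device-token cookie and all names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: an in-memory dictionary stands in for the bank's real user database.
# Each user registers a personal image and phrase (the "visual clue") once; the
# genuine site shows it after the username step and before asking for the
# password, so the user can confirm the site is real before typing the secret.
class SiteKeyLogin:
    def __init__(self):
        self.users = {}  # username -> account record

    def register(self, username, password, image_id, phrase):
        """Create the account and return the first trusted-device token."""
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "image_id": image_id,
            "phrase": phrase,
            "devices": set(),
        }
        return self.enroll_device(username)

    def enroll_device(self, username):
        """Issue a long random token that the browser keeps as a cookie."""
        token = secrets.token_hex(16)
        self.users[username]["devices"].add(token)
        return token

    def cue_for(self, username, device_token):
        """Step 1 of login: reveal the personal cue only to a recognised device,
        so that knowing a username alone is not enough to learn the cue."""
        rec = self.users.get(username)
        if rec is None:
            return None
        if not any(hmac.compare_digest(t, device_token) for t in rec["devices"]):
            return None  # unknown device: the site falls back to another challenge
        return rec["image_id"], rec["phrase"]

    def verify_password(self, username, password):
        """Step 2 of login, performed only after the user has confirmed the cue."""
        rec = self.users.get(username)
        if rec is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(candidate, rec["pw_hash"])
```

Because the cue is tied to an enrolled device rather than to the username alone, a page that cannot present the user's own image and phrase before the password prompt is the signal the user is trained to stop at.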
For more solutions on Phishing and Pharming, read our March article on Pharming.