Phishing and Internet Banking Security
Short Description
Phishing is the fastest growing fraud on the Internet [3] and has been heavily in the media spotlight for the past year. A survey conducted by Gartner Group in 2004 estimated that 57 million Americans had received a phishing email in the past year [2]. This paper provides an introduction to phishing and its implications for Internet Banking Security. Multiple techniques for mitigating the fraud are analyzed, and it is argued that the two-factor authentication widely deployed in the financial industry is a short-term solution that will not help against more advanced attacks. The paper concludes by proposing a more secure solution based on digital signatures.
Website: ftp.software.ibm.com | Filesize: 267kb
Number of pages: 7
Content
The Anatomy of a Phishing Attack
Phishing is a fraud that uses social engineering to trick users into revealing sensitive personal information, such as login IDs, passwords, and credit card details, to fraudsters. The information is then misused to transfer funds from the victim's bank account, create counterfeit ATM cards, commit identity theft, and so on.
The first generation of phishing attacks used fraudulent emails (the bait) purporting to come from well-known organizations, including banks and Internet services such as eBay and PayPal. A phishing mail is designed to look authentic: it includes, for example, the logos and text styles of the company being impersonated, and it carries a forged sender address. Most importantly, the mail contains a link to a bogus web site that appears identical to the organization's real web site. The email entices the user to open the link with a deceptive pretext, e.g. that the company has upgraded its computer systems and requires the user to log on in order to "verify" his account details. If the user falls for the scam and enters personal information on the site, it is collected by the fraudster for later abuse.
In theory, the use of SSL server certificates on web sites should allow the user to determine who he is communicating with. In practice, however, it does not prevent users from being lured. We argue that an ideal security system should work even when the user fails to comply with basic security guidelines. Fraudulent web sites use a number of techniques to hide the fact that they are not authentic, including overwriting or disguising the true URL shown in the browser, overlaying the genuine web site with a crafted pop-up window, drawing fake padlock images on top of the browser window to give the impression that SSL is enabled, and registering SSL certificates for domain names similar to the real organization's. In practice, these tricks make it extremely difficult for the average user to distinguish a phishing site from a genuine one.
…